Join Pete Zerger for an in-depth discussion in this video Investigating malicious activity patterns, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] When investigating malicious activities, the first step is to understand what the user did and what was the immediate impact of the attack. A few good questions to start with include: did the user open the email? Did the user click a malicious link? Did they open an attachment? Or did the user reply to the email? Did the email provide the attacker with any sensitive corporate information? Did the user provide or enter their credentials anywhere? Or did the user perform maybe even a wire transfer as instructed by the attacker? Answering these questions will help you determine the impact of the phishing attack and give you an idea of the likelihood of future attacks.
Furthermore, it will help you determine the urgency of remediation and how quickly you need to act to mitigate subsequent attacks. Next, you want to understand the nature of the attack and what the attacker was trying to achieve. Does this look like a sophisticated attacker? Did the attacker use malware? Is it likely this attacker will target this person again or somebody else in my organization as a spear phishing attack? And did the attacker use valid information to phish the user? So is that information publicly available via social networking websites, job posts, etc.? Is this the first time we've seen this type of attack? And did the attacker try to spoof or use a similar domain name to lure our victim in? Or perhaps, did the attacker use a fake log-on website to capture user credentials? And finally, why did the attacker use that type of file extension? Always consider what you can do to prevent this attack in the future.
In step three, we'll be able to determine if the message was actually a real phishing email. Not every single report you'll receive will actually be a phishing email. In fact, you'll likely get reports about unwanted email, newsletters, or spam that aren't actually phishing. And while many of these are a problem for the user, it won't necessarily be a security risk or an impact to the organization. Microsoft does have a few suggestions on how to analyze and determine if an email is actually a phishing email.
It's very important to remember the messages you'll be analyzing can be malicious and therefore you should not open or trust attachments, links, or images. Typically, if it looks like a phishing or spear-phishing email, it probably is. Some of the more common ones are spoofing, which is when an attacker sends an email using a domain that looks identical to your domain. There's look-alike spoofing, which is when the attacker uses a domain that looks very similar to your domain.
In many cases though, it will contain look-alike non-Roman characters, perhaps including characters with special accent marks. And then there are display-from attacks, where the attacker sends an email using a free email provider pretending to be perhaps an officer of the company, simply using their personal email account. So what should I look for in anti-spam message headers? Analyzing the anti-spam message headers will actually help you determine why it was not captured by the Office 365 protection mechanisms.
You'll want to carefully look at the spam confidence level to determine if the message was not detected by Office 365 or if it was able to bypass O365 simply because it was whitelisted. So we can review the message headers. If the message was authenticated, that will actually help us perform a trace to determine if the message was spoofed. The IP where the message originated can also help. And finally, you want to make sure the attacker has not been whitelisted. If it is whitelisted, emails will be able to bypass the protection rules that will protect your tenant against phishing and spam.
For step four, we need to focus on remediation. Did the user open a file? Was the user's account actually compromised? And how do we deal with those spoofed emails? For example, we can create an Exchange transport rule to track or block some of these spoofing messages we've detected. Always report phishing to Microsoft, law enforcement, or your preferred scam-reporting website. After stopping the bleeding, you can investigate the impact of a phishing attack in your tenant by leveraging your Office 365 activity data.
And finally, as part of your long-term strategy, investing in phishing awareness education in your company makes your users your partners in preventing future phishing attacks.
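An added example, not from the course or from Microsoft, of the header triage the instructor describes: it reads the spam confidence level and filtering verdict from the X-Forefront-Antispam-Report header, the SPF/DKIM/DMARC verdicts from Authentication-Results, and classifies the sender as a direct spoof of your domain, a look-alike domain (accented or digit-substituted characters) or a display-name attack from a free-mail provider, without touching links or attachments. The tenant domain, free-mail list and sample message are constructed; SFV:SKA and SFV:SKN are assumed here to be the allow-list and mail-flow-rule exemption markers Exchange Online stamps.

```python
import email.utils, re, unicodedata

ORG_DOMAIN = "contoso.example"                   # assumed tenant domain
FREEMAIL = {"gmail.example", "outlook.example"}  # constructed free-mail list

# Constructed sample modelled on Exchange Online headers; the look-alike domain is shown IDNA-decoded.
RAW = """From: "Pat Lee" <pat.lee@cont\u00f3so.example>
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=contoso.example; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=contoso.example;compauth=fail reason=000
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:XX;LANG:en;SCL:-1;SFV:SKA;IPV:NLI;

Please process the attached invoice today.
"""

def parse_antispam_report(value):
    """Split the 'KEY:val;KEY:val' report into a dict."""
    pairs = (part.partition(":") for part in value.split(";"))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}

def auth_results(value):
    """Pick the spf/dkim/dmarc verdicts out of Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))

def looks_alike(domain, org):
    """Strip accents and digit substitutions, then compare with the real domain."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return domain != org and folded.replace("0", "o").replace("1", "l") == org

def triage(raw, org=ORG_DOMAIN):
    """Return the header findings a responder wants before touching the body."""
    msg = email.message_from_string(raw)
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    report = parse_antispam_report(msg.get("X-Forefront-Antispam-Report", ""))
    auth = auth_results(msg.get("Authentication-Results", ""))
    findings = []
    if report.get("SFV") in ("SKA", "SKN"):   # allow list / mail flow rule exemption
        findings.append("filtering skipped: sender allow-listed or exempted by rule")
    elif int(report.get("SCL", 0)) >= 5:
        findings.append("scored as spam (SCL %s) yet delivered" % report["SCL"])
    bad = ["%s=%s" % (k, v) for k, v in auth.items() if v != "pass"]
    if bad:
        findings.append("authentication not passing: " + ", ".join(bad))
    if domain == org and auth.get("spf") != "pass":
        findings.append("direct spoof of own domain")
    elif looks_alike(domain, org):
        findings.append("look-alike domain: " + domain)
    elif domain in FREEMAIL and name:
        findings.append("display-name attack: '%s' via free mail provider" % name)
    if "CIP" in report:
        findings.append("originating IP for trace: " + report["CIP"])
    return findings
```

Run `triage(RAW)` on a reported message to get the whitelisting, authentication, sender-type and originating-IP findings in one list; a real X-Forefront-Antispam-Report carries many more fields than the sample, which the parser tolerates.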