Spear Phishing: What Can you do?
April 28, 2017 5 Comments
I have seen a sharp rise in the number of spear phishing attempts my clients are subjected to, and I'm sure this trend will continue. Our best line of defence when protecting our clients is, of course, user education, but we can also try to make things easier for them.
Our most recent example was quite lacklustre by comparison: the attacker hadn't even bothered to find a similar address, just used some random Comcast account and set the 'From' display name to that of the executive they were trying to impersonate.
To counter this I decided we could tag the subject of any such email and also generate an incident report within Office 365.
Using Office 365 Transport Rules, this is very easy to implement.
In PowerShell we first define our directors' names, then the content we want included in the incident report.

```powershell
# Display name(s) to watch for in the From header of external mail
$directors = "Robert Pearman"

# Fields to include in the incident report sent to the security mailbox
$incidentContent = @(
    "Sender"
    "Recipients"
    "Subject"
    "Cc"
    "Bcc"
    "Severity"
    "Override"
    "RuleDetections"
    "FalsePositive"
    "DataClassifications"
    "IdMatch"
    "AttachOriginalMail"
)
```
Next we can create the Rule.
```powershell
New-TransportRule "Company Executive Spoof Transport Rule" `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader From `
    -HeaderContainsWords $directors `
    -PrependSubject "External Email:" `
    -GenerateIncidentReport security@y38.info `
    -IncidentReportContent $incidentContent
```
Now, when an email arrives from outside the organisation and its From header contains one of our directors' names, our support team will receive an incident report and the recipient will see the modified subject.
You might think we could just delete these messages, or set the subject to !!FRAUD FRAUD FRAUD!!!!, but there may be legitimate reasons a recipient gets an email like this carrying a director's name, and from experience I know people can get quite put out if you start accusing them of fraud. For example, your director may be named John Smith, or he may be emailing his PA from his personal account; we won't go into the reasons why.
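The following is an added example, not code from the original post, showing how the same rule can be extended to cover several directors, exempt the known personal addresses that cause the false positives described above, stamp a header that can be searched for in message trace, and start in audit mode so the reports can be reviewed before the subject tag is applied. The director names, the personal address, the admin UPN and the header name are placeholders; the only real values are the rule name and the report mailbox from the post. It assumes the ExchangeOnlineManagement module and an account holding the Transport Rules role.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed and the account has the Transport Rules role.
# All names and addresses below except the rule name and report mailbox are placeholders.

# Connect to Exchange Online (replace the UPN with your admin account)
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# One entry per director, written exactly as it appears in the display name
$directors = @(
    "Dan Druff",
    "Barbara Blacksheep",
    "Jim Nastics"
)

# Known external addresses a director legitimately sends from (e.g. a personal
# account used to mail a PA). Mail from these addresses is exempt from the rule.
$knownPersonalAddresses = @(
    "dan.druff@example.net"
)

# Fields to include in the incident report
$incidentContent = @(
    "Sender", "Recipients", "Subject", "Cc", "Bcc", "Severity", "Override",
    "RuleDetections", "FalsePositive", "DataClassifications", "IdMatch",
    "AttachOriginalMail"
)

$ruleName = "Company Executive Spoof Transport Rule"

# Create the rule in AuditAndNotify mode: the subject is left untouched while the
# incident reports still arrive, so the hit list can be reviewed first.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader "From" `
    -HeaderContainsWords $directors `
    -ExceptIfFrom $knownPersonalAddresses `
    -PrependSubject "External Email: " `
    -SetHeaderName "X-Exec-DisplayName-Match" `
    -SetHeaderValue "true" `
    -GenerateIncidentReport security@y38.info `
    -IncidentReportContent $incidentContent `
    -SetAuditSeverity Medium `
    -Mode AuditAndNotify

# Review the conditions and exceptions that were actually stored
Get-TransportRule -Identity $ruleName | Format-List Name, State, Mode, Conditions, Exceptions, Actions

# Once the reports look right, switch the rule to Enforce so the subject tag is applied
Set-TransportRule -Identity $ruleName -Mode Enforce
```

Two caveats worth keeping in mind. HeaderContainsWords is a word or phrase match on the raw header, so it catches the display-name trick in the post but not lookalike names with extra characters or homoglyphs; those still need the user education the post opens with. The ExceptIfFrom exemption also means anyone who forges that exact personal address is exempt too, so it is only as safe as the SPF, DKIM and DMARC checks that the personal mail provider's domain gets on the way in.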
Great idea, Robert. Just wondering, how would you modify the script for multiple directors? Something like this, using a comma-separated list?
```powershell
$directors = "Dan Druff", "Barbara Blacksheep", "Jim Nastics"
```
(using amusing fictional directors' names)…
Yes, that should work fine.
Or put them in an array like the arguments for the incident response.
Thanks Robert.
My god! Why didn't I think of this? Brilliant.