Process for Responding to Phishing and Spam Email Reports
I get one help desk request more than almost any other: spam and phishing email reports. At my current gig I probably get three or four a week. This is far fewer than at my previous job, where there'd probably be more than that in a day. There are enough of them that I've pretty much developed a kind of fire-and-forget process for dealing with them.
I know that this process pretty much discounts the content of the phishing email. It doesn't really matter what the email is and, honestly, I don't really need to get involved with each and every one, but my coworkers seem to feel more comfortable if they report it, and they appreciate the response.
Note: This process is for a run-of-the-mill report of, "Hey! This email looks phishy. What should I do?" If there's a particularly successful one, or it appears that there's a concerted effort, you may want to dive deeper.
So once the report comes in I send this as a new email (not a reply, because I don't want to propagate potentially harmful emails):
Hi.
This certainly looks suspicious. Please mark this email as phishing and/or junk and delete the message. Do not click any links, download attachments or interact with the content in any way other than what you've already done in reading the email.
If you have clicked on any links or downloaded attachments, please let me know ASAP and we'll work together to resolve any issues that might have caused. There is no risk in simply reading an email. The risk comes in following the instructions provided in the malicious email.
Thanks for reporting this to me. I'll take a look on our email server to ensure this isn't a bigger issue than a mundane phishing email.
Rob
Now, unless there are multiple reports, I'll often leave it at that. Marking the email as phishing or junk trains our Exchange Online instance, and further attempts by the malicious actor will be quarantined. If, however, the email looks particularly problematic or there are multiple reports of a single campaign, I'll pop into the quarantine list to see how big of a deal it is. I may also post a company-wide news post on our IT SharePoint site to let people know that there's an appreciable risk.
Such a post will look something like this:
Focused Phishing Campaign Alert
Hello,
There is currently a focused phishing campaign against our company. The malicious actors are using text and references to Alicat and flow testing to appear legitimate. The subject lines reference both "Flow testing" and "Alicat", and the text of the messages reads as a standard attempt to trick you into interacting with an attached file. Our malicious email filters are catching some of them, but there's always the possibility that one will be missed because they're coming from multiple email addresses and taking multiple approaches.
The best way to identify whether it's a malicious email is to look at the sender's email address. This can be done by hovering over the "From" field. If the displayed email address isn't what you expect it to be, mark it as a phishing attempt and delete it.
Please be vigilant when you receive a message that doesn't look right. Right now, be particularly skeptical of emails referencing "Flow Testing" and "Alicat" that have attachments or links in them that do not line up with what you'd expect from a peer, customer, or vendor.
If you have interacted with an attachment that appears to be malicious do not hesitate to let me know and we can mitigate any issues.
If you receive an email that looks like a phishing attempt, mark it as such and delete it. Do not download or open the attachments. If in doubt of the legitimacy of an email I'll happily take a look.
Rob
I try to cover three main points with these kinds of posts:
- What the threat looks like
- What to do with the email (which you'll notice is almost verbatim the email I send out as a response to a report).
- How to identify malicious emails that fit this attempt. In this case it was hovering over the email address in Outlook to see that the domain doesn't make any sense.
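When a campaign like the "Flow testing"/"Alicat" one comes in, the quarantine check mentioned above can be scripted rather than clicked through. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement PowerShell module is installed and that your account can read the quarantine. The subject keywords are taken from the campaign described here and should be adjusted per report.

```powershell
# Added example (not from the original post): size up a suspected phishing
# campaign in the Exchange Online quarantine. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account has quarantine read access.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# Subject keywords from the campaign in the post; change these per report.
$Keywords = @('Flow testing', 'Alicat')
$Since    = (Get-Date).AddDays(-7)

# Pull recently quarantined phishing messages (1000 is the page size limit;
# add -Page to walk further back if a campaign is larger than that).
$Quarantined = Get-QuarantineMessage -StartReceivedDate $Since `
    -QuarantineTypes Phish, HighConfPhish -PageSize 1000

# Keep only messages whose subject matches one of the campaign keywords.
$Campaign = $Quarantined | Where-Object {
    $subject = $_.Subject
    $Keywords | Where-Object { $subject -like "*$_*" }
}

# Messages per sender domain. Many distinct domains is the "multiple email
# addresses, multiple approaches" pattern the post describes.
$Campaign |
    Group-Object { ($_.SenderAddress -split '@')[-1].ToLower() } |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# How many of our people were targeted? (RecipientAddress may hold several.)
$Recipients = $Campaign | ForEach-Object { $_.RecipientAddress } | Sort-Object -Unique
"{0} quarantined messages to {1} distinct recipients since {2:d}" -f `
    $Campaign.Count, $Recipients.Count, $Since

Disconnect-ExchangeOnline -Confirm:$false
```

If the filter is catching messages from many sender domains to many recipients, that is the signal to write the company-wide post rather than answering reports one at a time.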
Please feel free to use this as the basis for your process for responding to malicious email reports.