Humans are emotional beings and can be easily manipulated through emotions such as greed, fear, and desire. Attackers exploit these vulnerabilities through social engineering attacks, especially in email-based schemes. This kind of email-based attack has proliferated in recent years, making it time-consuming for analysts to investigate these suspicious emails. Our security researchers here at Logpoint have been working tirelessly to create playbooks that can aid organizations in performing investigations and responses. Gone are the days when analysts had to spend tens of hours collecting data, enriching IOC, investigating, and responding. The playbook can significantly reduce the average time between detection and response, bringing it to an all-time low.
Phishing being common among social engineering, attackers often target large enterprises with spear phishing and whaling campaigns. With increased security awareness, such emails are generally reported to the security team. However, threat actors often incorporate new techniques making phishing difficult to detect and comprehend by users. The security team must act promptly to gather all the necessary data to conclude. It's as simple as clicking a button, and all the crucial pieces of evidence appear in the case.
The playbook can be triggered either through incidents or executed manually. Below, we will discuss the manual execution and also showcase the playbook that can be triggered automatically.
Latest Phishing Attack Trend
There has been a rise in phishing emails leveraging QR codes as a source of attack. Dubbed Quishing, it's very difficult to detect by the email security gateway and is easily passed to the user. While the phishing email content remains the same; showing some emergency issues or incidents and asking them to follow the link. However, in this case, the link has been replaced by a QR code that has to be scanned by a camera usually via a mobile device. It's a simple yet effective method to bypass the email security.
To initiate the investigation, we require the message_id. This refers to the id field in the output provided by the O365. Please do not confuse it with internetMessageId. This can be accomplished using the playbook named "Search Email - O365", which accepts input such as sender, receiver, subject, userId, and searchby. This playbook searches within the user's inbox, using the parameters provided in the playbook input and outputs the message_id. This message_id is used to identify the email uniquely in the inbox.
The input parameter sender, receiver, and subject are optional but needs at least one parameter to initiate the search. Providing all three narrows down to the exact email. After executing this playbook, the result can be found in the Cases. Clicking on "Show Json Data" will display all the results returned for the search.
There could be multiple results depending on the input variable. We recommend manually reviewing these results and extracting the specific message ID. Clicking on the "Show JSON Data" instruction will show you details of the email consisting of the maximum information required, including the mail read status, that is needed for the investigation as shown below.
After this step, we can proceed with another playbook called "Email Forensics - Lite". In this playbook, we have two inputs: userId and message_id . This playbook offers a wide range of actions and scripts to extract as much detail as possible.
This playbook collects information such as sender IP details, URL details, and attachment details including QR data. These artifacts are being extracted from the message header, email body, and included attachments. In light of the recent Quishing attacks, we have included the QR decoder too, which would scan for the QR code in the attached image, and decode it. If the data contains a URL, it will be added as an artifact. The extracted IP and URL information is enriched using threat intelligence sources like VirusTotal and RecordedFuture.
Additionally, we also provide the email's body content and even the attached image so that analysts can directly view the email's contents and gain a new perspective.
Below we can see the case for each extracted URL/IP with its reputation and enrichment.
Clicking on the Show JSON data on URL Case Reputation and IP Case Reputation.
All these IP/URL and any other IOCs are added to the artifacts as shown below.
To make the investigation easy for the analyst, we have also included all the extra information that could be relevant.