
Phishing and Email

 

Use the JSA Phishing and Email Content Extension to closely monitor email in your network.

JSA Phishing and Email Content Extension 1.0.0

The following table shows the custom properties in JSA Phishing and Email Content Extension 1.0.0.

Table 1: Custom Properties in JSA Phishing and Email Content Extension 1.0.0

| Name | Optimized | Found in |
|---|---|---|
| File Extension | Yes | |
| Filename | Yes | |
| MessageID | Yes | |
| Originating Host | No | |
| Originating_User | No | |
| Recipient Host | No | |
| Recipient_User | No | |
| Subject | Yes | |
| Target User Name | Yes | |

The following table shows the rules and building blocks in JSA Phishing and Email Content Extension 1.0.0.

Table 2: Rules and Building Blocks in JSA Phishing and Email Content Extension 1.0.0

| Type | Name | Description |
|---|---|---|
| Building Block | BB:BehaviorDefinition: External Originating Host | Triggers when an address outside the organization sends numerous emails that contain attachments. This might indicate an attempt to deliver malware by targeting many recipients. Note: Adapt the threshold to the size of your company. |
| Building Block | BB:BehaviorDefinition: External Recipient Host | Identifies recipient hosts that are not in the Corporate Email Domains reference set. Note: The Corporate Email Domains reference set must be populated. |
| Building Block | BB:BehaviorDefinition: Potentially Hostile Originating Host | Identifies when an email comes from a malicious host. The host is malicious if the X-Force categorization for it returns one of the following categories: Phishing URLs, Spam URLs, Malware, Botnet Command and Control Server, or Cryptocurrency Mining. |
| Building Block | BB:BehaviorDefinition: Potentially Hostile Recipient Host | Identifies when an email is sent to a malicious host. The host is malicious if the X-Force categorization for it returns one of the following categories: Phishing URLs, Spam URLs, Malware, Botnet Command and Control Server, or Cryptocurrency Mining. |
| Building Block | BB:DeviceDefinition: Mail | Defines all mail devices on the system. |
| Building Block | BB:DeviceDefinition: Mail in Flows | Defines all applications related to mail on the system. |
| Rule | Abnormal Number of Emails to Invalid Recipients | Triggers when numerous emails are sent to invalid recipients (invalid domain, unknown user, malformed address, and so on). This might indicate a brute-force attempt to discover valid addresses. |
| Rule | Email Attachment with Executable | Triggers when an email is received that contains attachments with executable file extensions. |
| Rule | Email Attachment with Executable Hidden in Double File Extensions | Triggers when a mail attachment's name contains at least two consecutive file extensions and one of them is associated with an executable file. This covers the case where an attacker appends a non-malicious file extension to the end of a malicious executable file to bypass security services that block executable mail extensions (for example, virus.exe.txt or presentation.bat.pptx). It also covers the case where an attacker sends a file with a non-executable file extension followed by an executable file extension (for example, report.doc.js or newsletter.pdf.exe). This can be used to trick users into opening malicious executable files, because some operating systems, such as Windows, hide the file extension when displaying files in their file explorer: if the attacker can convince a user to download the file Report.doc.js, the operating system might display it as Report.doc. |
| Rule | Email Received From Potentially Hostile Host | Triggers when an email is received from a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining. |
| Rule | Email Sent to Potentially Hostile Host | Triggers when an email is sent to a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining. |
| Rule | High Inbound Emails Containing Attachments From External Host | Triggers when an address outside the organization sends numerous emails that contain attachments. This might indicate an attempt to deliver malware by targeting many recipients. Note: Adapt the threshold to the size of your company. |
| Rule | High Number of Emails From Unauthorized Users | Triggers when an email address that is not included in the whitelist sends numerous emails. This behavior can reveal an attempted mass infection; in most cases, only a limited number of entities are meant to send mass emails. Note: The Whitelisted Email Admins reference set must be populated with the email addresses that are allowed to send a large number of emails at one time. |
| Rule | Inbound Email with Suspicious Subject | Triggers when an email is received with a suspicious subject or a subject conveying some sense of urgency. Note: The Phishing Subjects reference set is prepopulated with email subject examples and can be tuned with new discoveries. |
| Rule | Inbound Email with Suspicious Subject Keywords | Triggers when an email is received with a suspicious subject or a subject conveying some sense of urgency. Note: Update the rule's regular expression to include the suspicious keywords that you want to match. |
| Rule | Mailbox Item Deleted by Another User | Triggers when a mailbox item is deleted by a user other than the mailbox owner. This might reveal abuse of rights on a mailbox. |
| Rule | Mailbox Permission Added and Deleted in a Short Period of Time | Triggers when a mailbox permission is added and then deleted within a short period. This might indicate that a user is granting themselves access before performing an administrative action, such as accessing or deleting information or creating a forwarding rule, and then removing the rights to remain undiscovered. |
| Rule | Potential Leakage of Data via Email Attachment | Triggers when numerous emails that contain attachments are sent to an external email address, which indicates potential leakage. Note: The condition "and NOT when an event matches any of the following BB:BehaviorDefinition: Potentially Hostile Email Host" was added because the rule "Email Sent to Potentially Hostile Host" already alerts on any email that is sent to a suspicious address. If you want this rule to report those emails as well, remove the filter from the rule. |
| Rule | Potential Leakage of Data via High Outbound Emails | Triggers when a high number of emails is sent to the same email address outside the organization. This might indicate a potential exfiltration of data. |
| Rule | Potential Leakage of Data via Mailbox Forwarding | Triggers when a mailbox is set to forward emails to an external address, which might indicate a potential leakage. |
| Rule | QNI : Email Attachment with Executable | Triggers when an email flow is received that contains attachments with executable file extensions. |
| Rule | QNI : Email Attachment with Executable Hidden in Double File Extensions | Triggers when a mail flow's attachment name contains at least two consecutive file extensions and one of them is associated with an executable file. This covers the case where an attacker appends a non-malicious file extension to the end of a malicious executable file to bypass security services that block executable mail extensions (for example, virus.exe.txt or presentation.bat.pptx). It also covers the case where an attacker sends a file with a non-executable file extension followed by an executable file extension (for example, report.doc.js or newsletter.pdf.exe). This can be used to trick users into opening malicious executable files, because some operating systems, such as Windows, hide the file extension when displaying files in their file explorer: if the attacker can convince a user to download the file Report.doc.js, the operating system might display it as Report.doc. Note: The Application property can be tuned. |
| Rule | QNI : Email Received From Potentially Hostile Host | Triggers when an email flow is received from a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining. |
| Rule | QNI : High Inbound Emails Containing Attachments From External Host | Triggers when an address outside the organization sends numerous emails that contain attachments. This might indicate an attempt to deliver malware by targeting many recipients. Note: Adapt the threshold to the size of your company. |
| Rule | QNI : High Number of Emails From Unauthorized Users | Triggers when flow content shows an email sender that is not included in the whitelist sending numerous emails. This behavior can reveal an attempted mass infection; in most cases, only a limited number of entities are meant to send mass emails. Note: The Whitelisted Email Admins reference set must be populated with the email addresses that are allowed to send a large number of emails at one time. |
| Rule | QNI : Inbound Email with Suspicious Subject | Triggers when flow content includes an email subject that matches known suspicious subjects included in a threat intelligence feed. This might indicate spam or phishing. Note: The Phishing Subjects reference set is prepopulated with email subject examples and can be tuned with new discoveries. |
| Rule | QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers | Triggers when multiple sending servers send the same email subject within a period, which might indicate spam or phishing. Note: The custom function ISREPLY returns true or false according to whether a string is the typical subject line of a response email, as indicated by "RE" in the subject. |
| Rule | QNI : Spam/Phishing URL Accessed | Triggers when a URL categorized by X-Force as Spam URLs or Phishing URLs is accessed. This might indicate that a user who is targeted in a spam or phishing campaign opened a malicious URL. |
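The attachment, subject and sender-threshold rules in Table 2 describe their conditions in prose. The following Python is an added example, not part of the JSA extension or of Juniper's documentation, that implements the double-extension check, the ISREPLY-style reply filter behind the multiple-sending-servers rule, and the unauthorized-bulk-sender threshold over constructed mail events so the conditions can be exercised locally. The reference-set contents, the MailEvent field names and the ISREPLY approximation (a subject beginning with "RE:") are assumptions; JSA evaluates these rules in its own engine, not with this code.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-ins for the extension's reference sets; the values are
# assumptions for this example, not the contents JSA ships or that you populate.
EXECUTABLE_EXTENSIONS = {"exe", "bat", "cmd", "com", "js", "jse", "vbs", "ps1", "scr", "msi", "hta"}
WHITELISTED_EMAIL_ADMINS = {"newsletter@example.com"}


@dataclass(frozen=True)
class MailEvent:
    """One normalized mail event; field names follow the custom properties in Table 1 (assumed)."""
    originating_user: str
    originating_host: str
    recipient_user: str
    subject: str
    filename: str = ""  # attachment name, empty when the mail carries none


def extensions(filename: str) -> list:
    """Lowercase extensions in order, e.g. 'Report.doc.js' -> ['doc', 'js']; 'README' -> []."""
    base = re.split(r"[\\/]", filename)[-1].lstrip(".")  # drop any path and dotfile prefix
    parts = base.split(".")
    return [p.lower() for p in parts[1:] if p] if len(parts) > 1 else []


def attachment_rules(filename: str) -> list:
    """Names of the Table 2 attachment rules that this attachment name would trigger."""
    exts = extensions(filename)
    fired = []
    # "Email Attachment with Executable": the effective (last) extension is executable.
    if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
        fired.append("Email Attachment with Executable")
    # "...Hidden in Double File Extensions": two or more extensions, any of them executable,
    # which catches both virus.exe.txt (executable hidden before a benign suffix) and
    # report.doc.js (benign-looking name, executable suffix that Explorer may hide).
    if len(exts) >= 2 and any(e in EXECUTABLE_EXTENSIONS for e in exts):
        fired.append("Email Attachment with Executable Hidden in Double File Extensions")
    return fired


def is_reply(subject: str) -> bool:
    """Approximation of the ISREPLY custom function: subject starts with 'RE:' (case-insensitive)."""
    return re.match(r"^\s*re\s*:", subject, re.IGNORECASE) is not None


def subjects_from_multiple_servers(events, min_servers: int = 3) -> dict:
    """'Potential Spam/Phishing Subject Detected from Multiple Sending Servers':
    the same non-reply subject seen from at least min_servers distinct originating hosts."""
    hosts = defaultdict(set)
    for ev in events:
        if not is_reply(ev.subject):
            hosts[ev.subject.strip().lower()].add(ev.originating_host.lower())
    return {s: sorted(h) for s, h in hosts.items() if len(h) >= min_servers}


def unauthorized_bulk_senders(events, threshold: int = 3) -> dict:
    """'High Number of Emails From Unauthorized Users': senders outside the
    Whitelisted Email Admins set that sent at least threshold emails."""
    counts = defaultdict(int)
    for ev in events:
        sender = ev.originating_user.lower()
        if sender not in WHITELISTED_EMAIL_ADMINS:
            counts[sender] += 1
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample events: a lure subject sent from three unrelated servers plus one
# legitimate reply, a whitelisted bulk sender, and an internal user mailing a disguised script.
SAMPLE_EVENTS = [
    MailEvent("billing@mail-a.invalid", "mail-a.invalid", "alice@example.com", "Invoice overdue - action required", "invoice.pdf.exe"),
    MailEvent("billing@mail-b.invalid", "mail-b.invalid", "bob@example.com", "invoice overdue - ACTION required"),
    MailEvent("billing@mail-c.invalid", "mail-c.invalid", "carol@example.com", "Invoice overdue - action required"),
    MailEvent("dave@example.com", "smtp.example.com", "erin@example.com", "RE: Invoice overdue - action required"),
    MailEvent("newsletter@example.com", "smtp.example.com", "all@example.com", "Weekly digest"),
    MailEvent("newsletter@example.com", "smtp.example.com", "all@example.com", "Weekly digest"),
    MailEvent("newsletter@example.com", "smtp.example.com", "all@example.com", "Weekly digest"),
    MailEvent("mallory@example.com", "smtp.example.com", "u1@example.com", "Please review", "report.doc.js"),
    MailEvent("mallory@example.com", "smtp.example.com", "u2@example.com", "Please review", "report.doc.js"),
    MailEvent("mallory@example.com", "smtp.example.com", "u3@example.com", "Please review", "report.doc.js"),
]


def run_rules(events) -> dict:
    """Evaluate the three rule families over a batch of events and return the findings."""
    return {
        "attachments": {ev.filename: attachment_rules(ev.filename) for ev in events if ev.filename},
        "subjects": subjects_from_multiple_servers(events),
        "bulk_senders": unauthorized_bulk_senders(events),
    }


if __name__ == "__main__":
    for family, findings in run_rules(SAMPLE_EVENTS).items():
        print(family, findings)
```

The reply filter matters for the subject rule: without it, the single internal "RE:" reply would count as a fourth sending server for the lure subject, so a threshold tuned to the number of distinct servers would also count legitimate correspondence. The thresholds (3 here) are illustrative; as the table's notes say, adapt them to the size of your organization.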

The following table shows the reference data in JSA Phishing and Email Content Extension 1.0.0.

Table 3: Reference Data in JSA Phishing and Email Content Extension 1.0.0

| Type | Name | Description |
|---|---|---|
| Reference Set | Corporate Email Domains | Lists the email domains within the organization. |
| Reference Set | Executable Extensions | Lists extensions that are identified as executable files. |
| Reference Set | Phishing Subjects | Lists identified phishing subjects. |
| Reference Set | Whitelisted Email Admins | Lists email addresses within an organization that have been whitelisted to have certain permissions. |
