Process: Phishing Incident Investigation
Suspicious emails are forwarded or sent as an attachment to the phishing@mariecurie.org.uk mailbox, which is monitored by Cybersecurity Operations.
The email is then automatically forwarded to the Cyber Security portal (Freshservice), where it is picked up by an automator and an incident ticket is created.
If the email hasn't been sent as an attachment, get any relevant details from the user and download the email from the Microsoft 365 Defender portal (Threat Management > Explorer > Malware). Then follow the steps below.
When an email is received, the following actions should be taken.
- Create an incident in ServiceNow and assign it to yourself.
- Review the email to determine whether it is potentially phishing or spam. Avoid clicking links or opening attachments at this time.
- If the email seems suspicious, save it to an offline folder on your local machine and then upload it to the Anyrun Malware Analysis (sandbox) here: ANY.RUN - Interactive Online Malware Sandbox (login details are in Bitwarden). Perform the email analysis in the sandbox: note its characteristics (sender, subject, part of subject, attachment, URL, etc.) and understand the intention. KB on using Any.run to analyse a file/URL
- Perform header analysis following this KB: Cyber Security - How to check if an email has been spoofed | ServiceNow (service-now.com)
- If the email is determined to be malicious: run a report using O365 Defender Explorer (Explorer - Microsoft 365 security) for all incoming emails to other MC users, so we can see whether there are other recipients of the email. KB on Email Analysis on O365 Defender Explorer
- If the email has been delivered to other users, purge or soft delete the email from the users' mailboxes. KB: Cyber Security - Email Purge in O365 Security Centre | ServiceNow (service-now.com).
- Prevent more incoming emails to users by creating a spam filter rule in the Exchange Admin Centre to quarantine incoming emails that meet the criteria, e.g. sender, domain, subject. We have a "Block Individual Email Address" and a "Block Domain List" transport rule in the Exchange Admin Centre where a sender email or domain can be added to be blocked. If needed, a new rule can be created to address the phishing pattern, i.e. subject, attachment, etc. This takes around 40 minutes to kick in. KB: Mail Flow (Transport) Rule in Exchange
- If you find any suspicious IOCs while investigating via Anyrun, block those IOCs in Defender -> Endpoints -> Indicators: https://security.microsoft.com/securitysettings/endpoints/custom_ti_indicators?childviewid=url&tid=36d575c3-7153-4aa2-be33-f562de6d63d9
- Update the blocked domains and IOCs in the 'Exchange - Block Lists' Excel sheet on SharePoint under 'Marie Curie\Cyber Security (External) - Documents\General'. Cyber Security (External) - Home (sharepoint.com)
- Once done with the analysis and prevention steps, send an email to the user: closure, or further intervention if needed (in the case of known volunteers).
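As an added illustration of the header-analysis step above (example code, not the KB procedure or any vendor tool): this script parses a constructed sample message with the Python standard library and reports the SPF/DKIM/DMARC verdicts from the Authentication-Results header, whether the visible From: domain aligns with the authenticated domains, and a Reply-To mismatch. The domains (charity.example, example-bulk.net) and function names are assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real email): the visible From: claims the
# protected domain, but the envelope sender and DKIM signer are a bulk mailer.
SAMPLE_EML = """\
Return-Path: <bounce@mailer.example-bulk.net>
Authentication-Results: mx.charity.example; spf=pass smtp.mailfrom=mailer.example-bulk.net; dkim=pass header.d=mailer.example-bulk.net; dmarc=fail header.from=charity.example
From: "Finance Team" <finance@charity.example>
Reply-To: payments@example-bulk.net
Subject: Urgent invoice

Please review the attached invoice.
"""

def domain_of(addr):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()

def parse_auth_results(value):
    """Map spf/dkim/dmarc -> {result, domain} from an Authentication-Results header."""
    out = {}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"(spf|dkim|dmarc)=(\w+)", clause.strip())
        prop = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", clause)
        if m:
            dom = prop.group(1).rpartition("@")[2].lower() if prop else ""
            out[m.group(1)] = {"result": m.group(2).lower(), "domain": dom}
    return out

def aligned(from_dom, auth_dom):
    """Relaxed alignment on the last two labels (approximation; real DMARC uses the PSL)."""
    return bool(from_dom and auth_dom) and from_dom.split(".")[-2:] == auth_dom.split(".")[-2:]

def triage_headers(raw):
    """Return the spoofing indicators an analyst checks first."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    from_dom = domain_of(msg["From"])
    spf_dom = auth.get("spf", {}).get("domain") or domain_of(msg["Return-Path"])
    dkim_dom = auth.get("dkim", {}).get("domain", "")
    reply_dom = domain_of(msg["Reply-To"])
    f = {k: auth.get(k, {}).get("result", "none") for k in ("spf", "dkim", "dmarc")}
    f.update(from_domain=from_dom, spf_aligned=aligned(from_dom, spf_dom),
             dkim_aligned=aligned(from_dom, dkim_dom),
             reply_to_mismatch=bool(reply_dom) and reply_dom != from_dom)
    f["spoof_suspected"] = f["dmarc"] == "fail" or not (f["spf_aligned"] or f["dkim_aligned"])
    return f
```

Run `triage_headers(SAMPLE_EML)` on a saved .eml's contents; a passing SPF or DKIM result alone is not enough, the authenticated domain must also align with the From: domain.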