Phishing Playbook
• SIEM Alert - Collect all necessary information from the SIEM events:
o Alert Name
o Event Time
o Sender IP
o Sender Email Address
o Recipient Email Address
o Subject
o Attachment name and file type
o How many recipients got this mail?
o Action (Blocked/Delivered/Spam)
o Vendor
• User / Customer - Ask the user to send the suspicious email as an attachment (.eml/.msg), not as a plain forward, so that the original headers are preserved. Then collect:
o Event Time
o Sender IP
o Sender Email Address
o Recipient Email Address
o How many recipients got this mail?
o What is the Subject?
o Does the mail contain an attachment?
o Does the content contain any links?
o Does the content look generic or tailored to a specific person?
o Action (Blocked/Delivered/Spam)
o Check the message header (Received chain, Return-Path vs. From, Reply-To, Authentication-Results for SPF/DKIM/DMARC)
External Data Gathering:
Collect all necessary information from external open-source intelligence (OSINT).
Collect information about the sender email address, domain and IP from the following open-source intelligence tools:
• whois.domaintools.com
• cymon.io
• otx.alienvault.com
• abuseipdb.com
• urlscan.io
If there is an attachment, check its file hash (look up the hash first rather than uploading a file that may contain customer data) in the following resources:
• virustotal.com
• hybrid-analysis.com
• joesandbox.com
If the content contains suspicious links:
• Open the suspicious link only in an isolated browser sandbox such as www.browserling.com, never on your own workstation
• Document your findings.
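As an added example (not part of the original playbook), the Python script below performs the collection steps above against a raw .eml file: it pulls the sender, Return-Path, Reply-To, recipients, subject, the connecting IP from the Received chain, the SPF/DKIM/DMARC results, every link in the body, and the name, type, size and SHA-256 of each attachment (the hash you then look up on virustotal.com, hybrid-analysis.com or joesandbox.com), and flags the header mismatches an analyst normally checks by eye. The sample message, its domains and IP addresses are constructed for illustration; the flag heuristics are the author's, not a vendor feature.

```python
import email
import hashlib
import json
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): spoofed From, different Reply-To,
# one link in the body and a double-extension attachment.
RAW_EML = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.45])
 by mx.customer.example (Postfix) with ESMTPS id 4F3A2B
 for <alice@customer.example>; Mon, 01 Jan 2024 09:15:02 +0000
Received: from [10.0.0.5] (unknown [198.51.100.7])
 by mail-relay.example.net with ESMTP id X1
Authentication-Results: mx.customer.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: reset-team@bank-secure-login.example
To: alice@customer.example, bob@customer.example
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear customer, please verify at http://bank-secure-login.example/verify?id=1
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk")


def sha256_hex(data: bytes) -> str:
    """Hash to look up in VirusTotal / Hybrid Analysis instead of uploading the file."""
    return hashlib.sha256(data).hexdigest()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Extract the playbook's checklist fields from a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else ""
    recipients = [a.addr_spec for h in msg.get_all("To", []) + msg.get_all("Cc", [])
                  for a in h.addresses]

    # Each hop prepends a Received header, so the first one was written by our
    # own MX; the IP it recorded is the connecting "sender IP" for OSINT lookups.
    received_ips = []
    for hdr in msg.get_all("Received", []):
        received_ips.extend(IPV4.findall(str(hdr)))

    auth = dict(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    links = sorted(set(URL_RE.findall(text)))

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"name": part.get_filename() or "(unnamed)",
                            "type": part.get_content_type(),
                            "size": len(data), "sha256": sha256_hex(data)})

    # Header checks: envelope/header sender mismatch, Reply-To redirection,
    # failed authentication, executable hiding behind a second extension.
    flags = []
    if return_path and domain_of(return_path) != domain_of(sender):
        flags.append("Return-Path domain differs from From domain")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        flags.append("Reply-To domain differs from From domain")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) not in (None, "pass"):
            flags.append(f"{mech} result: {auth[mech]}")
    for att in attachments:
        if att["name"].count(".") > 1 and att["name"].lower().endswith(EXEC_EXT):
            flags.append(f"double-extension executable attachment: {att['name']}")

    # Crude "generic vs. targeted" heuristic: does the body name any recipient?
    personalised = any(r.split("@")[0].lower() in text.lower() for r in recipients)

    return {"sender": sender, "return_path": return_path, "reply_to": reply_to,
            "sender_ip": received_ips[0] if received_ips else "",
            "received_ips": received_ips, "recipients": recipients,
            "recipient_count": len(recipients), "subject": str(msg.get("Subject", "")),
            "authentication": auth, "links": links, "attachments": attachments,
            "personalised": personalised, "flags": flags}


if __name__ == "__main__":
    print(json.dumps(triage(RAW_EML), indent=2))
```

Run it against the attachment the user sent (`triage(open("suspicious.eml", "rb").read())`) and paste the JSON into the ticket as the documented findings; the `sender_ip`, sender domain and attachment hashes are exactly the values to feed into the OSINT tools listed above. The Received chain is only trustworthy from your own MX inward, since anything below that hop was written by the sender's infrastructure and can be forged.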
Domain Checking:
• Who is the owner?
• Is the domain on a blacklist?
• Was a legitimate mailbox compromised (genuine sender domain, but the account was hijacked)?
Escalation:
If the email contains a phishing link and/or malicious attachment that was not remediated by O365,
escalate to the customer and recommend the following:
• Block or blacklist the specific sender and/or the domain from the O365 admin console
• Delete the email permanently from the mailbox
• Check with the customer whether the malicious file was downloaded to the computer
o If the file was downloaded to the computer, recommend that the customer delete the file and run an anti-virus scan
To L2 Analyst: