Analytics Story: Suspicious Emails

Date: 2020-01-27 ID: 2b1800dd-92f9-47ec-a981-fdf1351e5d55 Author: Bhavin Patel, Splunk Product: Splunk Enterprise Security

Description

Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.

Why it matters

It is a common practice for attackers of all types to leverage targeted spearphishing campaigns and mass mailers to deliver weaponized email messages and attachments. Fortunately, there are a number of ways to monitor email data in Splunk to detect suspicious content. Once a phishing message has been detected, the next steps are to answer the following questions:

  1. Which users have received this or a similar message in the past?
  2. When did the targeted campaign begin?
  3. Have any users interacted with the content of the messages (by downloading an attachment or clicking on a malicious URL)?This Analytic Story provides detection searches to identify suspicious emails, as well as contextual and investigative searches to help answer some of these questions.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Email Attachments With Lots Of Spaces None Anomaly
Monitor Email For Brand Abuse None TTP
Suspicious Email Attachment Extensions Spearphishing Attachment, Phishing Anomaly
O365 Email Reported By Admin Found Malicious Phishing, Spearphishing Attachment, Spearphishing Link TTP
O365 Email Reported By User Found Malicious Phishing, Spearphishing Attachment, Spearphishing Link TTP
O365 Email Suspicious Behavior Alert Email Collection, Email Forwarding Rule TTP
O365 Threat Intelligence Suspicious Email Delivered Phishing, Spearphishing Attachment, Spearphishing Link Anomaly
O365 ZAP Activity Detection Phishing, Spearphishing Attachment, Spearphishing Link Anomaly
Suspicious Email - UBA Anomaly Phishing Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼

References

Source: GitHub | Version: 1