Phishing Playbook Building PreRequisites
Read Inbox - Email Connection
There are 3 types of email servers:
Enable Exchange account with app password
- Login to your Outlook on the web
- Click on your Profile icon on the top right and then My Microsoft Account
- Switch to Security
- Select Advanced Security Options
- Under App passwords, select Create a new app password. A new app password is generated and appears on your screen.
- Watch demo - How to connect your IMAP server to Devo SOAR
Enable Google account with app password
- Login to your Gmail
- Click on Settings icon on the top right and then See all Settings
- Switch to Forwarding and POP/IMAP
- Enable IMAP from IMAP Access
- Save Changes and come back to your Inbox
- Now, open your profile and Manage your Google Account
- Switch to Security
- Scroll down to Signing into Google and click on App Passwords
- Generate a new App password
For custom email server provider, follow as per their IMAP instructions.
Analyze URL / Attachments - Tools
Sign up to VirusTotal website and get API key.
- Watch demo - How to Connect VirusTotal to Devo SOAR
Sign up to HybridAnalysis website and get API key.
Analyze Headers - Tools
Sign up to MXToolBox website and get API key.
Analyze Urgency words in Subject / Body - Custom List
As of now, we can manually modify the following custom lists
phishing_common_attack_subject_lines- Used in subject analysis
phishing_urgency_word_list- Used in body analysis
Output - Send Email - Connection
Exchange / GSuite / SMTP
- Watch demo - How to connect your SMTP server to Devo SOAR
Follow SMTP setup instructions similar to IMAP instructions.
This is required in order to send out the final phishing analysis report via email.
Output - Case Creation
Case Management Integration
Right now, we can use System Integration Connection with Default case type
If asked for connection elsewhere (say in module), use the system generation integration connection.
[Testing] Setting up Inbox with Phishing Emails
Case 1: Direct emails
- Simply send out some emails from <Attacker Email> to <Your Phishing Inbox>
- Vary emails with suspicious attachments, URLs, body & subject keywords
Case 2: EML attachments
- Send emails from <Attacker Email> to <Victim Inbox>
- Download the .eml file for that email
- Send email from <Victim Inbox> to <Your Phishing Inbox> with original .eml attached
- Again, vary emails for different phishing attack scenarios
Updated 5 months ago