Spear Phishing: What Can You Do?

I have seen a sharp rise in the number of spear phishing attempts my clients are subjected to, and I’m sure this trend will continue. Of course our best line of defence when protecting our clients is user education, but we can also try to make things easier for them.

Our most recent example was quite lacklustre by comparison: the attacker hadn’t even bothered to try and find a similar address, just a random Comcast account with the ‘From’ display name set to that of the executive they were trying to impersonate.

I decided that to counter this we can tag the subject of any such email and also generate an incident report within Office 365.

Using Office 365 Transport Rules, this is very easy to implement.

In PowerShell we first define our directors' names and the content we want included in the incident report.

# Display name(s) to watch for in the From header of external mail
$directors = "Robert Pearman"

# Fields to include in the incident report sent to the support team
$incidentContent = @(
"Sender"
"Recipients"
"Subject"
"Cc"
"Bcc"
"Severity"
"Override"
"RuleDetections"
"FalsePositive"
"DataClassifications"
"IdMatch"
"AttachOriginalMail"
)

Next we can create the Rule.

New-TransportRule "Company Executive Spoof Transport Rule" -FromScope NotInOrganization -HeaderContainsMessageHeader From -HeaderContainsWords $directors -PrependSubject "External Email:" -GenerateIncidentReport security@y38.info -IncidentReportContent $incidentContent

Now, when a message from outside the organisation arrives with a From header containing one of our directors' names, our support team will get an incident report and the recipient will see the modified subject.

[Screenshot: the recipient's view of the tagged subject, "External Email"]

[Screenshot: the generated incident report]

You might think: well, we could just delete them or set the subject to !!FRAUD FRAUD FRAUD!!!!, however there may be legitimate reasons a recipient gets an email like this with a director's name, and from experience I know people can get quite put out if you start accusing them of fraud. For example, your director may be named John Smith, or he may be emailing his PA from his personal account; we won't go into reasons why.
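The following is an added example, not the post's own script, that carries the rule above through for several directors and also addresses the false-positive concern just discussed: known-legitimate external addresses (such as a director's personal mailbox) are excluded with -ExceptIfFromAddressContainsWords so they are neither tagged nor reported. It assumes an Exchange Online PowerShell session is already connected; the director names and the exception address are constructed placeholders, and the report mailbox is the one used in the post.

```powershell
# Added example (not the post's own script). Assumes an Exchange Online
# PowerShell session is already connected (Connect-ExchangeOnline).
# Director names and the exception address below are constructed placeholders.

# Display names to look for in the From header of external mail.
$directors = @(
    "Robert Pearman"
    "Dan Druff"
    "Barbara Blacksheep"
)

# External addresses that legitimately send with a director's display name,
# e.g. a director's personal mailbox. Constructed placeholder; replace with
# addresses you have verified out of band.
$knownLegitimateSenders = @(
    "director.personal@example.net"
)

# Fields to include in the incident report.
$incidentContent = @(
    "Sender", "Recipients", "Subject", "Cc", "Bcc", "Severity", "Override",
    "RuleDetections", "FalsePositive", "DataClassifications", "IdMatch",
    "AttachOriginalMail"
)

$ruleName = "Company Executive Spoof Transport Rule"

# Splatting keeps the rule definition readable and easy to review.
$ruleParams = @{
    Name                             = $ruleName
    FromScope                        = "NotInOrganization"
    HeaderContainsMessageHeader      = "From"
    HeaderContainsWords              = $directors
    ExceptIfFromAddressContainsWords = $knownLegitimateSenders
    PrependSubject                   = "External Email: "
    GenerateIncidentReport           = "security@y38.info"
    IncidentReportContent            = $incidentContent
    Comments                         = "Tags external mail whose From header carries a director's display name and reports it to the support team."
}

# Create the rule once; on later runs just refresh the name and exception lists
# so the script can be re-run after a director joins or leaves.
$existing = Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-TransportRule @ruleParams
} else {
    Set-TransportRule -Identity $ruleName `
        -HeaderContainsWords $directors `
        -ExceptIfFromAddressContainsWords $knownLegitimateSenders
}

# Show the resulting rule for a quick review.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromScope, HeaderContainsWords,
                ExceptIfFromAddressContainsWords, PrependSubject, GenerateIncidentReport
```

Because -HeaderContainsWords matches substrings of the From header, a director with a common name will still produce some incident reports from unrelated senders; the report's FalsePositive and Override fields are there to help the support team track those rather than silently dropping the mail.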

About Robert Pearman
Robert Pearman is a UK based Small Business Server enthusiast. He has been working within the SMB IT Industry for what feels like forever. Robert likes Piña colada and taking walks in the rain, on occasion he also enjoys writing about Small Business Technology like Windows Server Essentials or more recently writing PowerShell Scripts. If you're in trouble, and you can find him, maybe you can ask him a question.

5 Responses to Spear Phishing: What Can You Do?

  1. James H says:

    Great idea Robert. Just wondering how would you modify the script for multiple directors? Something like this using a comma separated list?

    $directors = "Dan Druff", "Barbara Blacksheep", "Jim Nastics"

    (using amusing fictional directors' names)…

  2. James H says:

    Thanks Robert.

  3. amybabinchak says:

    My god! Why didn’t I think of this. Brilliant
