Step zero of many, many attacks today begins with a phishing email. What if we could detect phishing attacks and head them off before the user clicks on that fatal link or opens that malicious attachment? Talk about “nipping it in the bud”.
But where would you start, short of scanning every inbox all the time, or hooking into the synchronous mail flow, which isn’t an option when your Exchange server is in the Office 365 cloud?
The answer is the Message Tracking log in Exchange. This log is available both in on-prem Exchange and with Exchange Online in the Office 365 cloud.
TechNet describes the message tracking log as “a detailed record of all activity as mail flows through the transport pipeline on Mailbox servers and Edge Transport servers. You can use message tracking for message forensics, mail flow analysis, reporting, and troubleshooting.”
Message tracking logs include information about the client, servers, sender, recipients, message subject and more. This is valuable information if you can access it and know how to mine it to detect likely phishing email. One of the most obvious things to do is compare sender and server data against threat intel lists, but that’s just the start. What about looking at quantity of emails from the sender to different recipients, prior engagement from the recipient(s) and so on?
In this real training for free webinar, we will:
1) Show you the format of message tracking logs
2) Show how to get the message tracking logs from Office 365 using PowerShell’s Get-MessageTrackingLog cmdlet
3) Walk through a list of checks to perform against message tracking events to detect phishing emails
4) Even show how to move suspect emails to a sandbox where you can use analysis tools like PhishTank, ThreatGRID and OpenDNS
5) Remove copies of the phishing email from other recipients
6) Show how to do everything mentioned above automatically, with zero analyst intervention
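As an added example (not part of the webinar or of the PIE project), here is a small Python implementation of the checks described above, run over constructed message tracking log lines: parse the log by its #Fields header, then flag inbound senders that match a threat-intel list, have no prior engagement from anyone inside, or fan out to many distinct mailboxes. The sample keeps only a subset of the real log columns, and the threat-intel set and fan-out threshold are assumptions.

```python
import csv
from collections import defaultdict

# Constructed sample: a subset of the real message tracking log columns, keeping
# the "#Fields:" header and CSV layout of the Exchange log file.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Fields: date-time,client-ip,event-id,recipient-address,message-subject,sender-address,directionality
2024-03-01T08:00:00.000Z,10.0.0.5,SEND,vendor@partner.example,Re: invoice,alice@corp.example,Originating
2024-03-01T09:00:00.000Z,198.51.100.7,RECEIVE,alice@corp.example,Re: invoice,vendor@partner.example,Incoming
2024-03-01T09:05:00.000Z,203.0.113.9,RECEIVE,bob@corp.example;carol@corp.example,Password expiry,it-helpdesk@corp-example.net,Incoming
2024-03-01T09:06:00.000Z,203.0.113.9,RECEIVE,dave@corp.example;erin@corp.example,Password expiry,it-helpdesk@corp-example.net,Incoming
2024-03-01T09:07:00.000Z,203.0.113.9,RECEIVE,frank@corp.example,Password expiry,it-helpdesk@corp-example.net,Incoming
"""
THREAT_INTEL = {"203.0.113.9"}  # constructed indicator list (sender addresses or client IPs)
FANOUT_THRESHOLD = 4            # distinct recipients from one inbound sender before flagging


def parse_tracking_log(text):
    """Yield one dict per event row, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            row = dict(zip(fields, next(csv.reader([line]))))
            # recipient-address holds every recipient of the event, separated by ';'
            row["recipients"] = [r for r in row["recipient-address"].split(";") if r]
            yield row


def check_phishing(text, threat_intel=THREAT_INTEL, fanout=FANOUT_THRESHOLD):
    """Return {sender: [reasons]} for inbound senders that trip any of the checks."""
    rows = list(parse_tracking_log(text))
    # Prior engagement: external addresses that someone inside has already written to.
    known = {r for row in rows if row["directionality"] == "Originating" for r in row["recipients"]}
    rcpts_by_sender, findings = defaultdict(set), defaultdict(set)
    for row in rows:
        if row["event-id"] != "RECEIVE" or row["directionality"] != "Incoming":
            continue
        sender = row["sender-address"]
        rcpts_by_sender[sender].update(row["recipients"])
        if sender in threat_intel or row["client-ip"] in threat_intel:
            findings[sender].add("threat-intel match")
        if sender not in known:
            findings[sender].add("no prior engagement")
    for sender, rcpts in rcpts_by_sender.items():
        if len(rcpts) >= fanout:  # one sender blasting many distinct mailboxes
            findings[sender].add(f"fan-out to {len(rcpts)} recipients")
    return {s: sorted(v) for s, v in findings.items()}
```

In the sample, the known vendor replying to an existing thread produces no findings, while the lookalike "helpdesk" sender trips all three checks.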
Quarantining email in Office 365 the default way has been described as “insanely slow”, so you’ll also be interested to see the refactored way our sponsor LogRhythm does it in their new open-source Phishing Intelligence Engine (PIE).
PIE is an open-source PowerShell framework focused on phishing attack detection and response for your organization. Built around Office 365, with the goal of expanding to on-premises Exchange in the near future, PIE continuously evaluates Message Trace logs for malicious content and dynamically responds as threats are identified or emails are reported.
The PIE framework consists of multiple PowerShell scripts that work together with the LogRhythm TLM Platform to automate detection and response to phishing attacks. The scripts can be used with or without LogRhythm; used together, they provide an automated solution that leverages commercial or open-source sandboxing for threat validation.
Please join us for this technical and practical security event.