Website and email security assessments


Summary

Website and email security assessments review the security of both websites and email systems to spot vulnerabilities and prevent threats such as phishing or impersonation. They check technical controls and configurations to keep sensitive data safe and ensure trusted communication.

  • Review authentication protocols: Make sure your email system uses SPF, DKIM, and DMARC to verify senders and avoid fraudulent messages.
  • Analyze suspicious content: Check emails and website links for signs of phishing or malicious attachments to protect users from scams and malware.
  • Document and share findings: Record your security assessment results and share important information with IT and network teams for quick action when threats appear.
Summarized by AI based on LinkedIn member posts
  • Bhagyesh Dhande

    SOC Analyst L2

    3,008 followers

    Interviewer's Favourite question part 3 (Email Phishing Analysis)

    When a suspicious email is reported to the security team, what analysis will you perform as a SOC Analyst?

    1. Sender and Domain Analysis
       - Verify the sender's email ID and domain.
       - Check the domain reputation using tools like VirusTotal, MXToolbox, IPVoid.
       - Analyze domain details: registration date, owner information.
    2. Subject Line Analysis
       - Examine the subject line to determine the intent of the email: phishing, social engineering, promotional content.
    3. Email Body Analysis
       - Look for Indicators of Compromise (IOCs), such as:
         - Urgency tactics. Example: "Reset your account within an hour, or it will be disabled."
         - Phishing URLs: embedded URLs (e.g., within an "unsubscribe" button) designed to mislead users. Check the reputation of such URLs using trusted tools.
         - Attachments: analyze suspicious attachments in a sandbox to detect malicious behavior. Avoid uploading attachments to public repositories like VirusTotal to prevent attackers from detecting the investigation and potentially bypassing detection mechanisms.
    4. Email Header Analysis
       - Obtain the email header from the email properties.
       - Perform header analysis using MXToolbox: select "Header Analysis", paste the header and submit for a detailed report.
       - Verify SPF, DKIM, and DMARC statuses.
    5. SPF, DKIM, and DMARC Verification
       SPF (Sender Policy Framework)
       - Authentication protocol specifying which IP addresses are authorized to send emails for a domain.
       - SPF Alignment: if the "From" field matches the "Return-Path" field, SPF alignment passes; otherwise, it fails.
       - SPF Authentication: if the sender's IP is authorized to send on behalf of the domain, SPF authentication passes; otherwise, it fails.
       DKIM (DomainKeys Identified Mail)
       - Uses a digital signature to verify the sender's domain and ensure email integrity.
       - DKIM Alignment: if the "DKIM Signature" domain matches the "From" domain, DKIM alignment passes; otherwise, it fails.
       - DKIM Authentication: if the DKIM signature is invalid, the email may have been modified during transit.
       DMARC (Domain-based Message Authentication, Reporting & Conformance)
       - Builds on SPF and DKIM.
       - DMARC Policies:
         - None: if SPF and DKIM both pass, the email is delivered to the inbox.
         - Quarantine: if either SPF or DKIM fails, the email goes to the spam/junk folder.
         - Reject: if both SPF and DKIM fail, the email is dropped/rejected.
    6. Mail Gateway Analysis
       - Review fields like From, To, Return-Path, Subject Line, Message ID.
       - Verify how many users received the email from the same domain/email ID.
       - Export email details for documentation.
    7. Reporting and Mitigation
       - Document: analysis details, findings, IOCs (Indicators of Compromise), GTI (Global Threat Intelligence) details.
       - Share the findings with relevant teams.
       - Coordinate with Network/IT/Admin teams to block the malicious email, domain, IP, and hash.

  • Prashant Kumar

    CEH | SOC Lead | Endpoint Security | Kaspersky | TrendMicro |SOC | Incident Response | SIEM | IBM QRadar | SOAR | Resilient | Vulnerability Management | Qualys

    23,484 followers

    What is Email Phishing Analysis?

    When a suspicious email is reported to the security team, what analysis will you perform as a SOC Analyst?

    1. Sender and Domain Analysis
       - Verify the sender's email ID and domain.
       - Check the domain reputation using tools like VirusTotal, MXToolbox, IPVoid.
       - Analyze domain details: registration date, owner information.
    2. Subject Line Analysis
       - Examine the subject line to determine the intent of the email: phishing, social engineering, promotional content.
    3. Email Body Analysis
       - Look for Indicators of Compromise (IOCs), such as:
         - Urgency tactics. Example: "Reset your account within an hour, or it will be disabled."
         - Phishing URLs: embedded URLs (e.g., within an "unsubscribe" button) designed to mislead users. Check the reputation of such URLs using trusted tools.
         - Attachments: analyze suspicious attachments in a sandbox to detect malicious behavior. Avoid uploading attachments to public repositories like VirusTotal to prevent attackers from detecting the investigation and potentially bypassing detection mechanisms.
    4. Email Header Analysis
       - Obtain the email header from the email properties.
       - Perform header analysis using MXToolbox: select "Header Analysis", paste the header and submit for a detailed report.
       - Verify SPF, DKIM, and DMARC statuses.
    5. SPF, DKIM, and DMARC Verification
       SPF (Sender Policy Framework)
       - Authentication protocol specifying which IP addresses are authorized to send emails for a domain.
       - SPF Alignment: if the "From" field matches the "Return-Path" field, SPF alignment passes; otherwise, it fails.
       - SPF Authentication: if the sender's IP is authorized to send on behalf of the domain, SPF authentication passes; otherwise, it fails.
       DKIM (DomainKeys Identified Mail)
       - Uses a digital signature to verify the sender's domain and ensure email integrity.
       - DKIM Alignment: if the "DKIM Signature" domain matches the "From" domain, DKIM alignment passes; otherwise, it fails.
       - DKIM Authentication: if the DKIM signature is invalid, the email may have been modified during transit.
       DMARC (Domain-based Message Authentication, Reporting & Conformance)
       - Builds on SPF and DKIM.
       - DMARC Policies:
         - None: if SPF and DKIM both pass, the email is delivered to the inbox.
         - Quarantine: if either SPF or DKIM fails, the email goes to the spam/junk folder.
         - Reject: if both SPF and DKIM fail, the email is dropped/rejected.
    6. Mail Gateway Analysis
       - Review fields like From, To, Return-Path, Subject Line, Message ID.
       - Verify how many users received the email from the same domain/email ID.
       - Export email details for documentation.
    7. Reporting and Mitigation
       - Document: analysis details, findings, IOCs (Indicators of Compromise), GTI (Global Threat Intelligence) details.
       - Share the findings with relevant teams.
       - Coordinate with Network/IT/Admin teams to block the malicious email, domain, IP, and hash.
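The header checks described in steps 4 and 5 of the two posts above (From versus Return-Path for SPF alignment, the DKIM-Signature d= domain versus From for DKIM alignment, and the resulting DMARC disposition) as an added Python example; this is not code from either post. It takes the SPF/DKIM pass/fail verdicts from the gateway's Authentication-Results header rather than re-verifying signatures itself, trusts that header only when it carries the assumed authserv-id mx.corp.example (a sender can prepend a forged one), and follows RFC 7489 in treating DMARC as passed when at least one mechanism both authenticates and aligns. The two messages are constructed samples, and the two-label organizational-domain rule is a simplification of the Public Suffix List.

```python
"""Header triage for a reported email: SPF/DKIM alignment and DMARC outcome.

Added example (not from the LinkedIn posts). Standard library only; the two
messages and the gateway name mx.corp.example are constructed/assumed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: display name and From domain spoof corp.example, but the
# message was sent (and DKIM-signed) by an unrelated domain.
PHISH = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mailer.example.net; dkim=pass header.d=mailer.example.net
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=sel1; h=from:to:subject; bh=...; b=...
From: "IT Helpdesk" <helpdesk@corp.example>
To: someone@corp.example
Subject: Reset your account within an hour, or it will be disabled
Message-ID: <20240101.1@mailer.example.net>

Click the unsubscribe button below to keep your account.
"""

# Constructed sample: a legitimately authenticated and aligned message.
LEGIT = """\
Return-Path: <noreply@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
DKIM-Signature: v=1; a=rsa-sha256; d=corp.example; s=sel1; h=from:to:subject; bh=...; b=...
From: "IT Helpdesk" <noreply@corp.example>
To: someone@corp.example
Subject: Monthly maintenance window
Message-ID: <20240101.2@corp.example>

Scheduled maintenance this weekend.
"""

URGENCY_PATTERNS = ("within an hour", "will be disabled", "immediately", "urgent")
TRUSTED_AUTHSERV = "mx.corp.example"  # assumed authserv-id of our own gateway


def domain_of(header_value):
    """Lowercase domain of the address in a From/Return-Path header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Organizational domain for relaxed alignment. Simplification: last two
    labels; production code should consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def aligned(d1, d2, strict=False):
    """Strict alignment = exact match; relaxed = same organizational domain."""
    if not d1 or not d2:
        return False
    return d1 == d2 if strict else org_domain(d1) == org_domain(d2)


def parse_auth_results(value, trusted_authserv=TRUSTED_AUTHSERV):
    """Method -> result from Authentication-Results, but only when the header
    names our own gateway: a sender can prepend a forged one."""
    authserv, _, rest = (value or "").partition(";")
    if authserv.strip().lower() != trusted_authserv.lower():
        return {}
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest)}


def dkim_signing_domain(value):
    """The d= tag of a DKIM-Signature header (empty if absent)."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", value or "")
    return m.group(1).lower() if m else ""


def analyze(raw, dmarc_policy="reject"):
    """Reproduce the alignment/authentication checks of steps 4-5 and decide
    the DMARC disposition for the given published policy (none/quarantine/reject)."""
    msg = message_from_string(raw, policy=policy.default)
    header_from = domain_of(msg["From"])
    return_path = domain_of(msg["Return-Path"])
    dkim_d = dkim_signing_domain(msg["DKIM-Signature"])
    results = parse_auth_results(msg["Authentication-Results"])

    spf_auth = results.get("spf") == "pass"
    dkim_auth = results.get("dkim") == "pass"
    spf_aligned = aligned(return_path, header_from)
    dkim_aligned = aligned(dkim_d, header_from)
    # RFC 7489: DMARC passes when at least one mechanism authenticates AND aligns.
    dmarc_pass = (spf_auth and spf_aligned) or (dkim_auth and dkim_aligned)
    disposition = "deliver" if dmarc_pass or dmarc_policy == "none" else dmarc_policy

    body = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + " " + (body.get_content() if body else "")
    urgency = [p for p in URGENCY_PATTERNS if re.search(p, text, re.I)]

    return {"header_from": header_from, "return_path": return_path, "dkim_d": dkim_d,
            "spf_auth": spf_auth, "spf_aligned": spf_aligned,
            "dkim_auth": dkim_auth, "dkim_aligned": dkim_aligned,
            "dmarc_pass": dmarc_pass, "disposition": disposition,
            "urgency_hits": urgency}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw))
```

Run as a script it prints the triage result for both samples; to use it on a reported email, pass the raw text of the saved .eml to `analyze` and set `dmarc_policy` to what the From domain actually publishes. The phish sample is the case the posts warn about: SPF and DKIM both "pass" at the gateway, yet neither aligns with the From domain, so DMARC fails and the verdict depends entirely on whether the domain owner has moved past p=none.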

  • 🛡️Jay Kerai

    Cybersecurity Automation Architect ∫ Microsoft MVP ∫ MSc. Cybersecurity & Artificial Intelligence ∫ Devfender ∫ 66x Microsoft Certified

    10,590 followers

    [Email Security - Falling at first hurdles?]

    Email Security failures I am still seeing:
    - DMARC still in p=none with no reporting (how will you progress to reject without reporting?)
    - DMARC on .onmicrosoft[.]com domains -> these may be acting as SMTP proxy domains.
    - Email Encryption
    - Not empowering users to be proactive with malicious emails with user tips (are you really getting your ROI on security awareness training?)
    - Improper scoping of Defender for Office policies to groups/users instead of domains, such as Safe Attachment policies when no further fine-graining policies are applied
    - Not extending Domain impersonation to all domains you own + any partners/suppliers/subsidiaries
    - Not using user impersonation for VIP users
    - Not blocking Email AutoForwarding (common persistence technique - there are countless ways to limit/block this in #Exchange or MDO)
    - Not using TABL to block abused TLDs (both domains and URLs)
    - Using complicated rule exceptions instead of SecOps mailboxes for security teams
    - Doubling up on Email Gateways needlessly and watching them both not work in their best capacity (journalling is honestly a valid use-case for dual gateways)
    - Allowing domains to bypass anti-spam instead of using an Exchange Transport rule
    - Not checking your homework with Config Analyzer

    Email security can be intimidating in Defender, with many buttons and policies you can enable (I encourage you to check out these mindmaps https://lnkd.in/eJ3j8UQk by James Agombar). Chances are, if malicious emails are getting in/out then there is still hardening that can be done. This is not a complete list of things you can do; there are plenty of things you can add on top, but please, please don't forget the basics such as DMARC. Every time I see a major breach in the news I always check DMARC and 7/10 times it's not correctly configured (causation or correlation? We'll never know), and 99% of the time they haven't configured DMARC for their MOERA domain, which may be acting as the #SMTP proxy address.

    There's also the more debatable MDO controls such as dynamic delivery... personally I think it's best left off as it can be a bad UX and a bad experience for a #SOC responder trying to purge emails. I also think allowing end users to control their own safe senders is a SOC responder nightmare as it overrides admin controls. With collaboration now extending to other areas such as Teams, Slack, there is yet another set of policies and controls to enable... maybe I'll talk about those in another post.

    #Purview #MDO #Defender #Phish #Security #Cybersecurity #DefenceInDepth
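The first item in the post above (DMARC left at p=none with no reporting, and not checked across every domain you own, proxy domains included) as an added Python posture check; this is not the author's code. It parses a DMARC TXT record into its tags and flags the settings that leave a domain exposed or unmeasurable: no record, p=none, no rua= aggregate reporting address, a pct below 100, or a subdomain policy (sp=) weaker than p=. The record strings and the `FAKE_DNS` table are constructed; `txt_lookup` is a hypothetical hook that a real deployment would back with a DNS query for the TXT record at _dmarc.<domain>.

```python
"""Posture check for DMARC records across an organisation's domains.

Added example (not from the post). Records and the lookup table are
constructed; txt_lookup is a stand-in for a real DNS TXT query.
"""
from typing import Callable, Dict, List, Optional

# Human-readable explanation for each finding code.
MESSAGES = {
    "no_record": "no DMARC record published; receivers apply no policy",
    "not_dmarc": "TXT record is not a valid DMARC record (v=DMARC1 missing)",
    "bad_p": "policy tag p= missing or invalid",
    "p_none": "p=none: failing mail is still delivered (monitor only)",
    "no_rua": "no rua= aggregate reporting address; nothing to measure before moving to quarantine/reject",
    "partial_pct": "pct below 100: policy applied to only a fraction of failing mail",
    "sp_weaker": "sp= is weaker than p=; subdomains get a looser policy",
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[str]:
    """Return finding codes for one record (empty list = no weakness found)."""
    if record is None:
        return ["no_record"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not_dmarc"]
    findings = []
    p = tags.get("p", "").lower()
    if p not in POLICY_RANK:
        findings.append("bad_p")
    elif p == "none":
        findings.append("p_none")
    if not tags.get("rua"):
        findings.append("no_rua")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("partial_pct")
    # sp= defaults to p=; flag it only when it is explicitly looser.
    sp = tags.get("sp", p).lower()
    if sp in POLICY_RANK and p in POLICY_RANK and POLICY_RANK[sp] < POLICY_RANK[p]:
        findings.append("sp_weaker")
    return findings


def assess_domains(domains, txt_lookup: Callable[[str], Optional[str]]) -> Dict[str, List[str]]:
    """Run the check across every domain you own or route mail through.
    txt_lookup(name) returns the TXT string at _dmarc.<domain>, or None."""
    return {d: assess_dmarc(txt_lookup(f"_dmarc.{d}")) for d in domains}


# Constructed inventory standing in for DNS answers (tenant.example has none).
FAKE_DNS = {
    "_dmarc.corp.example": "v=DMARC1; p=none",
    "_dmarc.shop.example": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@corp.example",
    "_dmarc.mail.example": "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example; ruf=mailto:dmarc-forensic@corp.example",
}


def demo() -> Dict[str, List[str]]:
    """Assess the constructed inventory using the fake resolver."""
    domains = ["corp.example", "shop.example", "mail.example", "tenant.example"]
    return assess_domains(domains, FAKE_DNS.get)


if __name__ == "__main__":
    for domain, codes in demo().items():
        print(domain, [MESSAGES[c] for c in codes] or ["ok"])
```

The check is deliberately driven by an inventory of domains rather than a single record, which is the point the post makes: the primary domain at p=reject says nothing about a secondary or proxy domain that still has no record at all. Swap `FAKE_DNS.get` for a function that performs the real TXT query to run it against live DNS.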
