Step 1.1 - Investigation of a Malware Attack

Goal

Demonstrate the investigation of a malware attack against the Office 365 users.

Show how Harmony Email & Collaboration analyzes and responds to each event.

Discussion points

  • Check Point ThreatCloud, SmartPhish and SandBlast engines block malicious messages, including malicious attachments and links, before they reach users' mailboxes.

  • Content Disarm and Reconstruction (Threat Extraction) instantly delivers sanitized copies of files to users while the originals are still being emulated.

  • Advanced malware protection for cloud email and productivity suites without impacting business productivity.

Malware attack investigation

Instructions

Step 1 - Click on the Malware Events view.

Step 2 - Review the existing events.

Step 3 - Click on one of the Remediated events to analyze it.

Step 4 - Start from the Email Profile section to understand the email's information, format and status.

The following information is available:

  1. Sender and all recipients – who sent the message and who received it.

  2. Mail subject and content type – the content type shows whether the body is plain text (lower risk) or HTML (higher risk, since an HTML body can carry links and active content).

  3. Email received date and time.

  4. Is Deleted – shows whether the email still poses a risk, i.e. whether users still have access to it and its files. If it is deleted, users can no longer access the email.

    The deleted status shows "yes" if Harmony Email & Collaboration has acted on the message or if the user has deleted it.

  5. Additional details such as the raw headers and body can be reviewed, and the mail can be downloaded for further analysis.

  6. From this section you can also manually quarantine an email, or restore a quarantined email from quarantine.
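When the mail is downloaded for further analysis (item 5 above), the same fields the Email Profile shows can be pulled from the raw .eml offline. The script below is an added example, not part of this lab or of Harmony Email & Collaboration: it parses a constructed sample message (not a real capture) with the Python standard library, extracts sender and recipients, subject, date, the body content types, the Received-header hops in chronological order, any URLs in the body and each attachment's SHA-256, and raises the two risk flags the profile notes hint at (HTML body, macro or executable attachment extension). The extension list and the flag wording are this example's own choices.

```python
"""Offline triage of a downloaded .eml (added example, not Harmony code)."""
import email
import hashlib
import os
import re
from email import policy
from email.utils import parsedate_to_datetime

# Extensions this example treats as high risk (assumption, not a product list).
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".exe", ".scr", ".js", ".vbs",
                    ".hta", ".lnk", ".iso", ".ps1"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample message: two Received hops, plain-text + HTML body, one attachment.
SAMPLE_EML = b"""\
Received: from mx.example.net (mx.example.net [203.0.113.10])
 by inbound.example.com with ESMTPS; Tue, 05 Mar 2024 09:12:31 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
 by mx.example.net with ESMTP; Tue, 05 Mar 2024 09:12:30 +0000
From: "Accounts" <billing@example.net>
To: alice@example.com, Bob <bob@example.com>
Cc: carol@example.com
Subject: Overdue invoice
Date: Tue, 05 Mar 2024 09:12:29 +0000
Message-ID: <sample-1@example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--inner
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the <a href="http://198.51.100.7/inv">attached invoice</a>.</p></body></html>
--inner--
--outer
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--outer--
"""


def _addrs(msg, name):
    """All addr-specs in every header called `name` (From/To/Cc)."""
    return [a.addr_spec for h in msg.get_all(name, []) for a in h.addresses]


def _parse_hop(received):
    """Pull the 'from' host, its bracketed IPv4 and the 'by' host out of one Received header."""
    m_from = re.search(r"from\s+(\S+)", received)
    m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    m_by = re.search(r"\bby\s+(\S+)", received)
    return {"from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None}


def analyze_eml(raw: bytes) -> dict:
    """Return the Email Profile style summary plus attachment hashes and risk flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Received headers are prepended by each relay, so reversing gives origin first.
    hops = [_parse_hop(str(h)) for h in reversed(msg.get_all("Received", []))]
    report = {"sender": _addrs(msg, "From"),
              "recipients": _addrs(msg, "To") + _addrs(msg, "Cc"),
              "subject": str(msg["Subject"]),
              "date": parsedate_to_datetime(str(msg["Date"])).isoformat(),
              "hops": hops, "body_types": [], "urls": [], "attachments": [], "risk_flags": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "(unnamed)"
            ext = os.path.splitext(name)[1].lower()
            report["attachments"].append({"filename": name, "content_type": part.get_content_type(),
                                          "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
                                          "magic": data[:4].hex()})
            if ext in RISKY_EXTENSIONS:
                report["risk_flags"].append(f"attachment {name} has macro/executable extension {ext}")
        else:
            ctype = part.get_content_type()
            report["body_types"].append(ctype)
            if ctype.startswith("text/"):
                report["urls"].extend(URL_RE.findall(part.get_content()))
    if "text/html" in report["body_types"]:
        report["risk_flags"].append("HTML body present (can carry links and active content)")
    if hops and hops[0]["from"] and hops[0]["from"].startswith("["):
        report["risk_flags"].append("originating hop identifies itself only by an IP literal")
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_eml(SAMPLE_EML), indent=2))
```

The SHA-256 of each attachment is what you would search for in the Live Event log or submit for emulation; the "magic" bytes (here `504b0304`, a ZIP/OOXML container) tell you whether the file really is what its extension claims.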

Step 5 - The second part of the analysis is the Security Stack, where you can view the verdicts of all the Check Point inspection services.

Only verdicts from services that actually inspected the email are shown.

Step 6 - Clicking on a malicious file in this section, or on any file in the Email attachments section, lets you analyze the attachment detection results in more depth.

Note - Every file detected as malicious is marked, and files that were not detected as malicious can still be investigated. The information on every file can be analyzed further through the attachment info.

Step 7 - We will now analyze the malicious attachment file.

Best practice - when performing analysis, right-click and open in a new tab; otherwise the same tab is reused, which makes a wide-ranging analysis harder.

Step 8 - Attachment Analysis shows different types of information, including:

  1. Security stack – the detection information from each inspection service.

    1. From here you can press View Report on the Threat Emulation detection to view the emulation report. The emulation report is available only for malicious files. Press View Report and go through the Threat Emulation report to learn more about the malware.

    2. Clicking 'Create Allow-List' creates an exception for that specific file. Since this lets the same file through in future, only do it after the emulation report and the attachment info have convinced you the detection is a false positive.

    3. Navigate to Settings > Anti-Malware Exceptions to review all the allowed files.

  2. Email recipients – all recipients that received, or were supposed to receive, the attachment.

  3. Live Event log – all the relevant logs regarding this attachment.

Step 9 - You can continue to review the event and its related information.