Step 1.2 - Investigation of Phishing attack

Goal

Demonstrate an investigation of the phishing attack against each of the Office 365 users.

Show Harmony Email & Collaboration analysis and response to each event.

Discussion points

  • Block sophisticated phishing attacks such as social engineering, impersonation attempts and BEC-based threats using Harmony Email & Collaboration SmartPhish and the ThreatCloud platform.

  • Real-time static and dynamic machine-learning inspection that improves phishing detection accuracy and reduces false positives.

Phishing attack investigation

Instructions

Step 1

Click on the Phishing Events view.

Step 2

Review the existing events.

Step 3

Click on the email in the event description to view user information, metadata, and internal and external collaborators.

Step 4

Return to the events view and click the email subject in the event details to analyze the event further.

Step 5

Start with the Email Profile section to understand the message's metadata, format and status.

The following information is available:

  1. From and all Recipients – who sent the message and who received it.

  2. Mail Subject and Content Type – the content type shows whether the body is plain text (lower risk) or HTML (higher risk, since links are clickable and the displayed link text can differ from the actual target).

  3. Email received date and time.

  4. Is Deleted – whether the email still poses a risk: if the message has been deleted, users can no longer open it or its attachments.

    The deleted status shows “Yes” if Harmony Email & Collaboration has acted on the message or if the user has deleted it.

  5. User Aliases – all aliases of the recipient user.

  6. Sender is external – the sender is from outside the organization, which raises the likelihood of phishing.

  7. Any recipient is external – at least one recipient is outside the organization, so the message was not purely internal.

  • You can also review the raw headers and body, and download the message for offline analysis.

  • From this section you can manually quarantine the email, or restore it from quarantine if it has already been quarantined.
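The profile fields above can also be reproduced offline from a message downloaded through the portal, which is useful when you want to triage many events consistently. The script below is an added example written for this guide; it is not part of Harmony Email & Collaboration and uses only the Python standard library. It parses a raw .eml, extracts sender, recipients, subject, date and content type, decides whether the sender or any recipient is external relative to an assumed organization domain (contoso.com here), and pulls the link targets out of an HTML body so the analyst can compare them with the sender domain. The message it parses is constructed for the example and is not a real phishing sample. Portal-only fields such as Is Deleted and User Aliases are not recoverable from the raw mail and are deliberately left out.

```python
"""Offline triage of a downloaded .eml using the Email Profile checks from the lab.

Added example for this guide, not product code. It assumes the analyst has
downloaded the raw message from the portal and knows the organization's own
mail domains (here the hypothetical contoso.com).
"""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample message (not real): external sender, one internal and one
# external recipient, HTML body with a link pointing at a third-party host.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example-support.net>
To: alice@contoso.com, bob@partner.org
Cc: Alice Alias <a.smith@contoso.com>
Subject: Password expires today - action required
Date: Mon, 04 Mar 2024 09:12:33 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today.
<a href="http://secure-reset.example.org/reset">Click here to keep your account</a></p></body></html>
"""

ORG_DOMAINS = {"contoso.com"}  # assumed organization domains for the example


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _flags(profile: dict) -> list[str]:
    """Turn the extracted fields into the risk indicators the lab calls out."""
    flags = []
    if profile["sender_is_external"]:
        flags.append("external sender")
    if profile["has_html"]:
        flags.append("HTML body with clickable links" if profile["links"] else "HTML body")
    sender_domain = _domain(profile["sender"])
    for link in profile["links"]:
        host = (urlparse(link).hostname or "").lower()
        # A link that does not belong to the sender's domain deserves a closer look.
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            flags.append(f"link host {host} does not match sender domain {sender_domain}")
    if profile["any_recipient_external"]:
        flags.append("mixed internal and external recipients")
    return flags


def profile_message(raw: bytes, org_domains: set[str]) -> dict:
    """Extract the Email Profile fields an analyst reviews first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    org = {d.lower() for d in org_domains}

    sender = parseaddr(str(msg.get("From", "")))[1]
    recipients = [addr for _, addr in getaddresses(
        [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])])]

    # get_body() handles both single-part and multipart messages.
    html_part = msg.get_body(preferencelist=("html",))
    links = []
    if html_part is not None:
        links = re.findall(r'href=["\']([^"\']+)["\']', html_part.get_content(), flags=re.I)

    profile = {
        "sender": sender,
        "recipients": recipients,
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "content_type": msg.get_content_type(),
        "has_html": html_part is not None,
        "sender_is_external": _domain(sender) not in org,
        "any_recipient_external": any(_domain(r) not in org for r in recipients),
        "links": links,
    }
    profile["flags"] = _flags(profile)
    return profile


if __name__ == "__main__":
    for key, value in profile_message(SAMPLE_EML, ORG_DOMAINS).items():
        print(f"{key}: {value}")
```

Run it against a message saved from the portal by reading the file in binary mode and passing the bytes to profile_message together with your real domains. The link-host check is a deliberately simple heuristic: it flags any link whose host is not under the sender's domain, which catches the common case where a "reset your password" mail points somewhere else entirely but will also flag legitimate third-party links, so treat it as a prompt for review rather than a verdict.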

Step 6

The second part of the analysis is the Security Stack, which shows the verdict of each Check Point inspection service that processed the email. Only services that actually inspected the email display a verdict.

  • Below is an example of an Anti-Phishing detection.

  • The Anti-Phishing inspection service also lets you give feedback through the HEC portal; the information you provide is fed back to the machine-learning models and improves the accuracy of the Anti-Phishing inspection service.

Step 7

Live Event Log – shows all logs relevant to this event.