
Phishing Playbook Building PreRequisites

Read Inbox - Email Connection

There are 3 types of email servers:

Exchange

Enable Exchange account with app password

  1. Login to your Outlook on the web

  2. Click on your Profile icon on the top right and then My Microsoft Account

  3. Switch to Security

  4. Select Advanced Security Options

  5. Under App passwords, select Create a new app password. A new app password is generated and appears on your screen.

GSuite

Enable Google account with app password

  1. Login to your Gmail

  2. Click on Settings icon on the top right and then See all Settings

  3. Switch to Forwarding and POP/IMAP

  4. Enable IMAP from IMAP Access

  5. Save Changes and come back to your Inbox

  6. Now, open your profile and Manage your Google Account

  7. Switch to Security

  8. Scroll down to Signing into Google and click on App Passwords

  9. Generate a new App password

IMAP

For a custom email server, follow that provider's own IMAP instructions.

Analyze URL / Attachments - Tools

VirusTotal

Sign up on the VirusTotal website and get an API key.

Hybrid Analysis

Sign up on the Hybrid Analysis website and get an API key.

Analyze Headers - Tools

MXToolBox

Sign up on the MXToolBox website and get an API key.

Analyze Urgency words in Subject / Body - Custom List

As of now, we can manually modify the following custom lists:

  1. phishing_common_attack_subject_lines - Used in subject analysis

  2. phishing_urgency_word_list - Used in body analysis

Output - Send Email - Connection

Exchange / GSuite / SMTP

Follow the SMTP setup instructions in the same way as the IMAP instructions above.
This is required in order to send out the final phishing analysis report via email.

Output - Case Creation

Case Management Integration

Right now, we can use the System Integration Connection with the Default case type.

Other Connections

If asked for a connection elsewhere (say, in a module), use the System Integration Connection.

[Testing] Setting up Inbox with Phishing Emails

Case 1: Direct emails

  1. Simply send out some emails from <Attacker Email> to <Your Phishing Inbox>

  2. Vary emails with suspicious attachments, URLs, body & subject keywords

Case 2: EML attachments

  1. Send emails from <Attacker Email> to <Victim Inbox>

  2. Download the .eml file for that email

  3. Send email from <Victim Inbox> to <Your Phishing Inbox> with the original .eml attached

  4. Again, vary emails for different phishing attack scenarios
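The following is an added example, not part of the playbook itself, showing what the inbox-reading step has to handle for both test cases above and for the custom-list checks from the "Analyze Urgency words" section: a Case 2 mail arrives with the attacker's original message as a message/rfc822 (.eml) attachment, so the analysis must unwrap it before scoring the subject and body. The list contents, addresses and headers are constructed stand-ins; the real phishing_common_attack_subject_lines and phishing_urgency_word_list are maintained in the playbook.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed stand-ins for the playbook's two custom lists (assumed contents).
PHISHING_COMMON_ATTACK_SUBJECT_LINES = ["account suspended", "verify your account", "invoice due"]
PHISHING_URGENCY_WORD_LIST = ["urgent", "immediately", "within 24 hours", "final notice"]
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def unwrap_forwarded_eml(msg: EmailMessage) -> EmailMessage:
    """Case 2: if the mail carries the original as a message/rfc822 (.eml)
    attachment, analyze the inner message rather than the forwarding wrapper."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return unwrap_forwarded_eml(part.get_payload(0))
    return msg

def analyze_eml(raw: bytes) -> dict:
    """Pull out what the playbook scores: subject-line and urgency-word hits,
    URLs, attachment names and the Authentication-Results header."""
    msg = unwrap_forwarded_eml(email.message_from_bytes(raw, policy=policy.default))
    subject, body, attachments = (msg["Subject"] or "").lower(), "", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_content()
    return {
        "from": str(msg["From"]),
        "subject_hits": [s for s in PHISHING_COMMON_ATTACK_SUBJECT_LINES if s in subject],
        "urgency_hits": [w for w in PHISHING_URGENCY_WORD_LIST if w in body.lower()],
        "urls": sorted(set(URL_RE.findall(body))),
        "attachments": attachments,
        "auth_results": str(msg["Authentication-Results"] or ""),
    }

def build_sample_case2() -> bytes:
    """Constructed test mail: a Case 2 forward with the attacker's original .eml attached."""
    inner = EmailMessage()
    inner["From"], inner["To"] = "attacker@example.net", "victim@example.com"
    inner["Subject"] = "Account suspended - act immediately"
    inner["Authentication-Results"] = "mx.example.com; spf=fail smtp.mailfrom=example.net"
    inner.set_content("Verify immediately, within 24 hours, at http://login.example.net/verify or lose access.")
    inner.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename="invoice.zip")
    outer = EmailMessage()
    outer["From"], outer["To"] = "victim@example.com", "phishing-inbox@example.com"
    outer["Subject"] = "FW: suspicious mail"
    outer.set_content("Forwarding for analysis.")
    outer.add_attachment(inner)  # attached as message/rfc822, as a mail client does with an .eml
    return outer.as_bytes()
```

Calling `analyze_eml(build_sample_case2())` returns the attacker's address, the subject and urgency hits, the URL and the attachment name from the inner message, not from the forwarding wrapper; feeding a plain Case 1 mail through the same function skips the unwrap step.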