Phishing Playbook Building Prerequisites
Read Inbox - Email Connection
There are 3 types of email servers:
Exchange
Enable Exchange account with app password
Login to your Outlook on the web
Click on your Profile icon on the top right and then My Microsoft Account
Switch to Security
Select Advanced Security Options
Under App passwords, select Create a new app password. A new app password is generated and appears on your screen.
GSuite
Watch demo - How to connect your IMAP server to Devo SOAR
Enable Google account with app password
Login to your Gmail
Click on Settings icon on the top right and then See all Settings
Switch to Forwarding and POP/IMAP
Enable IMAP from IMAP Access
Save Changes and come back to your Inbox
Now, open your profile and Manage your Google Account
Switch to Security
Scroll down to Signing into Google and click on App Passwords
Generate a new App password
IMAP
For a custom email server provider, follow that provider's IMAP instructions.
Analyze URL / Attachments - Tools
VirusTotal
Sign up on the VirusTotal website and get an API key.
Watch demo - How to Connect VirusTotal to Devo SOAR
Hybrid Analysis
Sign up on the Hybrid Analysis website and get an API key.
Analyze Headers - Tools
MXToolBox
Sign up on the MXToolBox website and get an API key.
Analyze Urgency words in Subject / Body - Custom List
As of now, we can manually modify the following custom lists:
phishing_common_attack_subject_lines
- Used in subject analysis
phishing_urgency_word_list
- Used in body analysis
Output - Send Email - Connection
Exchange / GSuite / SMTP
Watch demo - How to connect your SMTP server to Devo SOAR
Follow the SMTP setup instructions, which mirror the IMAP instructions above.
This is required in order to send out the final phishing analysis report via email.
Output - Case Creation
Case Management Integration
Right now, we can use the System Integration Connection with the Default case type.
Other Connections
If asked for a connection elsewhere (say, in a module), use the System Integration Connection.
[Testing] Setting up Inbox with Phishing Emails
Case 1: Direct emails
Simply send out some emails from <Attacker Email> to <Your Phishing Inbox>
Vary emails with suspicious attachments, URLs, body & subject keywords
Case 2: EML attachments
Send emails from <Attacker Email> to <Victim Inbox>
Download the .eml file for that email
Send email from <Victim Inbox> to <Your Phishing Inbox> with original .eml attached
Again, vary emails for different phishing attack scenarios
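The two word-list checks (subject and body) and the two inbox test cases above, worked through as an added example that is not part of Devo SOAR or this page: a Python script that unpacks a forwarded .eml (Case 2) or takes the message itself (Case 1), then matches the original's subject and body against constructed stand-ins for phishing_common_attack_subject_lines and phishing_urgency_word_list. The word lists, addresses and message text are constructed sample data.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed stand-ins for the Devo SOAR custom lists
# phishing_common_attack_subject_lines (subject) and phishing_urgency_word_list (body).
SUBJECT_LINES = {"account suspended", "password expired", "invoice overdue"}
URGENCY_WORDS = {"immediately", "urgent", "within 24 hours", "final notice"}

def extract_original(msg: EmailMessage) -> EmailMessage:
    """Case 2: a forwarded .eml arrives as a message/rfc822 part; return the
    embedded original. Case 1: no such part, so the message itself is the sample."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)  # payload of an rfc822 part is [EmailMessage]
    return msg

def analyze(raw: bytes) -> dict:
    """Score one raw RFC 5322 message against the two word lists."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    original = extract_original(msg)
    subject = str(original["Subject"] or "").lower()
    body_part = original.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    return {
        "nested_eml": original is not msg,
        "from": str(original["From"]),
        "subject_hits": sorted(s for s in SUBJECT_LINES if s in subject),
        "urgency_hits": sorted(w for w in URGENCY_WORDS if w in body),
    }

def build_sample(nested: bool) -> bytes:
    """Constructed test mail. nested=False is Case 1 (attacker -> phishing inbox);
    nested=True is Case 2 (victim forwards the attacker's mail as an .eml attachment)."""
    inner = EmailMessage()
    inner["From"] = "attacker@example.test"
    inner["To"] = "victim@example.test"
    inner["Subject"] = "Action required: account suspended"
    inner.set_content("Verify your credentials immediately, within 24 hours, or lose access.")
    if not nested:
        return inner.as_bytes()
    outer = EmailMessage()
    outer["From"] = "victim@example.test"
    outer["To"] = "phishing-inbox@example.test"
    outer["Subject"] = "FW: suspicious mail"
    outer.set_content("Forwarding this one for analysis.")
    outer.add_attachment(inner, filename="original.eml")  # becomes message/rfc822
    return outer.as_bytes()
```

Running analyze(build_sample(nested=True)) reports the attacker address and the matched terms from the inner message, not from the victim's forwarding wrapper.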