
Recently my organisation has been flooded with phishing e-mails with different approaches: pretending to be Reddit or LinkedIn information about a new follower or package delivery status/problems, etc.

Every malicious e-mail is delivered from a different domain; they contain slightly different message bodies and subjects, and various links.

I suspect this campaign is created with some kind of automated tool (automated domain registration, template e-mail with parameters...).

Different e-mail sender addresses, IPs and headers make it difficult to block on the e-mail server side. So I'm trying to find another solution to block this, for example blocking the links in these e-mails at the web filter level.

What I see in common in every e-mail is links to a PHP script with two parameters: utm_source and utm_content

http://[domain1.com]/[some-script.php]?utm_source=1&utm_content=510ad2e
http://[domain2.com]/wp-content/uploads/2021/[some-script.php]?utm_source=483edc7a&utm_content=e1ed
http://[domain3.com]/[some-script.php]?utm_source=dc3abe0&utm_content=f7a642

It still isn't a strong indicator. I think many legitimate links can also have these two parameters, but it's a start.

Does anyone know the tools this campaign was created with, or maybe some common parameters and functions that can indicate it should be blocked (at the e-mail server level or the web filter level)?

What common e-mail body or headers indicators can I filter on?

deevee
  • All those links are not HTTPS. Is that relevant? – schroeder Feb 11 '22 at 11:27
  • As far as I see, yes, most of them are not HTTPS. But it's also not a very strong indicator to block, I guess – deevee Feb 11 '22 at 12:06
  • That's a ***very*** good indicator to block... – schroeder Feb 11 '22 at 12:51
  • You ask what to filter on, but then can't provide any details about the body or header. You provide no details except for the URLs, then ask what tool was used to create the cross-domain, multi-subject campaign (and only assuming that it's a single threat actor and a single tool and a single campaign). With what you've given us, we can only guess. And since you have a security provider, you need to work with *them* to devise a proper filter. – schroeder Feb 11 '22 at 12:58
  • Ok, sorry for not providing enough info except the few common things I noticed. It's easy to say "work with your provider" - support companies also fail in such a detailed and changing problem, that's why I posted this question here searching for more community help, maybe to find others facing the same issue. Disappointing of you to close this question and prevent other community members from giving other answers, but anyway thanks for your time – deevee Feb 11 '22 at 15:14
  • Oh, and the question was not what to filter exactly but whether anyone knows tools it could have been created with, so as to search for some more patterns or indicators.. – deevee Feb 11 '22 at 15:16
  • And, as I said, if you could provide ***any*** details, then maybe someone could answer you. As the notice clearly says, if you add details, we can look at reopening it. All you have done is to bold the questions. – schroeder Feb 11 '22 at 17:13
  • For example, there is absolutely nothing you have provided that would lead anyone to conclude that it is anything but several different actors and campaigns. It's only your supposition that it is a single actor (and tool) that might be blocked. So, add some details. – schroeder Feb 11 '22 at 17:15
  • Your vendor will have access to the actual emails and will be able to divine the commonalities. – schroeder Feb 11 '22 at 17:31
  • So if you could define WHAT details you think we need to look into.. Which headers, maybe some specific mail parameters? We have full emails.. There seem to be no more commonalities than the e-mail template and link parameters, as I've written already – deevee Feb 11 '22 at 19:34
  • And yeah, I just bolded the questions because you seem not to have understood them, maybe it was unclear. I asked what more indicators to look for. Strange that a security expert, as you seem to be, just goes with an answer like "we should go buy something or send it to someone". Anyway, if you are not going to add anything slightly more helpful, thanks for your time – deevee Feb 11 '22 at 19:40
  • You have provided ***zero*** details. You've told us what's different, but not what's common. That's like saying "we're getting emails". Since you have ***purchased*** tools, and you don't know what details matter, I'm telling you to seek help from the people you've paid to help you and who actually have access to the emails. There is nothing strange in that suggestion. I'm a phishing expert who made the world's most advanced phishing engine and pioneered many features now common in email filters. I'm telling you that you have offered nothing for me to help you. – schroeder Feb 12 '22 at 00:07

1 Answer


utm_ is not a start since that's too common to use as a differentiator.

And you have not provided nearly enough detail to determine which tool might have been used to create the emails.

The simplest method is to search the Subject field for "LinkedIn" and compare it to the sender domain. If the subject mentions "LinkedIn" and the sender is not LinkedIn, then block. Same for Reddit and shipping companies.

But frankly, it sounds like you need to get a commercial email security tool. There are lots of factors to consider, and you will end up trying to reinvent the wheel if you do it on your own.

I don't normally suggest that people should just buy their way to a solution, but having designed my own email security filters, and having procured commercial solutions, this is one area where you will end up saving a ton of time, avoiding headaches, and ultimately getting a better outcome if you go commercial.

schroeder
  • Thanks for the answer! The problem is we already have email servers with commercial security tools with many automated as well as self-designed filters - most of these mails pass the checks and get delivered to recipients. We also have web filtering proxy servers (with automated scanning definitions and also self-designed rules) in which half of these links get verified as OK (some are already blocked by outsourced lists). I obviously cannot post all email headers to give more info. This campaign changes domains and email templates, which makes it hard to find a common indicator to block – deevee Feb 11 '22 at 12:04
  • ... ok ... then you have a far bigger and more nuanced problem than can be tackled in a Q&A site and with only the details you (can) provide. You need to work with your email security providers to find a solution. – schroeder Feb 11 '22 at 12:52
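The Subject-versus-sender check from the answer, written up as an added example (not the answerer's code or the poster's filter); the brand allow-list and the two sample messages are constructed, and the plain-http link report covers the indicator raised in the comments:

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand keyword -> domains that legitimately send mail about that brand. This
# allow-list is constructed for the example; build a real one from observed good mail.
BRAND_SENDERS = {"linkedin": {"linkedin.com"}, "reddit": {"reddit.com", "redditmail.com"}}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def sender_domain(msg):
    """From-address domain cut to its last two labels (mail.linkedin.com -> linkedin.com).
    From is attacker-controlled, so pair this with SPF/DKIM/DMARC results in production."""
    _, addr = parseaddr(msg.get("From", ""))
    labels = addr.rpartition("@")[2].lower().split(".")
    return ".".join(labels[-2:])

def body_text(msg):
    """Concatenate every text/* part; works for single-part and multipart mail."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def classify(raw_message):
    """Answer's heuristic: a brand named in Subject whose sender is not that brand is
    blocked. Plain http:// links (the indicator raised in the comments) are reported too."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "").lower()
    dom = sender_domain(msg)
    mismatched = [b for b, ok in BRAND_SENDERS.items() if b in subject and dom not in ok]
    links = URL_RE.findall(body_text(msg))
    plain_http = [u for u in links if urlparse(u).scheme.lower() == "http"]
    return {"sender_domain": dom, "brand_mismatch": mismatched,
            "plain_http_links": plain_http, "block": bool(mismatched)}

# Constructed sample messages, not real campaign mail; domains are placeholders.
PHISH = """From: "LinkedIn" <notify@news-updates-example.net>
Subject: You have a new follower on LinkedIn

See who followed you: http://domain1.example/some-script.php?utm_source=1&utm_content=510ad2e
"""
LEGIT = """From: LinkedIn <messages-noreply@linkedin.com>
Subject: You have a new follower on LinkedIn

https://www.linkedin.com/notifications
"""
```

Running `classify(PHISH)` blocks the spoofed message on the brand mismatch and lists its one plain-http link, while `classify(LEGIT)` passes because the sender domain is on the allow-list.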