Client Receives a Suspicious/Phishing Email
How to respond to phishing or to a suspicious email
Problem
The email may carry malware (as an attachment or behind a download link) or link to a malicious site that tricks the client into disclosing credentials or other personal information.
The longer a malicious website stays online, the more victims it creates. Reporting the site so that it is taken down or blocklisted is one of the most important steps the Helpline can take.
Solution

1. Reply to the client using the template in Article #57: Phishing - First Email to respond to their concerns and ask for any information that is missing (at minimum the full email source, including the headers).
   Be sure to clearly state that the email should not be opened, nor any linked site visited.
   NOTE: If the client has already visited a site or opened an attachment, increase the urgency and impact of the case.

2. After receiving the headers and full email source from the client in Step 1, analyze the following:
   - Use this header analysis tool. Did the headers pass SPF, DKIM, and DMARC authentication?
     If DMARC did not pass but SPF and/or DKIM did, check the headers manually. The email can be considered not spoofed if at least one of the following is true:
     - It passes SPF authentication and SPF has identifier alignment (the domain of the envelope-from address, i.e. the Return-Path / smtp.mailfrom, is aligned with the domain of the header From address).
     - It passes DKIM authentication and DKIM has identifier alignment (the d= value in the DKIM-Signature header is aligned with the domain of the header From address).
     Keep in mind that an attacker's own domain can legitimately pass SPF and DKIM; what the alignment check catches is a message that authenticates for one domain while displaying another in the From header.
   - Where is the email coming from? From what country, ISP, and IP address? Use the Received header written by a mail server you trust; the hops below it can be forged by the sender.
   - Is the IP address part of the Tor network? You can check in the Tor Atlas or in this list.
   - Are there any links in the email? If so, see Article #258: Advanced Threats Triage Workflow.
   - Are there any attachments? If so, see Article #258: Advanced Threats Triage Workflow.
   - If the suspicious email was identified as a Gmail scam, please read these instructions.

3. Once you have gathered all the information you need on the phishing message, search for the indicators of compromise you found (sender addresses, domains, IP addresses, URLs, attachment hashes) on MISP, following the instructions in Article #354: Search in CiviCERT's MISP Instance.

4. Communicate the conclusions of your investigation to the client and, if necessary, report the website.

5. Add the event to MISP following the instructions in Article #355: How to Add an Event to CiviCERT's MISP Instance.
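The checks in Step 2 (authentication results, SPF/DKIM identifier alignment against the header From domain, hop IP addresses, a Tor-exit lookup and link extraction) as an added Python example. This is not code from this article or from the Helpline's tooling; the sample message, the lookalike domain mailer-example.net and the one-entry Tor exit list are constructed for the demonstration, and the relaxed-alignment check is simplified (it does not consult the Public Suffix List).

```python
"""Header triage for a suspicious email: SPF/DKIM/DMARC results, identifier
alignment against the header From domain, hop IPs and a Tor-exit check."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): a lookalike domain passes SPF and
# DKIM for itself, but the displayed From domain is different, so DMARC fails.
SAMPLE = b"""Return-Path: <bounce@mailer-example.net>
Received: from mailer-example.net (mailer-example.net [203.0.113.10])
\tby mx.example.org with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby mailer-example.net with ESMTPA; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.example.org;
\tspf=pass smtp.mailfrom=mailer-example.net;
\tdkim=pass header.d=mailer-example.net;
\tdmarc=fail header.from=example.com
DKIM-Signature: v=1; a=rsa-sha256; d=mailer-example.net; s=sel; h=from:to;
\tbh=AAAA; b=BBBB
From: "IT Support" <support@example.com>
Subject: Password expiry notice

Please verify your account at https://example.com.invalid/login
"""

# Stand-in for a Tor exit-node list (constructed; load the published list instead).
TOR_EXITS = {"198.51.100.7"}
# Hops inside these ranges are internal relays, not the origin.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def auth_results(msg) -> dict:
    """Verdict per method from Authentication-Results (first header wins)."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(hdr)):
            results.setdefault(method.lower(), verdict.lower())
    return results


def addr_domain(value) -> str:
    """Domain part of an address header such as From or Return-Path."""
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()


def dkim_domain(msg) -> str:
    """The d= tag of the DKIM-Signature header."""
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    return m.group(1).lower() if m else ""


def aligned(domain: str, from_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment. Strict: exact match. Relaxed: also a
    parent/subdomain relationship (a full implementation compares
    organizational domains via the Public Suffix List; this one does not)."""
    if not domain or not from_domain:
        return False
    if domain == from_domain:
        return True
    return not strict and (domain.endswith("." + from_domain)
                           or from_domain.endswith("." + domain))


def received_ips(msg) -> list:
    """IPs from Received: headers, our own MX first. Only hops written by
    servers you trust are reliable; earlier ones can be forged by the sender."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for ip in IP_RE.findall(str(hdr)):
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                continue
            if ip not in ips and not any(addr in net for net in INTERNAL):
                ips.append(ip)
    return ips


def triage(raw: bytes, tor_exits=TOR_EXITS) -> dict:
    """Apply the Step 2 rules to a raw message and return the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    res = auth_results(msg)
    hf = addr_domain(msg.get("From"))
    spf_ok = res.get("spf") == "pass" and aligned(addr_domain(msg.get("Return-Path")), hf)
    dkim_ok = res.get("dkim") == "pass" and aligned(dkim_domain(msg), hf)
    hops = received_ips(msg)
    body = msg.get_body(preferencelist=("plain",))
    return {
        "header_from": hf,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": res.get("dmarc"),
        "not_spoofed": spf_ok or dkim_ok,  # the manual rule from Step 2
        "received_ips": hops,
        "tor_exits": [ip for ip in hops if ip in tor_exits],
        "links": URL_RE.findall(body.get_content()) if body else [],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the constructed sample, SPF and DKIM both pass for mailer-example.net, but neither identifier aligns with the From domain example.com, so the message is flagged as spoofed; the second Received hop appears in the Tor exit set and the body yields one URL to feed into the link triage of Article #258. Trust the Received headers from your own MX outward only; anything the sender's server claims about earlier hops is just text.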
Comments
- Use this infographic as a quick reference to help the client understand phishing.
- Another useful reference on phishing is the one by Security without Borders.
Related Articles
- Article #57: Phishing - First Email
- Article #209: Template - Phishing Link
- Article #219: Report and Disable Malicious C&C Server
- Article #281: How to Recognize Spear-Phishing and What to Do
- Article #354: Search in CiviCERT’s MISP Instance
- Article #355: How to Add an Event to CiviCERT’s MISP Instance