Client Receives a Suspicious/Phishing Email
How to respond to phishing or to a suspicious email
The email may contain malware or a link to a malicious site that tricks the client into disclosing personal information.
The longer a malicious website stays online, the more victims it will claim. Reporting this website is one of the most important steps the Helpline can take.
Reply to the client using the template in Article #57: Phishing - First Email to respond to their concerns and ask for additional information that may be missing.
Be sure to state clearly that the email should not be opened and that any linked site should not be visited.
NOTE: If the client has already visited a site, or opened an attachment, we should increase the urgency and impact of the case.
After receiving the headers and full email source from the client in Step 1, analyze the following:
Use this header analysis tool. Did the headers pass SPF, DKIM, and DMARC authentication?
- If only SPF and/or DKIM are authenticated, check the headers manually. If at least one of the following is true, we can consider the email not spoofed:
- It passes SPF authentication, and SPF has identifier alignment (the domain portion of the envelope From address, i.e. the Return-Path / MAIL FROM address, is aligned with the domain found in the header From address)
- It passes DKIM authentication, and DKIM has identifier alignment (the domain value in the d= field of the DKIM-Signature header is aligned with the domain found in the header From address)
Where is the email coming from? From what country, ISP, IP address?
Is the IP address part of the Tor network? You can check in the Tor Atlas or in this list.
Are there any links in the email? If so, see Article #258: Advanced Threats Triage Workflow
Are there any attachments? If so, see Article #258: Advanced Threats Triage Workflow
- If the suspicious email was identified as a Gmail scam, please read these instructions.
Once you have gathered all the information you need on the phishing message, search for the detected indicators of compromise on MISP, following the instructions in Article #354: Search in CiviCERT’s MISP Instance.
Communicate to the client the conclusions of your investigation, and if necessary, report the website.
Add the event to MISP following the instructions in Article #355: How to Add an Event to CiviCERT’s MISP Instance.
Use this infographic as a quick reference to help the client better understand phishing.
- Another useful reference on phishing by Security without Borders
- Article #57: Phishing - First Email
- Article #209: Template - Phishing Link
- Article #219: Report and Disable Malicious C&C Server
- Article #281: How to Recognize Spear-Phishing and What to Do
- Article #354: Search in CiviCERT’s MISP Instance
- Article #355: How to Add an Event to CiviCERT’s MISP Instance