User Reported Phishing Investigation
The User-Reported Phishing Investigation playbook estimates how likely a suspected email from a given sender domain is to be phishing. If the email is likely phishing, the playbook investigates it; if not, the playbook stops. It uses the O365_Auth_Fetch_ID, Analyze Body and Headers, Get SPAM Score and Set URL Threat Score sub-playbooks to reassess the individual items fed to it by the For Each action block of the User-Reported Phishing parent playbook.
1. Trigger - retrieves the information passed by the For Each action block of the User-Reported Phishing parent playbook: the message_id, incident_id, the subject and initiator of the email, the server used to send it, and the email's sender and receiver, so the investigation can continue.
2. Script - retrieves the sender email address from the User-Reported Phishing parent playbook and runs the Python script to give the sender_domain as an output.
3. If... Then - applies:
3.1. a not equal to (!==) operator to check if the sender_domain is from Logpoint or external sources. If from external sources, the result is fed to the Annotation action block. Else fed to the Playbook(O365_Auth_Fetch_ID) action block.
or
3.2. a conditional operator to check whether the sender_domain belongs to Logpoint or to an external source. If the domain is from an external source, it feeds the result to the Annotation action block. Else it provides the result to the Playbook action block.
4. Annotation - informs the reported email is from an external source and ends the investigation and the playbook.
5. Playbook - runs the sub-playbook O365_Auth_Fetch_ID that uses Microsoft's API to fetch the message ID from the message and Microsoft's Graph API to retrieve the access token used for authenticating the suspected email.
6. If... Then - applies an equal (=) operator to check if the O365_Auth_Fetch_ID sub-playbook successfully fetched the message ID. If not fetched, a Case Item action block is called. Else the message ID is passed to the Api action block.
7. Case Item - retrieves the sender, mid and server of the email and creates a case affirming that the message was not found in Office 365 and further analysis cannot be made. This can happen because the message was deleted, quarantined or for other reasons.
8. API - calls Freshdesk to create a ticket for no message ID. The ticket includes relevant information such as subject, description, priority and status.
9. Status - sets the case status closed as message ID was not found.
10. API - calls Office365 Outlook Mail and uses message ID with an authentication token to get the Full_Headers of the suspected email to retrieve the sender, receiver, route and timestamp metadata.
11. API - calls Office365 Outlook Mail and uses the message ID with an authentication token to get the MIME Content of the suspected email: plain text, HTML content, attached image, video or application file. This action block does not take input from the previous API action block.
12. If... Then - applies an equal (=) operator to check if the email body content is missing from Full_Header.
13. Script - if the body content is not missing, it extracts content from Full_Header and outputs the email's headers and body.
14. Script - if the body content is missing, it extracts content from MIME Content and outputs the email's headers and body.
15. Script - consolidates the output from two connecting Script action blocks and gives consolidated headers and body along with the subject of the email and email_count as an output.
16. Playbook - runs Analyze Body and Headers to analyze consolidated headers and body of the email.
17. Playbook - runs Get SPAM Score, which retrieves the email's metadata to analyze the SPAM score.
18. If... Then - applies an equal (=) operator to check if any URLs were extracted from the email body content.
19. Filter - filters the URLs by converging them into JSON format if there are URLs.
20. For Each - loops the filter results (converged URLs) from the Filter action block through each URL and feeds them into the sub-playbook.
21. Playbook - runs the Set URL Threat Score to check suspicious URLs, set the severity of malicious URLs, and get the verdict of the URLs.
22. Filter - retrieves the Foreach result from For Each action block and filters the verdict and URLs from the sub-playbook(s) looped by For Each action block.
23. Format - retrieves No URLs from the Analyze Body and Headers sub-playbook. It also retrieves the URL verdict results from the Filter action block. It changes the URLs into key-value format.
24. Script - retrieves formatted URLs verdict data and consolidated email body, runs Python script to give a list of URLs and email body.
25. Query - retrieves the sender and subject of the email from the Analyze Body and Headers sub-playbook and runs a query using the distinct_count command to locate receivers of emails from the same sender with the same subject in the last seven days.
26. If... Then - applies an equal (=) operator to check if the receiver count result from Query action block is equal to zero.
27. Parameters - if the receiver count result is zero, the action block acknowledges that the reported email is more than seven days old and gives a single recipient. It sets Find_Recipients as a global parameter.
28. Filter - if the receiver count result is not zero, the action block applies a JsonPath Filter to extract the receiver count, which can be one or more.
29. Parameters - retrieves the number of receiver count (Find_Recipients) and sets it as a global parameter.
30. Format - retrieves all the Find_Recipients and changes the format of Recipients Found into key-value.
31. If... Then - applies a greater than (>) operator to check if the number of Find_Recipients is greater than one.
32. Status - if Find_Recipients is greater than one, the action block increments the case severity by 10.
33. Status - if Find_Recipients is not greater than one, the action block provides a new severity by retrieving the case severity 10 from the previous Status action block.
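The following is an added example, not code from the Logpoint playbook, that mirrors in plain Python the decisions the steps above describe: the sender_domain extraction and internal/external check (steps 2-3), consolidating headers, body and subject from MIME Content and emitting the extracted URLs as JSON for the For Each block (steps 13-19), and the Find_Recipients fallback and severity increment (steps 26-33). The internal domain, the sample message and the function names are assumptions made for the example.

```python
import json
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed stand-in for the MIME Content returned by the Office365 Outlook Mail API.
SAMPLE_MIME = """\
From: Alice Example <alice@external-example.test>
To: bob@logpoint.test
Subject: Invoice overdue
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review <a href="http://pay.external-example.test/inv/42">your invoice</a>
or visit https://docs.example.test/help</p></body></html>
"""

INTERNAL_DOMAIN = "logpoint.test"  # assumed value for the organisation's own domain
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sender_domain(address: str) -> str:
    """Step 2: the part after the last '@', lowercased; empty if the address is malformed."""
    _, sep, domain = address.rpartition("@")
    return domain.strip().lower() if sep else ""


def is_external(domain: str) -> bool:
    """Step 3: a domain other than the internal one routes to the Annotation block."""
    return domain != INTERNAL_DOMAIN


def consolidate(raw_mime: str) -> dict:
    """Steps 13-15 and 18-19: headers, body, subject and the extracted URL list as JSON."""
    msg = message_from_string(raw_mime, policy=policy.default)
    headers = {name: str(value) for name, value in msg.items()}
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    urls = sorted(set(URL_RE.findall(body)))  # empty list when the body carries no URLs
    return {
        "subject": headers.get("Subject", ""),
        "headers": headers,
        "body": body,
        "sender_domain": sender_domain(parseaddr(headers.get("From", ""))[1]),
        "urls_json": json.dumps(urls),  # what the Filter block hands to For Each
    }


def recipient_severity(base_severity: int, receiver_count: int) -> tuple:
    """Steps 26-33: zero hits means the mail is older than the 7-day window, so Find_Recipients is 1."""
    find_recipients = receiver_count if receiver_count > 0 else 1
    severity = base_severity + 10 if find_recipients > 1 else base_severity
    return find_recipients, severity
```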
34. Format - extracts incident_id, SPAM_result, reported_by and email_count from the sub-playbooks and builds an HTML body from them that ticketing software can read.
35. API - calls the external ticket software Freshdesk and creates a new ticket with formatted ticket body from Format action block.
36. Script - retrieves the ticket from the API action block and runs a Python script to get the ticket ID.
37. API - calls Freshdesk to add the email body as a note to the ticket. If the email body is not available, the action block adds no email body as the note.
End - maps the mentioned parameters from the playbook, whose values can be seen under Results in Monitoring. The values are further analyzed by the security team. Likewise, the mentioned parameters are transferred to the User-Reported Phishing parent playbook.