Phishing and Email

Use the IBM Security QRadar Phishing and Email Content Extension to closely monitor email in your network.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

This content extension includes one or more Pulse dashboards. For more information about Pulse dashboards, see QRadar Pulse app.

IBM Security QRadar Phishing and Email Content Extension 1.2.1

The following list shows the building blocks that have been updated for performance optimization.
  • BB:BehaviorDefinition: External Recipient Host
  • BB:BehaviorDefinition: Potentially Hostile Recipient Host
  • BB:DeviceDefinition: Mail

The BB:CategoryDefinition: Mailbox Permission Added and BB:CategoryDefinition: Mailbox Permission Deleted building blocks have been removed.

Additional data elements are added to the Phishing Subjects reference set.

IBM Security QRadar Phishing and Email Content Extension 1.2.0

Several regex expression IDs are updated to avoid conflicts with other content extensions.

IBM Security QRadar Phishing and Email Content Extension 1.1.0

The following table shows the rules and building blocks that are new or changed in IBM Security QRadar Phishing and Email Content Extension 1.1.0.

Table 1. Rules and Building Blocks in IBM Security QRadar Phishing and Email Content Extension 1.1.0
Type | Name | Description
Building Block | BB:CategoryDefinition: Mail Applications in Flows | This building block triggers when communication with a mail application is detected.
Rule | QNI : Email Attachment with Executable | This rule triggers when an email flow is received that contains attachments with executable file extensions.
Rule | QNI : Email Attachment with Executable Hidden in Double File Extensions | This rule triggers when a mail flow's attachment name contains at least two consecutive file extensions, and one of them is associated with an executable. This covers the case where an attacker appends a non-malicious file extension to the end of a malicious executable to bypass security services that block executable mail extensions (for example, virus.exe.txt, presentation.bat.pptx). It also covers the case where an attacker sends a file with a non-executable file extension followed by an executable file extension. This can be used to trick users into opening malicious executables, because some operating systems, such as Windows, hide the file extension when displaying files in their file system explorer. If the attacker can convince a user to download the file Report.doc.js, the operating system might display it as Report.doc (for example, report.doc.js, newsletter.pdf.exe). Note: The Application property can be tuned.
Rule | QNI : Email Received From Potentially Hostile Host | This rule triggers when an email flow is received from a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining.
Rule | QNI : High Inbound Emails Containing Attachments From External Host | This rule triggers when an address outside the organization sends numerous emails that contain attachments. This could indicate an attempt to deliver malware by targeting a large number of recipients. Note: The threshold should be adapted to the size of the company.
Rule | QNI : Inbound Email with Suspicious Subject | This rule triggers when flow content includes an email subject that matches known suspicious subjects included in a Threat Intelligence feed. This could indicate spam or phishing. Note: The Phishing Subjects reference set is pre-populated with email subject examples and can be tuned with new discoveries.
Rule | QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers | This rule triggers when multiple sending servers send the same email subject within a period of time, which may indicate spam or phishing. Note: The custom function ISREPLY returns true or false depending on whether a string is the typical subject line of a reply email, as indicated by "RE" in the subject.

The following table shows the saved search that is new in IBM Security QRadar Phishing and Email Content Extension 1.1.0.

Table 2. Saved Searches in IBM Security QRadar Phishing and Email Content Extension 1.1.0
Name | Description
Emails with Suspicious Subjects | This search aggregates mail events by their "MessageID" and filters for messages with subjects contained in the "Phishing Subjects" reference set.

IBM Security QRadar Phishing and Email Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Phishing and Email Content Extension 1.0.0.

The following table shows the rules and building blocks in IBM Security QRadar Phishing and Email Content Extension 1.0.0.

Table 4. Rules and Building Blocks in IBM Security QRadar Phishing and Email Content Extension 1.0.0
Type | Name | Description
Building Block | BB:BehaviorDefinition: External Originating Host | Triggers when an address outside the organization sends numerous emails that contain attachments. This might indicate an attempt to deliver malware by targeting many recipients. Note: Adapt the threshold to the size of your company.
Building Block | BB:BehaviorDefinition: External Recipient Host | Identifies recipient hosts that are not in the Corporate Email Domains reference set. Note: The Corporate Email Domains reference set must be populated.
Building Block | BB:BehaviorDefinition: Potentially Hostile Originating Host | Identifies when an email comes from a malicious host. The host is considered malicious if the X-Force® categorization for it returns one of the following categories: Phishing URLs, Spam URLs, Malware, Botnet Command and Control Server, or Cryptocurrency Mining.
Building Block | BB:BehaviorDefinition: Potentially Hostile Recipient Host | Identifies when an email is sent to a malicious host. The host is considered malicious if the X-Force categorization for it returns one of the following categories: Phishing URLs, Spam URLs, Malware, Botnet Command and Control Server, or Cryptocurrency Mining.
Building Block | BB:DeviceDefinition: Mail | Defines all mail devices on the system.
Building Block | BB:DeviceDefinition: Mail in Flows | Defines all applications related to mail on the system.
Rule | Abnormal Number of Emails to Invalid Recipients | Triggers when numerous emails are sent to invalid recipients (invalid domain, unknown user, malformed address, and so on). This might indicate a brute force attempt to reach valid addresses.
Rule | Email Attachment with Executable | Triggers when an email is received that contains attachments with executable file extensions.
Rule | Email Attachment with Executable Hidden in Double File Extensions | Triggers when a mail attachment's name contains at least two consecutive file extensions, and one of them is associated with an executable file. This covers the case where an attacker appends a non-malicious file extension to the end of a malicious executable file to bypass security services that block executable mail extensions (for example, virus.exe.txt, presentation.bat.pptx). It also covers the case where an attacker sends a file with a non-executable file extension followed by an executable file extension. This can be used to trick users into opening malicious executable files, because some operating systems, such as Windows, hide the file extension when displaying files in their file system explorer. If the attacker can convince a user to download the file Report.doc.js, the operating system might display it as Report.doc (for example, report.doc.js, newsletter.pdf.exe).
Rule | Email Received From Potentially Hostile Host | Triggers when an email is received from a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining.
Rule | Email Sent to Potentially Hostile Host | Triggers when an email is sent to a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining.
Rule | High Inbound Emails Containing Attachments From External Host | Triggers when an address outside the organization sends numerous emails that contain attachments. This might indicate an attempt to deliver malware by targeting many recipients. Note: Adapt the threshold to the size of your company.
Rule | High Number of Emails From Unauthorized Users | Triggers when an email address that is not included in the whitelist sends numerous emails. This behavior can reveal an attempt at mass infection. In most cases, only a limited number of entities are meant to send mass emails. Note: The Whitelisted Email Admins reference set must be populated with the email addresses that are allowed to send a large number of emails at one time.
Rule | Inbound Email with Suspicious Subject | Triggers when an email is received with a suspicious subject or a subject that conveys a sense of urgency. Note: The Phishing Subjects reference set is prepopulated with email subject examples and can be tuned with new discoveries.
Rule | Inbound Email with Suspicious Subject Keywords | Triggers when an email is received with a suspicious subject or a subject that conveys a sense of urgency. Note: Update the regular expression to include suspicious keywords.
Rule | Mailbox Item Deleted by Another User | Triggers when a mailbox item is deleted by a user other than the mailbox owner. This might reveal abuse of rights on a mailbox.
Rule | Mailbox Permission Added and Deleted in a Short Period of Time | Triggers when a mailbox permission is added and deleted within a short period. This might indicate that a user is granting themselves access before performing an administrative action, such as accessing or deleting information or creating a forwarding rule, and then removing the right to remain undiscovered.
Rule | Potential Leakage of Data via Email Attachment | Triggers when numerous emails that contain attachments are sent to an external email address, which indicates potential leakage. Note: The condition "and NOT when an event matches any of the following BB:BehaviorDefinition: Potentially Hostile Email Host" was added because the rule "Email Sent to Potentially Hostile Host" already alerts on any email that is sent to a suspicious address. If you want this additional information, remove the filter from the rule.
Rule | Potential Leakage of Data via High Outbound Emails | Triggers when a high number of emails is sent to the same email address outside the organization. This might indicate a potential exfiltration of data.
Rule | Potential Leakage of Data via Mailbox Forwarding | Triggers when a mailbox is set to forward emails to an external address, which might indicate a potential leakage.
Rule | QNI : Email Attachment with Executable | Triggers when an email flow is received that contains attachments with executable file extensions.
Rule | QNI : Email Attachment with Executable Hidden in Double File Extensions | Triggers when a mail flow's attachment name contains at least two consecutive file extensions, and one of them is associated with an executable file. This covers the case where an attacker appends a non-malicious file extension to the end of a malicious executable file to bypass security services that block executable mail extensions (for example, virus.exe.txt, presentation.bat.pptx). It also covers the case where an attacker sends a file with a non-executable file extension followed by an executable file extension. This can be used to trick users into opening malicious executable files, because some operating systems, such as Windows, hide the file extension when displaying files in their file system explorer. If the attacker can convince a user to download the file Report.doc.js, the operating system might display it as Report.doc (for example, report.doc.js, newsletter.pdf.exe). Note: The Application property can be tuned.
Rule | QNI : Email Received From Potentially Hostile Host | Triggers when an email flow is received from a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining.
Rule | QNI : High Inbound Emails Containing Attachments From External Host | Triggers when an address outside the organization sends numerous emails that contain attachments. This might indicate an attempt to deliver malware by targeting many recipients. Note: Adapt the threshold to the size of your company.
Rule | QNI : High Number of Emails From Unauthorized Users | Triggers when flow content shows an email sender that is not included in the whitelist sending numerous emails. This behavior can reveal an attempt at mass infection. In most cases, only a limited number of entities are meant to send mass emails. Note: The Whitelisted Email Admins reference set must be populated with the email addresses that are allowed to send a large number of emails at one time.
Rule | QNI : Inbound Email with Suspicious Subject | Triggers when flow content includes an email subject that matches known suspicious subjects that are included in a Threat Intelligence feed. This might indicate spam or phishing. Note: The Phishing Subjects reference set is prepopulated with email subject examples and can be tuned with new discoveries.
Rule | QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers | Triggers when multiple sending servers send the same email subject within a period, which might indicate spam or phishing. Note: The custom function ISREPLY returns true or false depending on whether a string is the typical subject line of a reply email, as indicated by "RE" in the subject.
Rule | QNI : Spam/Phishing URL Accessed | Triggers when a URL that X-Force categorizes as Spam URLs or Phishing URLs is accessed. This might indicate that a user who is targeted in a spam or phishing campaign opened a malicious URL.
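
The double file extension rules and the multiple-sending-server rule above describe their matching logic in prose; the following is an added Python example (not part of the content extension or of IBM's code) that reproduces that logic over constructed attachment names and flow records. The members of the Executable Extensions reference set, the ISREPLY implementation, the sending-server threshold and the flow record shape are assumptions.

```python
import re
from collections import defaultdict

# Constructed stand-in for the Executable Extensions reference set; the
# page does not list its members.
EXECUTABLE_EXTENSIONS = {"exe", "bat", "cmd", "js", "vbs", "scr", "ps1"}


def hidden_executable(attachment_name):
    """Logic of 'Email Attachment with Executable Hidden in Double File
    Extensions': at least two consecutive extensions, one of them
    executable. Catches both orders, virus.exe.txt and report.doc.js."""
    parts = attachment_name.rsplit("/", 1)[-1].lower().split(".")
    exts = [p for p in parts[1:] if p]  # everything after the base name
    return len(exts) >= 2 and any(e in EXECUTABLE_EXTENSIONS for e in exts)


def is_reply(subject):
    """Assumed approximation of the ISREPLY custom function: true when the
    subject starts with a reply marker such as 'RE:'."""
    return re.match(r"^\s*re\s*:", subject, re.IGNORECASE) is not None


def subjects_from_multiple_servers(flows, min_servers=3):
    """Logic of 'Potential Spam/Phishing Subject Detected from Multiple
    Sending Servers': group flows by subject, skip replies, and report the
    subjects seen from at least min_servers distinct sending servers.
    The threshold is an assumption and is what you would tune per site."""
    servers_by_subject = defaultdict(set)
    for server, subject in flows:
        if is_reply(subject):
            continue
        servers_by_subject[subject.strip().lower()].add(server)
    return sorted(s for s, srv in servers_by_subject.items()
                  if len(srv) >= min_servers)


# Constructed sample flows: (sending server, email subject).
SAMPLE_FLOWS = [
    ("203.0.113.10", "Invoice overdue - action required"),
    ("203.0.113.11", "Invoice overdue - action required"),
    ("203.0.113.12", "invoice overdue - action required"),
    ("198.51.100.5", "RE: Invoice overdue - action required"),
    ("198.51.100.6", "Weekly newsletter"),
]

if __name__ == "__main__":
    for name in ("virus.exe.txt", "report.doc.js", "report.docx"):
        print(name, hidden_executable(name))
    print(subjects_from_multiple_servers(SAMPLE_FLOWS))
```

The subject is lower-cased before grouping so that case variants of one campaign count as the same subject, which is a normalization choice of this example rather than something the page states about the rule.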

The following table shows the reference data in IBM Security QRadar Phishing and Email Content Extension 1.0.0.

Table 5. Reference Data in IBM Security QRadar Phishing and Email Content Extension 1.0.0
Type | Name | Description
Reference Data | pulse_imports | Part of the Pulse dashboard.
Reference Set | Corporate Email Domains | Lists the email domains within the organization.
Reference Set | Executable Extensions | Lists extensions that are identified as executable files.
Reference Set | Phishing Subjects | Lists identified phishing subjects.
Reference Set | Whitelisted Email Admins | Lists email addresses within an organization that have been whitelisted to have certain permissions.