Phishing and Email

Use the IBM Security QRadar Phishing and Email Content Extension to closely monitor email in your network.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM® Fix Central (https://www.ibm.com/support/fixcentral).

This content extension includes one or more Pulse dashboards. For more information about Pulse dashboards, see QRadar Pulse app.

IBM Security QRadarPhishing and Email

IBM Security QRadar Phishing and Email Content Extension 1.2.1
IBM Security QRadar Phishing and Email Content Extension 1.2.0
IBM Security QRadar Phishing and Email Content Extension 1.1.0
IBM Security QRadar Phishing and Email Content Extension 1.0.0

IBM Security QRadar Phishing and Email Content Extension 1.2.1

The following list shows the building blocks that have been updated for performance optimization.

BB:BehaviorDefinition: External Recipient Host
BB:BehaviorDefinition: Potentially Hostile Recipient Host
BB:DeviceDefinition: Mail

The BB:CategoryDefinition: Mailbox Permission Added and BB:CategoryDefinition: Mailbox Permission Deleted building blocks have been removed.

Additional data elements are added to the Phishing Subjects reference set.

IBM Security QRadar Phishing and Email Content Extension 1.2.0

Several regex expression IDs are updated to avoid conflicts with other content extensions.

IBM Security QRadar Phishing and Email Content Extension 1.1.0

The following table shows the rules and building blocks that are new or changed in IBM Security QRadar Phishing and Email Content Extension 1.1.0.

Table 1. Rules and Building Blocks in IBM Security QRadar Phishing and Email Content Extension 1.1.0
Type	Name	Description
Building Block	BB:CategoryDefinition: Mail Applications in Flows	This Building Block triggers when communication with a Mail Application is detected.
Rule	QNI : Email Attachment with Executable	This rule triggers when an email flow is received containing attachments with executable file extensions.
Rule	QNI : Email Attachment with Executable Hidden in Double File Extensions	This rule triggers when a mail flow's attachment name contains at least two consecutive file extensions, and where one of them is associated to an executable. This covers the case where an attacker appends a non-malicious file extension to the end of a malicious executable to bypass security services that block executable mail extensions. (e.g. virus.exe.txt, presentation.bat.pptx) It also covers the case where an attacker sends a file with a non-executable file extension followed by an executable file extension. This can be used to trick users into opening malicious executables, as some operating systems like Windows hide the file extension when displaying files in their file system explorer. If the attacker can convince a user to download the file 'Report.doc.js', the operating system may display it as 'Report.doc'. (e.g. report.doc.js, newsletter.pdf.exe). Note: The Application property can be tuned.
Rule	QNI : Email Received From Potentially Hostile Host	This rule triggers when an email flow is received from a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining.
Rule	QNI : High Inbound Emails Containing Attachments From External Host	This rule triggers when an address outside the organization sends numerous emails containing attachments. This could indicate an attempt to deliver a malware by targeting a large number of recipients. Note: The threshold should be adapted to the size of the company
Rule	QNI : Inbound Email with Suspicious Subject	This rule triggers when a flow content includes an email subject that matches known suspicious subjects included in a Threat Intelligence feed. This could indicate spam or phishing. Note: The Phishing Subjects reference set is pre-populated with email subject examples and can be tuned with new discoveries.
Rule	QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers	This rule triggers when multiple sending servers send the same email subject in a period of time which may indicate spam or phishing. Note: The custom function ISREPLY returns true or false if a string is the typical subject line of a response email as indicated by having "RE" in the subject.

The following table shows the saved search that is new in IBM Security QRadar Phishing and Email Content Extension 1.1.0.

Table 2. Saved Searches in IBM Security QRadar Phishing and Email Content Extension 1.1.0
Name	Description
Emails with Suspicious Subjects	This search aggregates mail events by their "MessageID", and filters for messages with subjects contained in the "Phishing Subjects" reference set.

_{(Back to top)}

IBM Security QRadar Phishing and Email Content Extension 1.0.0

The following table shows the custom properties in IBM Security QRadar Phishing and Email Content Extension 1.0.0.

Table 3. Custom Properties in IBM Security QRadar Phishing and Email Content Extension 1.0.0
Name	Optimized	Found in
File Extension	Yes	Amazon AWS Blue Coat Cisco AMP Cisco Ironport McAfee EPO Microsoft Office 365 Microsoft Windows osquery Postfix Squid Microsoft 365 Defender
Filename	Yes	Amazon AWS Azure Bit9 Security Platform Blue Coat Carbon Black Protection Cisco AMP Cisco Firepower Cisco Ironport Endpoint FireEye MPS Fortinet FortiAnalyzer Linux McAfee EPO Microsoft Office 365 Microsoft Windows osquery Palo Alto PA Series Postfix Squid Sysmon VMware Microsoft 365 Defender
MessageID	Yes	Cisco Ironport Microsoft Exchange Postfix
Originating Host	Yes	Cisco Ironport Microsoft Exchange Postfix
Originating_User	Yes	Cisco Ironport Microsoft Exchange Microsoft Office 365 Postfix
Recipient Host	Yes	Cisco Ironport Microsoft Exchange Microsoft Office 365 Postfix
Recipient_User	Yes	Cisco Ironport Microsoft Exchange Microsoft Office 365 Postfix
Subject	Yes	Cisco Ironport Microsoft Exchange Microsoft Office 365 Postfix
Target User Name	Yes	Amazon AWS Azure Kubernetes Microsoft Office 365 Microsoft Windows osquery VMware

The following table shows the rules and building blocks in IBM Security QRadar Phishing and Email Content Extension 1.0.0.

Table 4. Rules and Building Blocks in IBM Security QRadar Phishing and Email Content Extension 1.0.0
Type	Name	Description
Building Block	BB:BehaviorDefinition: External Originating Host	Triggers when an address outside the organization sends numerous emails that contain attachments. This might indicate an attempt to deliver a malware by targeting many recipients. Note: Adapt the threshold to the size of your company.
Building Block	BB:BehaviorDefinition: External Recipient Host	Identifies recipient hosts that are not in the Corporate Email Domains reference set. Note: The Corporate Email Domains reference set must be populated.
Building Block	BB:BehaviorDefinition: Potentially Hostile Originating Host	Identifies when an email comes from a malicious host. The host is malicious if the X-Force® categorization for it returns one of the following categories: Phishing URLs, Spam URLs, Malware, Botnet Command and Control Server, or Cryptocurrency Mining.
Building Block	BB:BehaviorDefinition: Potentially Hostile Recipient Host	Identifies when an email is sent to a malicious host. The host is malicious if the X-Force categorization for it returns one of the following categories: Phishing URLs, Spam URLs, Malware, Botnet Command and Control Server, or Cryptocurrency Mining.
Building Block	BB:DeviceDefinition: Mail	Defines all mail devices on the system.
Building Block	BB:DeviceDefinition: Mail in Flows	Defines all applications related to mail on the system.
Rule	Abnormal Number of Emails to Invalid Recipients	Triggers when numerous emails are sent to invalid recipients (invalid domain, unknown user, malformed address, etc.). This might indicate a brute force attempt to reach valid addresses.
Rule	Email Attachment with Executable	Triggers when an email is received containing attachments with executable file extensions.
Rule	Email Attachment with Executable Hidden in Double File Extensions	Triggers when a mail attachment's name contains at least two consecutive file extensions, and where one of them is associated to an executable file. This covers the case where an attacker appends a non-malicious file extension to the end of a malicious executable file to bypass security services that block executable mail extensions (for example virus.exe.txt, presentation.bat.pptx). It also covers the case where an attacker sends a file with a non-executable file extension followed by an executable file extension. This can be used to trick users into opening malicious executable files, as some operating systems like Windows hide the file extension when displaying files in their file system explorer. If the attacker can convince a user to download the file Report.doc.js, the operating system might display it as Report.doc (for example report.doc.js, newsletter.pdf.exe).
Rule	Email Received From Potentially Hostile Host	Triggers when an email is received from a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining.
Rule	Email Sent to Potentially Hostile Host	Triggers when an email is sent to a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining.
Rule	High Inbound Emails Containing Attachments From External Host	Triggers when an address outside the organization sends numerous emails that contain attachments. This might indicate an attempt to deliver a malware by targeting many recipients. Note: Adapt the threshold to the size of your company.
Rule	High Number of Emails From Unauthorized Users	Triggers when an email that is not included in the whitelist sends numerous emails. This behavior can reveal a tentative of massive infection. In most cases, only a limited number of entities are meant to send mass emailing. Note: The Whitelisted Email Admins reference set must be populated with email addresses that are allowed to send large number of emails at one time.
Rule	Inbound Email with Suspicious Subject	Triggers when an email is received with a suspicious subject or a subject conveying some sense of urgency. Note: The Phishing Subjects reference set is prepopulated with email subject examples and can be tuned with new discoveries.
Rule	Inbound Email with Suspicious Subject Keywords	Triggers when an email is received with a suspicious subject or a subject conveying some sense of urgency. Note: Update the regular expression to include suspicious keywords.
Rule	Mailbox Item Deleted by Another User	Triggers when a mailbox item is deleted by a user other than the mailbox owner. This might reveal abuse of rights on a mailbox.
Rule	Mailbox Permission Added and Deleted in a Short Period of Time	Triggers when a mailbox permission is added and deleted in a short period. This might indicate that a user is trying to get access before performing an administrative action such as accessing or deleting information, or create a forwarding rule, before removing their rights to remain undiscovered.
Rule	Potential Leakage of Data via Email Attachment	Triggers when numerous emails that contain attachments are sent to an external email address that indicates potential leakage. Note: The condition "and NOT when an event matches any of the following BB:BehaviorDefinition: Potentially Hostile Email Host" was added because the rule "Email Sent to Potentially Hostile Host" alerts on any email that is sent to a suspicious address. If you want to have this additional information, remove the filter from the rule.
Rule	Potential Leakage of Data via High Outbound Emails	Triggers when a high number of emails is sent to the same email address outside the organization. This might indicate a potential exfiltration of data.
Rule	Potential Leakage of Data via Mailbox Forwarding	Triggers when a mailbox is set to forward emails to an external address, which might indicate a potential leakage.
Rule	QNI : Email Attachment with Executable	Triggers when an email flow is received containing attachments with executable file extensions.
Rule	QNI : Email Attachment with Executable Hidden in Double File Extensions	Triggers when a mail flow's attachment name contains at least two consecutive file extensions, and where one of them is associated to an executable file. This covers the case where an attacker appends a non-malicious file extension to the end of a malicious executable file to bypass security services that block executable mail extensions (for example virus.exe.txt, presentation.bat.pptx). It also covers the case where an attacker sends a file with a non-executable file extension followed by an executable file extension. This can be used to trick users into opening malicious executable files, as some operating systems like Windows hide the file extension when displaying files in their file system explorer. If the attacker can convince a user to download the file Report.doc.js, the operating system might display it as Report.doc (for example report.doc.js, newsletter.pdf.exe). Note: The Application property can be tuned.
Rule	QNI : Email Received From Potentially Hostile Host	Triggers when an email flow is received from a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining.
Rule	QNI : High Inbound Emails Containing Attachments From External Host	Triggers when an address outside the organization sends numerous emails that contain attachments. This might indicate an attempt to deliver a malware by targeting many recipients. Note: Adapt the threshold to the size of your company.
Rule	QNI : High Number of Emails From Unauthorized Users	Triggers when flow content has an email sender that is not included in the whitelist sends numerous emails. This behavior can reveal a tentative of massive infection. In most cases, only a limited number of entities are meant to send mass emailing. Note: The Whitelisted Email Admins reference set must be populated with email addresses that are allowed to send large number of emails at one time.
Rule	QNI : Inbound Email with Suspicious Subject	Triggers when a flow content includes an email subject that matches known suspicious subjects that are included in a Threat Intelligence feed. This might indicate spam or phishing. Note: The Phishing Subjects reference set is prepopulated with email subject examples and can be tuned with new discoveries.
Rule	QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers	Triggers when multiple sending servers send the same email subject in a period, which might indicate spam or phishing. Note: The custom function ISREPLY returns true or false if a string is the typical subject line of a response email as indicated by having "RE" in the subject.
Rule	QNI : Spam/Phishing URL Accessed	Triggers when a URL categorized by X-Force as Spam URLs or Phishing URLs is accessed. This might indicate that a user who is targeted in a spam or phishing campaign opened a malicious URL.

The following table shows the reference data in IBM Security QRadar Phishing and Email Content Extension 1.0.0.

Table 5. Reference Data in IBM Security QRadar Phishing and Email Content Extension 1.0.0
Type	Name	Description
Reference Data	pulse_imports	Part of the Pulse dashboard.
Reference Set	Corporate Email Domains	Lists the email domains within the organization.
Reference Set	Executable Extensions	Lists extensions that are identified as executable files.
Reference Set	Phishing Subjects	Lists identified phishing subjects.
Reference Set	Whitelisted Email Admins	Lists email addresses within an organization that has been whitelisted to have certain permissions.

_{(Back to top)}