Phishing mail attack

Phishing is a fraudulent attempt to obtain sensitive information while masquerading as a reputable entity or person. By analyzing network behavior and network flows, IBM QRadar helps security analysts determine whether there are any phishing attempts to steal personal information, such as usernames, passwords, or credit card numbers, which might later be used for malicious purposes.

Simulating the threat

In the Phishing mail attack, the threat actor uses a disguised email as their weapon and attempts to trick the email recipient into believing that the email message is something they need or want. For example, an email, which purportedly appears to be from a company's human resources department, might trick users into inadvertently revealing their passwords, possibly by opening a malicious attachment.

To see how QRadar detects the threat, run the simulation.
  1. On the Log Activity tab, click Show Experience Center.
  2. Click Threat simulator.
  3. Locate the Phishing mail attack simulation and click Run.

On the Network Activity tab, you can see a series of network flows representing email communications start coming into QRadar.

Detecting the threat: QRadar in action

In this simulation, QRadar examines the network flows that came from QRadar Network Insights and compares all the subject lines of your organization's emails to a reference set that contains a list of known phishing email subjects.

When QRadar detects a network flow that contains a suspected phishing email, and a similar flow is observed five times within 15 minutes, a rule is triggered. To warn you about the potential threat, the Custom Rule Engine (CRE) creates an offense called Potential phishing mail received (Exp Center) and associates all the flows that contributed to it to that same offense.

In this simulation, the reference set is populated with the data to support the use case. Reference sets are typically populated by using a threat feed from a Threat Intelligence Platform. The IBM QRadarThreat Intelligence app, available for free download on the IBM Security App Exchange, can help you set up threat feeds and keep them up-to-date in QRadar.

Investigating the threat

The following IBM QRadar content is created by the Phishing mail attack threat simulation. After you run the simulation, you can use this content to trace and investigate the threat.

Table 1. QRadar content for the Phishing mail attack simulation
Content Name
Saved Search EC: Phishing Mail Attack

The search does not include the IPFIX flow records, which report the number of packets, bytes transferred, and other communication details. The search returns only the events that generate offenses.

Incoming flow Incoming flows that contain three different email communications, one of which is considered suspect based on the email subject.
Rule EC: Potential Phishing Mail
Generated event Potential phishing mail received (Exp Center)

The log source for events that are generated by QRadar is the Custom Rule Engine (CRE).

Offense Potential phishing mail received (Exp Center)

The offense is indexed based on the Source IP address, meaning that all events that trigger this rule and that have the same source IP address, are part of the same offense.

Depending on the events and rules that exist in your environment before you run the use case, the name of the offense might include preceded by <offense name> or containing <offense name>.