Phishing and Email
Use the IBM Security QRadar Phishing and Email Content Extension to closely monitor email in your network.
This content extension includes one or more Pulse dashboards. For more information about Pulse dashboards, see QRadar Pulse app.
IBM Security QRadar Phishing and Email Content Extension 1.2.1
The following building blocks are changed in IBM Security QRadar Phishing and Email Content Extension 1.2.1:
- BB:BehaviorDefinition: External Recipient Host
- BB:BehaviorDefinition: Potentially Hostile Recipient Host
- BB:DeviceDefinition: Mail
The BB:CategoryDefinition: Mailbox Permission Added and BB:CategoryDefinition: Mailbox Permission Deleted building blocks have been removed.
Additional data elements are added to the Phishing Subjects reference set.
IBM Security QRadar Phishing and Email Content Extension 1.2.0
Several regular expression IDs are updated to avoid conflicts with other content extensions.
IBM Security QRadar Phishing and Email Content Extension 1.1.0
The following table shows the rules and building blocks that are new or changed in IBM Security QRadar Phishing and Email Content Extension 1.1.0.
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: Mail Applications in Flows | This Building Block triggers when communication with a Mail Application is detected. |
Rule | QNI : Email Attachment with Executable | This rule triggers when an email flow is received containing attachments with executable file extensions. |
Rule | QNI : Email Attachment with Executable Hidden in Double File Extensions | This rule triggers when a mail flow's attachment name contains at least two consecutive file extensions, one of which is associated with an executable. This covers the case where an attacker appends a non-malicious file extension to the end of a malicious executable to bypass security services that block executable mail extensions (for example virus.exe.txt, presentation.bat.pptx). It also covers the case where an attacker sends a file with a non-executable file extension followed by an executable file extension. This can be used to trick users into opening malicious executables, because some operating systems, such as Windows, hide the file extension when displaying files in their file system explorer: if the attacker can convince a user to download the file Report.doc.js, the operating system may display it as Report.doc (for example report.doc.js, newsletter.pdf.exe). Note: The Application property can be tuned. |
Rule | QNI : Email Received From Potentially Hostile Host | This rule triggers when an email flow is received from a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining. |
Rule | QNI : High Inbound Emails Containing Attachments From External Host | This rule triggers when an address outside the organization sends numerous emails containing attachments. This could indicate an attempt to deliver malware by targeting a large number of recipients. Note: Adapt the threshold to the size of the company. |
Rule | QNI : Inbound Email with Suspicious Subject | This rule triggers when flow content includes an email subject that matches known suspicious subjects included in a Threat Intelligence feed. This could indicate spam or phishing. Note: The Phishing Subjects reference set is pre-populated with email subject examples and can be tuned with new discoveries. |
Rule | QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers | This rule triggers when multiple sending servers send the same email subject within a period of time, which may indicate spam or phishing. Note: The custom function ISREPLY returns true when a string is the typical subject line of a reply, as indicated by "RE" in the subject, and false otherwise. |
The following table shows the saved search that is new in IBM Security QRadar Phishing and Email Content Extension 1.1.0.
Name | Description |
---|---|
Emails with Suspicious Subjects | This search aggregates mail events by their "MessageID", and filters for messages with subjects contained in the "Phishing Subjects" reference set. |
IBM Security QRadar Phishing and Email Content Extension 1.0.0
The following table shows the custom properties in IBM Security QRadar Phishing and Email Content Extension 1.0.0.
Name | Optimized | Found in |
---|---|---|
File Extension | Yes | |
Filename | Yes | |
MessageID | Yes | |
Originating Host | Yes | |
Originating_User | Yes | |
Recipient Host | Yes | |
Recipient_User | Yes | |
Subject | Yes | |
Target User Name | Yes | |
The following table shows the rules and building blocks in IBM Security QRadar Phishing and Email Content Extension 1.0.0.
Type | Name | Description |
---|---|---|
Building Block | BB:BehaviorDefinition: External Originating Host | Identifies originating hosts that are not in the Corporate Email Domains reference set. Note: The Corporate Email Domains reference set must be populated. |
Building Block | BB:BehaviorDefinition: External Recipient Host | Identifies recipient hosts that are not in the Corporate Email Domains reference set. Note: The Corporate Email Domains reference set must be populated. |
Building Block | BB:BehaviorDefinition: Potentially Hostile Originating Host | Identifies when an email comes from a malicious host. The host is malicious if the X-Force® categorization for it returns one of the following categories: Phishing URLs, Spam URLs, Malware, Botnet Command and Control Server, or Cryptocurrency Mining. |
Building Block | BB:BehaviorDefinition: Potentially Hostile Recipient Host | Identifies when an email is sent to a malicious host. The host is malicious if the X-Force categorization for it returns one of the following categories: Phishing URLs, Spam URLs, Malware, Botnet Command and Control Server, or Cryptocurrency Mining. |
Building Block | BB:DeviceDefinition: Mail | Defines all mail devices on the system. |
Building Block | BB:DeviceDefinition: Mail in Flows | Defines all applications related to mail on the system. |
Rule | Abnormal Number of Emails to Invalid Recipients | Triggers when numerous emails are sent to invalid recipients (invalid domain, unknown user, malformed address, and so on). This might indicate a brute-force attempt to discover valid addresses. |
Rule | Email Attachment with Executable | Triggers when an email is received that contains attachments with executable file extensions. |
Rule | Email Attachment with Executable Hidden in Double File Extensions | Triggers when a mail attachment's name contains at least two consecutive file extensions, one of which is associated with an executable file. This covers the case where an attacker appends a non-malicious file extension to the end of a malicious executable file to bypass security services that block executable mail extensions (for example virus.exe.txt, presentation.bat.pptx). It also covers the case where an attacker sends a file with a non-executable file extension followed by an executable file extension. This can be used to trick users into opening malicious executable files, because some operating systems, such as Windows, hide the file extension when displaying files in their file system explorer: if the attacker can convince a user to download the file Report.doc.js, the operating system might display it as Report.doc (for example report.doc.js, newsletter.pdf.exe). |
Rule | Email Received From Potentially Hostile Host | Triggers when an email is received from a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining. |
Rule | Email Sent to Potentially Hostile Host | Triggers when an email is sent to a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining. |
Rule | High Inbound Emails Containing Attachments From External Host | Triggers when an address outside the organization sends numerous emails that contain attachments. This might indicate an attempt to deliver malware by targeting many recipients. Note: Adapt the threshold to the size of your company. |
Rule | High Number of Emails From Unauthorized Users | Triggers when an email address that is not included in the whitelist sends numerous emails. This behavior can reveal an attempted mass infection; in most cases, only a limited number of entities are meant to send mass emails. Note: The Whitelisted Email Admins reference set must be populated with the email addresses that are allowed to send a large number of emails at one time. |
Rule | Inbound Email with Suspicious Subject | Triggers when an email is received with a suspicious subject or a subject that conveys a sense of urgency. Note: The Phishing Subjects reference set is prepopulated with email subject examples and can be tuned with new discoveries. |
Rule | Inbound Email with Suspicious Subject Keywords | Triggers when an email is received with a suspicious subject or a subject that conveys a sense of urgency. Note: Update the regular expression in the rule to include the suspicious keywords you want to detect. |
Rule | Mailbox Item Deleted by Another User | Triggers when a mailbox item is deleted by a user other than the mailbox owner. This might reveal abuse of rights on a mailbox. |
Rule | Mailbox Permission Added and Deleted in a Short Period of Time | Triggers when a mailbox permission is added and then deleted within a short period. This might indicate that a user granted themselves access before performing an administrative action, such as accessing or deleting information or creating a forwarding rule, and then removed the right to remain undiscovered. |
Rule | Potential Leakage of Data via Email Attachment | Triggers when numerous emails that contain attachments are sent to an external email address, which indicates potential leakage. Note: The condition "and NOT when an event matches any of the following BB:BehaviorDefinition: Potentially Hostile Email Host" was added because the rule "Email Sent to Potentially Hostile Host" already alerts on any email that is sent to a suspicious address. If you want this rule to fire in that case as well, remove the filter from the rule. |
Rule | Potential Leakage of Data via High Outbound Emails | Triggers when a high number of emails is sent to the same email address outside the organization. This might indicate a potential exfiltration of data. |
Rule | Potential Leakage of Data via Mailbox Forwarding | Triggers when a mailbox is set to forward emails to an external address, which might indicate a potential leakage. |
Rule | QNI : Email Attachment with Executable | Triggers when an email flow is received containing attachments with executable file extensions. |
Rule | QNI : Email Attachment with Executable Hidden in Double File Extensions | Triggers when a mail flow's attachment name contains at least two consecutive file extensions, one of which is associated with an executable file. This covers the case where an attacker appends a non-malicious file extension to the end of a malicious executable file to bypass security services that block executable mail extensions (for example virus.exe.txt, presentation.bat.pptx). It also covers the case where an attacker sends a file with a non-executable file extension followed by an executable file extension. This can be used to trick users into opening malicious executable files, because some operating systems, such as Windows, hide the file extension when displaying files in their file system explorer: if the attacker can convince a user to download the file Report.doc.js, the operating system might display it as Report.doc (for example report.doc.js, newsletter.pdf.exe). Note: The Application property can be tuned. |
Rule | QNI : Email Received From Potentially Hostile Host | Triggers when an email flow is received from a host that is known for hostile activities, such as Phishing, Spam, Malware, Botnet Command and Control, or Cryptocurrency Mining. |
Rule | QNI : High Inbound Emails Containing Attachments From External Host | Triggers when an address outside the organization sends numerous emails that contain attachments. This might indicate an attempt to deliver malware by targeting many recipients. Note: Adapt the threshold to the size of your company. |
Rule | QNI : High Number of Emails From Unauthorized Users | Triggers when flow content shows an email sender that is not included in the whitelist sending numerous emails. This behavior can reveal an attempted mass infection; in most cases, only a limited number of entities are meant to send mass emails. Note: The Whitelisted Email Admins reference set must be populated with the email addresses that are allowed to send a large number of emails at one time. |
Rule | QNI : Inbound Email with Suspicious Subject | Triggers when flow content includes an email subject that matches known suspicious subjects included in a Threat Intelligence feed. This might indicate spam or phishing. Note: The Phishing Subjects reference set is prepopulated with email subject examples and can be tuned with new discoveries. |
Rule | QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers | Triggers when multiple sending servers send the same email subject within a period, which might indicate spam or phishing. Note: The custom function ISREPLY returns true when a string is the typical subject line of a reply, as indicated by "RE" in the subject, and false otherwise. |
Rule | QNI : Spam/Phishing URL Accessed | Triggers when a URL categorized by X-Force as Spam URLs or Phishing URLs is accessed. This might indicate that a user who is targeted in a spam or phishing campaign opened a malicious URL. |
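The two attachment rules in the tables above (the event rules "Email Attachment with Executable" and "Email Attachment with Executable Hidden in Double File Extensions", their QNI flow variants, and the same pair in the 1.1.0 table) describe the check in prose only. The following Python is an added example, not code from the content extension or from IBM: it implements the same logic over a constructed list of attachment names, with a constructed stand-in for the Executable Extensions reference set, and shows what a Windows user would see for each name with known extensions hidden. The rule that a name segment counts as an extension only if it is 1 to 5 alphanumeric characters is an assumption of this example.

```python
"""Attachment-name checks in the spirit of the "Email Attachment with Executable"
and "Email Attachment with Executable Hidden in Double File Extensions" rules.

Added example; not code from the content extension. EXECUTABLE_EXTENSIONS is a
constructed stand-in for the "Executable Extensions" reference set.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of the "Executable Extensions" reference set.
EXECUTABLE_EXTENSIONS = frozenset({
    "exe", "bat", "cmd", "com", "js", "jse", "vbs", "vbe", "ps1",
    "scr", "pif", "msi", "hta", "wsf", "jar", "dll",
})

RULE_EXECUTABLE = "Email Attachment with Executable"
RULE_DOUBLE_EXT = "Email Attachment with Executable Hidden in Double File Extensions"


@dataclass(frozen=True)
class AttachmentVerdict:
    filename: str
    extensions: tuple[str, ...]     # trailing extensions, outermost last
    has_executable: bool            # any extension is in the reference set
    hidden_double_extension: bool   # two or more extensions, one executable
    displayed_as: str               # name with the last extension hidden


def _basename(filename: str) -> str:
    """Strip any directory part; both path separators are accepted."""
    return filename.replace("\\", "/").rsplit("/", 1)[-1]


def trailing_extensions(filename: str) -> tuple[str, ...]:
    """Return the consecutive extensions at the end of a filename, in order.

    'Report.doc.js' -> ('doc', 'js'); 'archive.tar.gz' -> ('tar', 'gz');
    'README' -> (). Assumption of this example: a segment counts as an
    extension only if it is 1 to 5 alphanumeric characters, so 'my.report.exe'
    yields ('exe',) rather than treating 'report' as an extension.
    """
    segments = _basename(filename).split(".")
    exts: list[str] = []
    # Walk backwards from the end; the first segment is the stem, never an extension.
    for seg in reversed(segments[1:]):
        if 1 <= len(seg) <= 5 and seg.isalnum():
            exts.append(seg.lower())
        else:
            break
    return tuple(reversed(exts))


def classify_attachment(filename: str) -> AttachmentVerdict:
    exts = trailing_extensions(filename)
    has_exec = any(e in EXECUTABLE_EXTENSIONS for e in exts)
    # Windows Explorer with "Hide extensions for known file types" drops only the
    # final extension, so Report.doc.js is shown to the user as Report.doc.
    base = _basename(filename)
    displayed = base.rsplit(".", 1)[0] if exts else base
    return AttachmentVerdict(
        filename=filename,
        extensions=exts,
        has_executable=has_exec,
        hidden_double_extension=len(exts) >= 2 and has_exec,
        displayed_as=displayed,
    )


def triggered_rules(filename: str) -> list[str]:
    """Names of the rules that would fire for this attachment name."""
    verdict = classify_attachment(filename)
    rules = []
    if verdict.has_executable:
        rules.append(RULE_EXECUTABLE)
    if verdict.hidden_double_extension:
        rules.append(RULE_DOUBLE_EXT)
    return rules


# Constructed attachment names covering the cases described in the rule text.
SAMPLE_ATTACHMENTS = [
    "Q3-results.pdf",          # benign
    "invoice.exe",             # plain executable
    "virus.exe.txt",           # executable hidden behind a harmless extension
    "presentation.bat.pptx",
    "Report.doc.js",           # harmless-looking name, executable last
    "newsletter.pdf.exe",
    "archive.tar.gz",          # double extension, but nothing executable
    "C:\\inbox\\payload.scr",  # a path prefix must not confuse the parser
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        verdict = classify_attachment(name)
        print(f"{name:26} shown as {verdict.displayed_as!r:20} -> "
              f"{triggered_rules(name) or 'no alert'}")
```

Note that archive.tar.gz has two extensions but triggers nothing, which is the behaviour the rule text implies: the double-extension rule needs one of the extensions to be in the executable reference set, so tuning that set is what controls false positives.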
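The rule "QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers" (in the 1.0.0 table above and in the 1.1.0 table) and its note on the ISREPLY custom function are described only in prose. The following Python is an added example, not the extension's own rule or custom function: it groups constructed mail events by normalized subject, ignores replies, and reports subjects seen from at least a threshold of distinct originating hosts within a time window. The reply test (a leading "RE:" or "RE[n]:" prefix), the threshold and the window length are assumptions of this example.

```python
"""Subject-based spam/phishing detection in the spirit of the rule
"QNI : Potential Spam/Phishing Subject Detected from Multiple Sending Servers".

Added example; not the extension's own rule or custom function. The events,
threshold and window are constructed, and is_reply() is an assumed stand-in
for the custom function ISREPLY.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: ISREPLY is modelled as a leading "RE:" (or "RE[n]:") prefix.
_REPLY_PREFIX = re.compile(r"^\s*re(\[\d+\])?\s*:", re.IGNORECASE)


@dataclass(frozen=True)
class MailEvent:
    time: datetime
    originating_host: str   # the "Originating Host" custom property
    subject: str            # the "Subject" custom property


def is_reply(subject: str) -> bool:
    """Stand-in for ISREPLY: True when the subject looks like a reply."""
    return _REPLY_PREFIX.match(subject) is not None


def normalise_subject(subject: str) -> str:
    """Case-fold and collapse whitespace so trivially varied subjects group together."""
    return " ".join(subject.split()).casefold()


def subjects_from_multiple_servers(
    events: list[MailEvent],
    min_servers: int = 3,
    window: timedelta = timedelta(hours=1),
) -> dict[str, set[str]]:
    """Map each suspicious normalised subject to the originating hosts that sent it.

    A subject is suspicious when at least `min_servers` distinct originating
    hosts sent it within some `window`-long span. Replies are skipped, since a
    busy legitimate thread also comes back from many different servers.
    """
    by_subject: dict[str, list[MailEvent]] = defaultdict(list)
    for ev in events:
        if not is_reply(ev.subject):
            by_subject[normalise_subject(ev.subject)].append(ev)

    hits: dict[str, set[str]] = {}
    for subject, evs in by_subject.items():
        evs.sort(key=lambda e: e.time)
        start = 0
        # Sliding window over the time-ordered events for this subject.
        for end in range(len(evs)):
            while evs[end].time - evs[start].time > window:
                start += 1
            hosts = {e.originating_host for e in evs[start:end + 1]}
            if len(hosts) >= min_servers:
                hits[subject] = hosts
                break
    return hits


# Constructed mail events; hosts and times are made up for the example.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_EVENTS = [
    MailEvent(T0, "mail.example-a.test", "Your account has been suspended"),
    MailEvent(T0 + timedelta(minutes=5), "smtp.example-b.test", "Your Account Has Been  Suspended"),
    MailEvent(T0 + timedelta(minutes=12), "mx.example-c.test", "your account has been suspended"),
    MailEvent(T0 + timedelta(minutes=20), "mail.example-a.test", "RE: Your account has been suspended"),
    MailEvent(T0 + timedelta(minutes=3), "mail.partner.test", "Weekly status"),
    MailEvent(T0 + timedelta(minutes=4), "mail.partner.test", "Weekly status"),
    MailEvent(T0 + timedelta(minutes=6), "smtp.example-b.test", "Weekly status"),
    MailEvent(T0 + timedelta(hours=3), "mx.example-c.test", "Weekly status"),
]

if __name__ == "__main__":
    for subject, hosts in subjects_from_multiple_servers(SAMPLE_EVENTS).items():
        print(f"{subject!r} seen from {len(hosts)} servers: {sorted(hosts)}")
```

With the constructed input only the "account suspended" subject is reported: it arrives from three different hosts within twelve minutes, while the reply carrying the same subject is ignored. "Weekly status" also reaches three hosts in total, but the third is hours later and falls outside the window, which is the difference between a campaign and ordinary correspondence that the time period in the rule is meant to capture.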
The following table shows the reference data in IBM Security QRadar Phishing and Email Content Extension 1.0.0.
Type | Name | Description |
---|---|---|
Reference Data | pulse_imports | Part of the Pulse dashboard. |
Reference Set | Corporate Email Domains | Lists the email domains within the organization. |
Reference Set | Executable Extensions | Lists extensions that are identified as executable files. |
Reference Set | Phishing Subjects | Lists identified phishing subjects. |
Reference Set | Whitelisted Email Admins | Lists email addresses within the organization that have been whitelisted to send a large number of emails at one time. |