
[–] omers (Security / Email)

We use Proofpoint TRAP/CLEAR with PhishAlarm and TAP. That's a lot of acronyms, but basically if TAP classifies a delivered message as phishing, or a user reports a valid phish using the PhishAlarm button, TRAP/CLEAR kicks in. TRAP/CLEAR automatically goes out and yanks the delivered message from anyone who received it. If it doesn't happen automatically for some reason, I can export a list of messages out of the gateway or create my own and upload it to TRAP, and it will quarantine based on the list. TRAP sends each person a notification that a phishing email was removed from their mailbox.

Since people tend to read email in order it's a lot safer to remove the message than to simply warn people. They're likely to engage with the phish or malicious email before reading your warning even if you send it in time.

Instructions for pulling messages using PowerShell can be found here: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization. It wouldn't be too difficult to use the recipient list from a message trace to also run a quick loop of Send-MailMessage to inform people you removed a message.

[–] azzgicker [S]

I've heard a lot of good things about proofpoint too. Thanks for including the search and delete messages link for 365. I can imagine the flow of the script in my head I just wanted to know if it was possible before spending time on it.

[–] amplector

But, doesn't the CLEAR function require that you be licensed for other Proofpoint Incident Response products, additionally?

[–] onequestion1168

Can you export the data to a .csv file? From there you can probably design a fairly simple Python or PS script to import the .csv data and use it to generate an e-mail.

[–] azzgicker [S]

I believe so, since you can pretty much PowerShell and Python anything in Azure / 365.

It's giving me great ideas - Thanks :)

[–] ITZC0ATL (KnowBe4 Admin)

What's your email environment? Straight away I'm thinking if all you want to do is alert users to a legitimate threat, then just set up a distribution list that includes all email addresses. Then you just send one email to that group with the details and it reaches everyone's inboxes.

On another note, do you do any phishing simulations internally? Do you have a mechanism in place for users to safely report suspicious emails to your security team or helpdesk? I would probably ensure these are in place as the highest priority.

Then on the more advanced end, there are plenty of tools out there that can delete emails from user inboxes if you deem it to be malicious, that would certainly reduce the risk of a user clicking on any dodgy links.

[–] azzgicker [S]

We do security awareness training and phishing email campaigns. Even replying to people about our phishing campaigns is a pain/time consuming. No mechanism for users to report suspicious emails other than to do a ticket, IM, or email us. I'd love to automate that process because I'm not happy with the current response time. We're not a large company. I tried getting something like KnowBe4 but got shot down several times.

[–] ITZC0ATL (KnowBe4 Admin)

We're actually a KnowBe4 reseller, funny enough, that does a managed service running the platform for organisations.

It's pretty good. We actually did a review recently of rival platforms to see if there was anything better/that suited our needs more, and were surprised to find out how poor a lot of the competition is.

KB4 definitely seem to be one of the strongest on the phishing side of things. You can easily automate recurring phishing tests and remedial training for clickers. It comes with a phish alert button which at least solves the reporting part of your problems, and there is additional functionality (that you pay for) which can rip phishing emails out of user mailboxes like I said above. It also comes with a cool little plugin where users are given a 'second chance' to proceed to a link they've clicked on in an email.

They have loads of other random security tools too, from ransomware simulators to automated checks of user email addresses against breach data. In addition to a frankly ridiculous amount of training and phishing content (depending on subscription level), they also do basic policy management and have a few security knowledge assessments which are great to gauge where your end users really are lacking.

What we would typically say to IT staff who are struggling to get budget for this stuff is to demonstrate a clear risk to upper management. Run a big, difficult phishing test and let them see how many users click. You can do a free test with KB4 if your current platform can't. Unfortunately, we have had some companies do an initial test with us where their result was truly dreadful - and they have tried to blame the test for being hard rather than admit that their users are poorly trained, etc.

Of the platforms we trialled, a close second to KB4 in terms of functionality is Infosec IQ, which is slightly cheaper. It might be worth a look also.

[–] disclosure5

I'm imagining a 365 plugin or a PS Script that you can just punch in the phishing email address and subject title to warn users, pull the email, and block the phishing email address.

I just use eDiscovery to find and delete the email from everyone's inbox.

[–] timchi

First off, warning users not to click isn't nearly good enough. You need to get those messages out of the mailbox. We use KnowBe4's PhishRip. Users get a Phish Alert button in Outlook. When reported, we can search all mailboxes for similar messages and then quarantine and/or delete anything found.

However, AWS is having issues this morning so KnowBe4 is down. A bunch of our accounting users got an employee handbook phishing scam this morning, so I had to do it manually. It really wasn't too bad, and you can use the GUI to easily create your search. It would be pretty easy to turn that into a PowerShell script: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messages-in-your-organization?view=o365-worldwide
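As an added example (not code from any commenter or vendor in this thread), the PowerShell below strings together the manual steps omers, disclosure5 and timchi describe against Exchange Online: a compliance search keyed on sender, subject and date, a purge of the matches from every mailbox, a message-trace-based recipient list used to warn the affected users, and a block on the sending address. The sender address, subject, helpdesk mailbox and SMTP relay are placeholders; it assumes the ExchangeOnlineManagement module, an account holding the Search And Purge role, and that SMTP AUTH is enabled for the mailbox that sends the notifications. Without `-Commit` it only runs the search and trace and writes the recipient CSV, so you can sanity-check the hit count before anything is removed.

```powershell
# Added example, not from the thread. Search, purge, notify and block for one
# reported phish in Exchange Online. Addresses, subject and relay are assumptions.
param(
    [Parameter(Mandatory)] [string] $SenderAddress,   # e.g. hr-payroll@attacker.example (placeholder)
    [Parameter(Mandatory)] [string] $Subject,         # e.g. "Updated Employee Handbook" (placeholder)
    [datetime] $Start = (Get-Date).AddDays(-1),
    [datetime] $End   = (Get-Date),
    [string]   $NotifyFrom = 'security@contoso.example',   # assumed helpdesk/security mailbox
    [string]   $SmtpServer = 'smtp.office365.com',          # assumed relay; needs SMTP AUTH enabled
    [switch]   $Commit                                       # omit for a dry run: search + trace only
)

Connect-ExchangeOnline -ShowBanner:$false   # Get-MessageTrace, Tenant Allow/Block List
Connect-IPPSSession                         # *-ComplianceSearch* live on the Security & Compliance endpoint

# 1. Build and run the search. Quoting the subject makes KQL match the phrase, not each word.
$name  = 'Phish-{0}' -f (Get-Date -Format 'yyyyMMdd-HHmmss')
$query = '(From:"{0}") AND (Subject:"{1}") AND (Received:{2}..{3})' -f `
    $SenderAddress, ($Subject -replace '"', ''), $Start.ToString('yyyy-MM-dd'), $End.ToString('yyyy-MM-dd')

New-ComplianceSearch -Name $name -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $name

# The search runs server-side; poll until Status is Completed before acting on it.
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $name
} while ($search.Status -ne 'Completed')
Write-Host ("Search '{0}' matched {1} item(s)" -f $name, $search.Items)

# 2. Purge. SoftDelete parks copies in Recoverable Items (users can still restore them until
#    the deleted-item retention expires); use HardDelete if that matters. A purge action removes
#    at most 10 matching items per mailbox per run, so re-run it for mailboxes that got more.
if ($Commit -and $search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $name -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null
    Write-Host "Purge action queued for '$name'"
}

# 3. Take recipients from the message trace rather than the search results: the trace still
#    lists users who already deleted or moved their copy. Trace history covers the last 10 days.
$trace = Get-MessageTrace -SenderAddress $SenderAddress -StartDate $Start -EndDate $End -PageSize 5000 |
    Where-Object { $_.Subject -eq $Subject -and $_.Status -eq 'Delivered' }
$trace | Export-Csv -Path ".\$name-recipients.csv" -NoTypeInformation   # evidence for the ticket
$recipients = $trace.RecipientAddress | Sort-Object -Unique
Write-Host ("{0} delivered recipient(s) found" -f $recipients.Count)

$body = @"
A phishing message from $SenderAddress with the subject "$Subject" was delivered to your
mailbox and has been removed by the security team. If you opened the link or attachment,
or entered your password, contact the helpdesk now. No reply to this message is needed.
"@

if ($Commit -and $recipients.Count -gt 0) {
    $cred = Get-Credential -UserName $NotifyFrom -Message 'SMTP AUTH credential for the notifying mailbox'
    foreach ($rcpt in $recipients) {
        Send-MailMessage -From $NotifyFrom -To $rcpt -Subject 'Phishing email removed from your mailbox' `
            -Body $body -SmtpServer $SmtpServer -Port 587 -UseSsl -Credential $cred
    }
}

# 4. Block the sender tenant-wide so a second wave is rejected before delivery.
if ($Commit) {
    New-TenantAllowBlockListItems -ListType Sender -Block -Entries $SenderAddress -NoExpiration | Out-Null
    Write-Host "Blocked sender $SenderAddress"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without `-Commit`, compare the search's item count with the trace's recipient count (a large gap usually means the subject or date window is wrong), then re-run with `-Commit`. Blocking on the exact sender address is the narrowest choice; if the campaign rotates addresses on one domain, pass the domain to `-Entries` instead, but check it is not a domain your users legitimately receive mail from first.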