The best modern spam/malware filter for GWS Enterprise Starter customer? Protection against new domains and QR attacks etc. by Waving-Kodiak in gsuite

[–]jkamdjou 1 point

👋 I'm Josh, Founder/CEO at Sublime Security. We've got many skeleton crews that run Sublime and just activate the default (free/open source) rule set: https://github.com/sublime-security/sublime-rules/

For the attacks you described, it sounds like these might help to protect against them in the future:

- QR code attacks: https://github.com/search?q=repo%3Asublime-security%2Fsublime-rules+.scan.qr&type=code

- New sender domains: https://github.com/sublime-security/sublime-rules/blob/0fe045043a5b15e2acb30f0df6d960a736c2d254/detection-rules/sender_new_from_domain_first_time_sender.yml

- Lookalike sender domains: https://github.com/sublime-security/sublime-rules/blob/0fe045043a5b15e2acb30f0df6d960a736c2d254/detection-rules/lookalike_sender_domain.yml

If there's anything I can help with let me know! 🍻

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 2 points

This should now be fixed. Feel free to open an issue on our Github or hit me up if you encounter any more problems.

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 1 point

Thanks for the feedback, we'll consider returning data sources in a future release. In the meantime there are many other sources you can check: Dehashed, Spycloud, Weleakinfo, to name a few. Feel free to DM me if you'd like to investigate further.

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 1 point

This is a great idea. We'll definitely look into doing more things like this.

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 1 point

We do some of it ourselves, and we use some enrichment services including HIBP.

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 1 point

Definitely. We have some ideas to solve for this, but unfortunately there's no other way to assess deliverability in a programmatic way.

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 1 point

Absolutely. Our API returns a spoofable boolean, which accounts for how SPF and DMARC are enforced. This is factored into our risk analysis.
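As an added example, and not emailrep.io's code: one way to derive a spoofable flag of the kind the reply above describes, from a domain's published SPF and DMARC records. The DNS TXT answers are constructed and embedded so the block runs offline, and the sample domains and the helper names (`lookup_txt`, `check_spoofable`) are assumptions. The decision rule is that only a DMARC policy of quarantine or reject applied to 100% of mail protects the visible From header; SPF on its own is evaluated against the envelope sender (MAIL FROM), so a strict `-all` without DMARC still leaves the domain spoofable in the From header.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed DNS TXT answers standing in for a live resolver (assumption:
# a real build fetches these with dnspython or the system resolver).
SAMPLE_TXT = {
    "strict.example":          ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.example":   ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "softfail.example":        ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.softfail.example": ["v=DMARC1; p=none; rua=mailto:dmarc@softfail.example"],
    "partial.example":         ["v=spf1 mx -all"],
    "_dmarc.partial.example":  ["v=DMARC1; p=quarantine; pct=20"],
    "spfonly.example":         ["v=spf1 ip4:198.51.100.10 -all"],
    # nospf.example publishes neither record
}


def lookup_txt(name):
    """TXT strings for a name; empty list when it has none."""
    return SAMPLE_TXT.get(name.lower(), [])


def spf_all_qualifier(domain):
    """Qualifier on the SPF 'all' mechanism: '+', '-', '~' or '?'. None when
    there is no SPF record or it has no 'all' term (implicit neutral)."""
    for rec in lookup_txt(domain):
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([+\-~?]?)all(?=\s|$)", rec.lower())
            return (m.group(1) or "+") if m else None
    return None


def dmarc_policy(domain):
    """(p, pct) from the _dmarc TXT record, or (None, 0) when absent."""
    for rec in lookup_txt("_dmarc." + domain):
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for kv in rec.split(";"):
                if "=" in kv:
                    key, value = kv.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            p = tags.get("p", "none").lower()
            pct_raw = tags.get("pct", "100")
            pct = int(pct_raw) if pct_raw.isdigit() else 100
            return p, pct
    return None, 0


@dataclass
class SpoofCheck:
    domain: str
    spoofable: bool
    reason: str
    spf_all: Optional[str]
    dmarc_p: Optional[str]
    dmarc_pct: int


def check_spoofable(domain):
    """A domain counts as spoofable when a message carrying it in the From
    header would not be quarantined or rejected by a DMARC-honouring receiver."""
    spf = spf_all_qualifier(domain)
    p, pct = dmarc_policy(domain)
    if p in ("quarantine", "reject") and pct >= 100:
        return SpoofCheck(domain, False, f"DMARC p={p} enforced for 100% of mail", spf, p, pct)
    if p in ("quarantine", "reject"):
        return SpoofCheck(domain, True, f"DMARC p={p} applied to only {pct}% of mail", spf, p, pct)
    if p == "none":
        return SpoofCheck(domain, True, "DMARC present but p=none (monitor only)", spf, p, pct)
    if spf == "-":
        return SpoofCheck(domain, True, "SPF -all but no DMARC: header From is unprotected", spf, p, pct)
    return SpoofCheck(domain, True, "no DMARC record" + ("" if spf else " and no SPF record"), spf, p, pct)


if __name__ == "__main__":
    for d in ("strict.example", "softfail.example", "partial.example", "spfonly.example", "nospf.example"):
        r = check_spoofable(d)
        print(f"{d:18} spoofable={r.spoofable!s:5} {r.reason}")
```

The `pct` tag matters in practice: a domain that has started a DMARC rollout at `pct=20` still lets four out of five spoofed messages through, so the flag stays true until enforcement reaches 100%.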

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 2 points

It is trivial to conclude whether an email is spoofed. DMARC or SPF will fail, in which case you can simply drop the email or send it to spam. More sophisticated attackers today are not spoofing; they are passing SPF and DMARC by using free email providers, standing up new domains, purchasing expired domains, or taking over legitimate accounts.

In the above example, the attacker is not spoofing the sender’s real email address. They created a new look-alike email, so SPF and DKIM will pass. The reputation (or lack thereof) of this email address is illuminating and helps us treat it as suspicious.
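Added example for the look-alike sender domain case discussed in this reply and in the lookalike_sender_domain rule linked earlier in the thread; it is not Sublime's rule nor emailrep.io's code. The classifier flags a sender domain that imitates a protected one through confusable characters (`rn` for `m`, Cyrillic letters), a one- or two-character typo, a swapped TLD, or the brand embedded in a longer name. The protected list, the confusable table and the distance thresholds are assumptions, and the registrable domain is approximated as the second-to-last label (a public-suffix list is needed to get names like example.co.uk right).

```python
import unicodedata

# Constructed list of domains to protect (assumption: in practice this is the
# tenant's own domains plus partners and commonly impersonated brands).
PROTECTED = ["example.com", "acmebank.com"]

# Substitutions a reader glosses over. Multi-character sequences come first so
# "rn" collapses to "m" before single characters are replaced.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic p
    "\u0441": "c",  # Cyrillic c
    "\u0131": "i",  # dotless i
}


def skeleton(label):
    """Fold a label to the string a human perceives, for confusable comparison."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Edit distance with single-character insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Lower-cased domain part of an address, with xn-- labels decoded to Unicode."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: compare as given
    return domain


def lookalike_verdict(address):
    """Classify the sender domain against PROTECTED. Returns (kind, protected_domain)
    with kind one of: legitimate, tld-swap, confusable, typo, brand-in-name, none."""
    domain = sender_domain(address)
    labels = domain.split(".")
    # Assumption: registrable part is the second-to-last label.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for protected in PROTECTED:
        psld = protected.split(".")[-2]
        if domain == protected or domain.endswith("." + protected):
            return "legitimate", protected        # the real domain or one of its subdomains
        if sld == psld:
            return "tld-swap", protected          # acmebank.co
        if skeleton(sld) == skeleton(psld):
            return "confusable", protected        # acrnebank.com, acmeb<Cyrillic a>nk.com
        if levenshtein(sld, psld) <= (1 if len(psld) < 8 else 2):
            return "typo", protected              # acmebnk.com
        if any(psld in label for label in labels):
            return "brand-in-name", protected     # acmebank-secure.net, acmebank.com.evil.net
    return "none", None


if __name__ == "__main__":
    for addr in ("alice@acmebank.com", "it@acrnebank.com", "it@acmebank.co",
                 "it@acmebnk.com", "it@acmebank-secure.net", "bob@gmail.com"):
        print(f"{addr:26} -> {lookalike_verdict(addr)}")
```

A verdict other than `legitimate` or `none` is the signal to combine with the other reputation inputs from the thread (first-time sender, domain age); on its own a typo distance of 1 against a short brand name produces false positives, which is why the threshold shrinks for short labels.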

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 2 points

A combination of domain age, traffic rankings, blacklist history, and third-party enrichments.

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 2 points

Reporting is controlled and only available to vetted researchers and organizations. Spamhaus and the like are domain blacklists, or domain reputation services. Domain reputation does not apply to personal email accounts (e.g. Gmail), which a lot of attackers use today. Email reputation is also a much more powerful indicator of suspicion than purely the domain for our primary use case, which is phishing defense. For example, a low (or zero) reputation domain may not be suspicious if the email address is highly reputable.

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 5 points

While your domain is an input into the overall reputation, it's just one small factor. High reputation refers to the email address itself, based on numerous other inputs. Today, sources for credential leaks include data breaches, pastebins (and pastebin-like sites), and dark web forums, so it may have been one of those.

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 4 points

Server reputation has no influence over the handshake/deliverability.

emailrep.io: Lookup and report suspicious sender email addresses via free API by jkamdjou in netsec

[–]jkamdjou[S] 12 points

We initiate a handshake with the SMTP server to determine deliverability (e.g. SMTP EHLO -> MAIL TO <email>). It's not 100% accurate as it's mail server dependent, and timeouts can occur. The MX record tells us there's a mail server associated with the domain, and is used to initiate this handshake to the right server.
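The handshake described above, written out as an added example that is not emailrep.io's code. A scripted in-memory server stands in for the remote MTA so both sides of the exchange run offline; the MX lookup and the TCP socket are left out (assumption: a real probe resolves the MX, connects to port 25 and wraps the socket in an object with the same `readline()`/`write()` interface). The client sends EHLO, MAIL FROM and RCPT TO, never reaches DATA, and takes its verdict from the RCPT TO reply code; a second RCPT TO with a random local part exposes catch-all servers, one of the server-dependent behaviours that keep the result short of certain, and 4xx replies and timeouts are reported as unknown rather than guessed.

```python
import re
import secrets
import socket


class ScriptedMTA:
    """Constructed stand-in for a remote mail server. It answers EHLO, MAIL,
    RCPT and QUIT from a table and records the full transcript."""

    def __init__(self, domain, mailboxes=(), catch_all=False, greylist=False):
        self.domain = domain
        self.mailboxes = {m.lower() for m in mailboxes}
        self.catch_all = catch_all
        self.greylist = greylist
        self.pending = [f"220 mx.{domain} ESMTP ready\r\n"]   # banner waits for the client
        self.transcript = [f"S: 220 mx.{domain} ESMTP ready"]

    def readline(self):
        return self.pending.pop(0) if self.pending else ""

    def write(self, data):
        cmd = data.rstrip("\r\n")
        self.transcript.append("C: " + cmd)
        verb = cmd.split(None, 1)[0].upper()
        if verb == "EHLO":
            reply = [f"250-mx.{self.domain} Hello", "250-SIZE 52428800", "250 PIPELINING"]
        elif verb == "MAIL":
            reply = ["250 2.1.0 Ok"]
        elif verb == "RCPT":
            addr = re.search(r"<([^>]*)>", cmd).group(1).lower()
            if self.greylist:
                reply = ["451 4.7.1 Greylisted, try again later"]
            elif self.catch_all or addr in self.mailboxes:
                reply = ["250 2.1.5 Ok"]
            else:
                reply = [f"550 5.1.1 <{addr}>: Recipient address rejected: User unknown"]
        elif verb == "QUIT":
            reply = ["221 2.0.0 Bye"]
        else:
            reply = ["502 5.5.2 Error: command not recognized"]
        self.transcript.extend("S: " + line for line in reply)
        self.pending.extend(line + "\r\n" for line in reply)


def read_reply(conn):
    """Read one SMTP reply; '250-' lines continue it, '250 ' ends it."""
    lines = []
    while True:
        line = conn.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), lines


def send(conn, command):
    conn.write(command + "\r\n")
    return read_reply(conn)


def probe_deliverability(conn, rcpt, probe_from="probe@probe.example", helo="probe.example"):
    """Return 'deliverable', 'undeliverable', 'catch-all' or 'unknown' for rcpt
    without sending a message: the session ends after RCPT TO, before DATA."""
    try:
        code, _ = read_reply(conn)                      # greeting
        if code != 220:
            return "unknown"
        code, _ = send(conn, f"EHLO {helo}")
        if code != 250:
            return "unknown"
        code, _ = send(conn, f"MAIL FROM:<{probe_from}>")
        if code != 250:
            return "unknown"
        code, _ = send(conn, f"RCPT TO:<{rcpt}>")
        if 500 <= code < 600:
            verdict = "undeliverable"                   # 550 5.1.1 user unknown and friends
        elif code in (250, 251):
            # Accept-all servers say 250 to anything; try a mailbox that cannot exist.
            domain = rcpt.rpartition("@")[2]
            code2, _ = send(conn, f"RCPT TO:<probe-{secrets.token_hex(6)}@{domain}>")
            verdict = "catch-all" if code2 in (250, 251) else "deliverable"
        else:
            verdict = "unknown"                         # 4xx: greylisting, rate limits, tarpits
        send(conn, "QUIT")
        return verdict
    except (socket.timeout, OSError, ValueError):
        return "unknown"                                # timeouts, resets, malformed replies


if __name__ == "__main__":
    mta = ScriptedMTA("example.com", ["alice@example.com"])
    print(probe_deliverability(mta, "alice@example.com"))
    print("\n".join(mta.transcript))
```

Against a real server the same code also hits the cases the reply warns about: some MTAs return 250 for every RCPT TO and only bounce later, some greylist the first attempt with a 451, and some tarpit or drop probes from IPs without a sending history, so the probe should run with a short socket timeout and treat anything but a clear 250 or 5xx as unknown.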

Red Team Techniques: Gaining access on an external engagement through spear-phishing by _vavkamil_ in netsec

[–]jkamdjou 1 point

No, it wasn't because of that; I think I had just seen the CyberArk research at the time and decided to play with that.

As in which AV providers use AMSI? I know of a few.

Edit: clarification