What to do now that we know the email is malicious?

Recall the email

The first step is to recall the email, that is, remove it from the mailboxes of everyone who received it.

Block

We now have enough information to decide whether to block the sender, the sending domain, the domains found in the URLs, and so on.

Identify other victims

Now that this email is "destroyed", check whether other people in the company were also targeted by this attack.

The attacker may have sent an identical email to several staff members. Search therefore for any trace of matching activity (mail subject, sender, attachment name, links in the mail, etc.).

If the email contained URLs, check in your tools (proxy servers, firewalls, etc.) whether any workstations visited those URLs. If the email carried malicious attachments, check in your tools (EDR, antivirus, local logs) whether any workstations executed those attachments.

This is where a SIEM proves its worth.

Build your database

Once the searches are complete, record in a database (even a simple CSV file) every staff member reached by this phishing campaign.

This database must contain the receiving email address, the existing rights on that mailbox (delegations or forwarding), the time of receipt, whether the email was read, and whether the attachment and/or the URLs were contacted from that workstation. In case of compromise, the investigation must be extended to all the access available to the affected workstation and user.
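The victim-identification and database-building steps above, as an added example that is not part of the original page: constructed mail-gateway, proxy and EDR log lines are correlated against the campaign indicators, and the result is written out as the simple CSV the text suggests. All indicator values, log formats, the delegation table and the assumption that proxy/EDR usernames equal the local part of the mailbox address are constructed for this example; your own gateway, proxy and EDR will need their own parsers.

```python
import csv
import io
import shlex
from dataclasses import dataclass, asdict

# Indicators taken from the analysed email (constructed example values, not real IoCs).
INDICATORS = {
    "sender": "invoice@example-billing.test",
    "subject": "Invoice 4471 overdue",
    "attachment": "Invoice_4471.docm",
    "urls": {"http://example-billing.test/login"},
}

# Mailbox delegations known from the directory (constructed; hypothetical source).
DELEGATIONS = {"alice@corp.test": ["assistant@corp.test"]}

# Constructed mail-gateway log: time recipient sender "subject" attachment read-state
MAIL_LOG = """\
2024-05-02T08:01:10Z alice@corp.test invoice@example-billing.test "Invoice 4471 overdue" Invoice_4471.docm read
2024-05-02T08:01:12Z bob@corp.test invoice@example-billing.test "Invoice 4471 overdue" Invoice_4471.docm unread
2024-05-02T08:01:15Z carol@corp.test invoice@example-billing.test "Invoice 4471 overdue" Invoice_4471.docm read
2024-05-02T09:30:00Z dave@corp.test newsletter@vendor.test "Weekly digest" - read
"""

# Constructed web-proxy log: time user url http-status
PROXY_LOG = """\
2024-05-02T08:05:44Z alice http://example-billing.test/login 200
2024-05-02T08:06:00Z bob http://intranet.corp.test/ 200
"""

# Constructed EDR log: time host user opened-file
EDR_LOG = """\
2024-05-02T08:20:03Z WS-CAROL carol Invoice_4471.docm
2024-05-02T08:21:00Z WS-BOB bob quarterly.xlsx
"""


@dataclass
class VictimRecord:
    mailbox: str
    delegates: str          # other accounts that can read this mailbox (";"-joined)
    received_at: str
    read: bool
    url_visited: bool = False
    attachment_executed: bool = False

    @property
    def compromised(self) -> bool:
        # Any contact with the payload is treated as a potential compromise to escalate.
        return self.url_visited or self.attachment_executed


def find_recipients(mail_log: str, ind: dict) -> dict:
    """One record per mailbox that received a message matching any campaign indicator."""
    records = {}
    for line in mail_log.splitlines():
        ts, rcpt, sender, subject, attachment, state = shlex.split(line)
        # Match on any indicator, not all: the attacker may vary one field between targets.
        if sender == ind["sender"] or subject == ind["subject"] or attachment == ind["attachment"]:
            records[rcpt] = VictimRecord(
                mailbox=rcpt,
                delegates=";".join(DELEGATIONS.get(rcpt, [])),
                received_at=ts,
                read=(state == "read"),
            )
    return records


def user_of(mailbox: str) -> str:
    # Assumption: proxy/EDR usernames are the local part of the mailbox address.
    return mailbox.split("@")[0]


def mark_url_visits(records: dict, proxy_log: str, ind: dict) -> None:
    by_user = {user_of(m): r for m, r in records.items()}
    for line in proxy_log.splitlines():
        _ts, user, url, _status = line.split()
        if url in ind["urls"] and user in by_user:
            by_user[user].url_visited = True


def mark_attachment_execution(records: dict, edr_log: str, ind: dict) -> None:
    by_user = {user_of(m): r for m, r in records.items()}
    for line in edr_log.splitlines():
        _ts, _host, user, opened = line.split()
        if opened == ind["attachment"] and user in by_user:
            by_user[user].attachment_executed = True


def build_victim_database(mail_log=MAIL_LOG, proxy_log=PROXY_LOG, edr_log=EDR_LOG, ind=INDICATORS) -> dict:
    records = find_recipients(mail_log, ind)
    mark_url_visits(records, proxy_log, ind)
    mark_attachment_execution(records, edr_log, ind)
    return records


def to_csv(records: dict) -> str:
    """Serialise the database as a simple CSV file."""
    out = io.StringIO()
    fields = ["mailbox", "delegates", "received_at", "read", "url_visited", "attachment_executed", "compromised"]
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    for r in records.values():
        row = asdict(r)
        row["compromised"] = r.compromised
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    db = build_victim_database()
    print(to_csv(db))
    for r in db.values():
        if r.compromised:
            print(f"ESCALATE: {r.mailbox} had contact with the payload; notify IT security")
```

In this constructed data, dave's newsletter is excluded, alice is flagged because her account visited the campaign URL, carol because her workstation opened the attachment, and bob received the mail but never touched the payload; the `compromised` column is what drives the notification in the next paragraph.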

If a potential compromise is detected, notify the IT security manager as soon as possible so that isolation measures can be taken while the additional investigation proceeds.

Reassessment of corrective actions

Now that the analysis is done, it is time to reassess the measures taken. In an emergency, some measures are taken quickly and should now be revisited (for example: is blocking the domain alone enough, or should a DNS sinkhole, a "lying" DNS, be set up?).
