Companies are focusing a lot of time trying to secure the email system against attacks from the outside, like (spear-) phishing, malware and other threats. A customer asked me today for ideas for threats he could hunt for in his company’s email traffic in the other direction, this time to external.
The following factors where written after a very short brainstorming about things a SOC team might want to search for. If you have interesting things to add, please add a moment and i will update the list accordingly. In addition, i am not sure if every of these “searching ideas” are working in practice or not.
- Let emails send to external also run trough a content based spam filter, not only external to internal
- Content contains
- Content contains blacklisted URLs
- Suspicious attachments to external e-mails
- Encrypted ZIPs
- Source Code inside ZIPs, Source-Code in the E-Mail body and attachments
- KeePass and similar Databases
- Attachments containing viruses -> why should you only investigate Incoming emails for viruses.
- Usage of revoked or invalid digital certificates (VBA, executables, Office & PDF documents etc.) to sign attachment content.
This might make sense to check for a specific amount of historic data on the server, as the certificates are revoked usually some times after malicious usage.
- Content contains high risk user names (like domain admins, VIPs etc)
- Content contains honey object created by a deception platform or manually by the security team
- Unusual high amount of emails to the same email address / domain
- Unusual high amount of encrypted emails to external
- Revoked or invalid S/MIME certificates used to send a email
- Unusual high amount of BCC’s
- Unusual high amount of distribution lists
- Destination is a private e-mail account (like gmail, gmx and other)
- Destination is a trash e-mail
- Destination is a very privacy focused vendor (like protonmail)
- Destination region is outside of the Company business region (Iran, Russia etc.)