Reactive: Blocking Email Artifacts Flashcards
Blocking Email Artifacts
Once we have collected and analyzed email artifacts, we can take defensive measures to block incoming (and, where appropriate, outgoing) emails that carry those artifacts. To recap, the email artifacts that matter for blocking are:
Email Sender (mailbox@domain)
Sender Domain (@domain)
Sending Server IP
Subject Line
Email Sender
If a large volume of malicious emails is being sent from the same sender, we would want to block that address on the email gateway, preventing further emails from entering the domain and landing in employee mailboxes. This is the primary block we take against phishing attacks. Because the visible From address is trivially spoofed, the block should be matched against the envelope sender (the SMTP MAIL FROM) as well as the header From, and we should expect the attacker to rotate to a new mailbox once the block takes effect.
On the email gateway we would typically block incoming emails from the specified sender; however, we can make this block bi-directional and also prevent internal users from sending emails to the malicious address as a recipient. This stops an employee from replying to the malicious email.
Sender Domain
The step up from blocking the sending address (mailbox@domain) is to block the entire sending domain. When receiving emails from large consumer providers such as outlook.com or gmail.com, it is obviously not feasible to block the whole domain, as there is a high chance of blocking legitimate emails (such as employees contacting Payroll from their personal addresses, or HR reaching out to new employees via their personal addresses). A domain block is typically only applied when the sending domain is purely malicious or is using a large number of mailboxes to send malicious emails. When it is applied, it should normally cover subdomains as well, otherwise the attacker can simply send from a new subdomain.
Sending Server IP
This is a heavy-handed block and is only applied when necessary, because it drops every email arriving from the specified IP regardless of the sender address or domain. It is not a substitute for a domain block: a domain may send through many servers, so blocking one IP would catch only part of its traffic. IP blocks are best suited to rogue servers that have been compromised or set up specifically to send malicious emails. Before blocking, check whether the IP belongs to shared infrastructure (a large mail provider or bulk-sending service), since blocking it would also drop legitimate mail from every other customer of that service, and take the IP from the gateway's own SMTP connection rather than from a Received header, which the sender can forge.
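As an added example that is not part of the original page, the following Python sketch shows how a gateway policy could apply the blocks described above: sender address, sender domain (including subdomains), sending server IP and subject line on inbound mail, plus the bi-directional check that stops internal users replying to a blocked sender. The block-list entries, addresses, IP ranges and sample messages are all constructed for illustration; the `evaluate` function and its parameters are hypothetical, not the API of any real gateway product.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed block lists for illustration only (not from the original page).
BLOCKED_SENDERS = {"invoice@mail-secure-pay.example"}            # mailbox@domain
BLOCKED_DOMAINS = {"mail-secure-pay.example"}                    # whole domain, incl. subdomains
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]      # sending server IPs (TEST-NET-3)
BLOCKED_SUBJECTS = {"urgent: invoice overdue"}                   # case-insensitive substrings


def normalise_address(raw):
    """Return the bare mailbox@domain in lower case, ignoring any display name.

    parseaddr() turns '"Payroll" <x@y.example>' into x@y.example, so a spoofed
    display name cannot hide the real address from the block list.
    """
    _, addr = parseaddr(raw or "")
    return addr.lower()


def domain_of(addr):
    return addr.rpartition("@")[2]


def domain_blocked(domain):
    # Match the blocked domain itself or any subdomain of it.
    return any(domain == d or domain.endswith("." + d) for d in BLOCKED_DOMAINS)


def ip_blocked(ip_str):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETWORKS)


def evaluate(direction, envelope_sender, envelope_recipients, connecting_ip, raw_message):
    """Hypothetical gateway policy hook. Returns (verdict, reason).

    direction is 'inbound' or 'outbound'. connecting_ip must be the peer address
    of the gateway's own SMTP session, never a value taken from a Received header.
    """
    msg = message_from_string(raw_message)

    if direction == "inbound":
        # Check the SMTP MAIL FROM first, then the header From: they often differ.
        candidates = []
        for raw in (envelope_sender, msg.get("From")):
            addr = normalise_address(raw)
            if addr and addr not in candidates:
                candidates.append(addr)
        for addr in candidates:
            if addr in BLOCKED_SENDERS:
                return "block", f"sender {addr}"
            if domain_blocked(domain_of(addr)):
                return "block", f"domain {domain_of(addr)}"
        if ip_blocked(connecting_ip):
            return "block", f"ip {connecting_ip}"
        subject = (msg.get("Subject") or "").strip().lower()
        if any(s in subject for s in BLOCKED_SUBJECTS):
            return "block", f"subject {subject!r}"
        return "allow", ""

    # Outbound: the bi-directional block. Stop internal users sending to (for
    # example, replying to) a blocked mailbox or a blocked domain.
    for rcpt in envelope_recipients:
        addr = normalise_address(rcpt)
        if addr in BLOCKED_SENDERS or domain_blocked(domain_of(addr)):
            return "block", f"recipient {addr}"
    return "allow", ""


if __name__ == "__main__":
    # Constructed sample: header From uses a display name to look like Payroll,
    # while the envelope sender is a clean address.
    spoofed = 'From: "Payroll" <invoice@mail-secure-pay.example>\nSubject: Your payslip\n\nbody\n'
    print(evaluate("inbound", "bounce@legit.example", [], "198.51.100.5", spoofed))
    print(evaluate("outbound", "alice@corp.example",
                   ["invoice@mail-secure-pay.example"], "10.0.0.5", "Subject: Re: Your payslip\n\n"))
```

The two address sources are checked in a fixed order (envelope first) so that the reason string is deterministic when both match; in a real gateway the reason would feed the quarantine log rather than a return value.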