
What Is A Phishing Attack

Phishing is an attempt to steal sensitive information by masquerading as a reputable source, while spear phishing targets specific individuals or companies with personalized scams. Clone phishing mimics legitimate emails to trick victims into opening malicious content, and whaling focuses on high-profile targets like executives. Investigation steps include checking sender legitimacy and analyzing email content, followed by remediation actions if phishing is confirmed.

Uploaded by

Ghanshyam Kadam

What is a phishing attack?

“Phishing” refers to an attempt to steal sensitive information, typically in the form of usernames,
passwords, credit card numbers, bank account information or other important data in order to utilize or
sell the stolen information. By masquerading as a reputable source with an enticing request, an attacker
lures in the victim in order to trick them, similarly to how a fisherman uses bait to catch a fish.

What is spear phishing?


This type of phishing is directed at specific individuals or companies, hence the term spear phishing. By
gathering details or buying information about a particular target, an attacker is able to mount a
personalized scam. This is currently the most effective type of phishing, and accounts for over 90% of
the attacks.

What is clone phishing?


Clone phishing involves mimicking a previously delivered legitimate email and modifying its links or
attached files in order to trick the victim into opening a malicious website or file. For example, by taking
an email and attaching a malicious file with the same filename as the original attached file, and then
resending the email with a spoofed email address that appears to come from the original
sender, attackers are able to exploit the trust of the initial communication in order to get the victim to
take action.

What is whaling?

For attacks that are directed specifically at senior executives or other privileged users within businesses,
the term whaling is commonly used. These types of attacks are typically targeted with content likely to
require the attention of the victim, such as legal subpoenas or other executive issues.

Another common vector of this style of attack is whaling scam emails that appear to come from an
executive. A common example would be an email request coming from a CEO to someone in the finance
department requesting their immediate help in transferring money. Lower-level employees are
sometimes fooled into thinking the importance of the request and the person it’s coming from
supersede any need to double check the request’s authenticity, resulting in the employee transferring
large sums of money to an attacker.

Investigation steps:

1. Check the sender domain and verify its legitimacy.
2. Check the number of recipients who received the email, based on the subject line or sender address.
3. Do a header analysis of the email in MXToolbox, and find the return path, sender IP, and
authentication results to assess its legitimacy.
4. Examine the body of the email for any URLs/links and attachments, and analyze them with VirusTotal
and with hybrid and dynamic analysis of the URL.
5. Also check the body of the email to understand whether the sender is asking for anything that
would violate policy (e.g., asking for gift coupons).
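
Steps 1 and 3 above can also be scripted against the raw message source. The following Python sketch is an added example, not part of the original document; the sample message, the `triage` function name and the `trusted_mx` gateway hostname are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: reserved example domains, documentation-range IP.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.corp.example (mx.corp.example [10.0.0.5])
  by mbx.corp.example; Tue, 02 Jan 2024 10:00:05 +0000
Received: from smtp.mailer.example.net (unknown [203.0.113.45])
  by mx.corp.example; Tue, 02 Jan 2024 10:00:03 +0000
Authentication-Results: mx.corp.example; spf=softfail
  smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: user@corp.example
Subject: Password expiry notice

Please verify your account.
"""

def _domain(header_value):
    """Return the lower-cased domain part of an address header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw, trusted_mx):
    """Extract return path, sender IP and authentication results from headers."""
    msg = message_from_string(raw)
    from_dom, rp_dom = _domain(msg.get("From")), _domain(msg.get("Return-Path"))
    # Only the hop stamped by our own gateway is trustworthy; Received lines
    # below it were written by the sending side and can be forged.
    by_gateway = re.compile(r"\bby\s+" + re.escape(trusted_mx) + r"(?![\w.-])", re.I)
    sender_ip = None
    for hop in msg.get_all("Received", []):
        if by_gateway.search(hop):
            m = re.search(r"\[([0-9a-fA-F.:]+)\]", hop)
            sender_ip = m.group(1) if m else None
            break
    auth_hdr = msg.get("Authentication-Results", "")
    auth = {k.lower(): v.lower()
            for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_hdr, re.I)}
    flags = []
    if rp_dom != from_dom:
        # An indicator, not a verdict: legitimate bulk senders also differ here.
        flags.append("return-path domain differs from From domain")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "missing") != "pass":
            flags.append(f"{mech}={auth.get(mech, 'missing')}")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "sender_ip": sender_ip, "auth": auth, "flags": flags}

if __name__ == "__main__":
    print(triage(SAMPLE, "mx.corp.example"))
```
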

Conclusions: After the analysis in the above steps, if you haven’t found anything phishy, consider the email
as spam and send a spam template to the user to delete it from the inbox.

If the email is not spam after the investigation, then it is a phishing email; follow the steps below for
remediation:

1. Determine the number of recipients and compromised accounts with the help of the messaging team/AD
team.
2. Hard reset the CORP AD credentials of the user accounts, with the help of the AD/SCCM team.
3. Block the sender address in the email gateway with the help of the messaging team.
4. Block the malicious URL in the proxy, if this has not already been done.
5. Send a phishing user template to all the recipients telling them not to open the email or click the URL, and
to delete the email permanently from the inbox and deleted folder.
6. Check the O365 logs for the user account for any abnormal activity for the next 1 or 2 days, so that
action can be taken accordingly if anything suspicious is found.
