Educause Security Discussion mailing list archives

Re: Detecting phishing messages


From: Keith Hartranft <kkh288 () LEHIGH EDU>
Date: Fri, 5 Jan 2018 10:02:06 -0500

Yes Erik,

We use a methodology like this and have for some time (2+ years) but using
the GMail Content Compliance Filters to Quarantine such messages. We use
"key phrases" more than "key words" although key words are in the set you
mention. We have over 150 "phrase based" CC filters used and reviewed, 14
domain filters we have found highly effective, and a large number of other
varied filters for Job Scam, Wire-Transfer, and Malware we have utilized
rather effectively.

We filter on average 5000 to 7000 messages a month into quarantine that
would have hit GMail boxes. We actively report all hyperlinks to Google SB,
Phishtank, our own DNSBL, and/or AV as needed to more effectively protect
our and a broader community. We also notify compromised sender reps on
their compromised accounts. This has led to a reduction of less than 1
account per month being compromised via phishing the past 6 months of
measure. "False positives" are rather small (maybe a dozen per week) and
mostly mine as "reporting emails" get stuck in the Q.

In addition to the words you mention attackers also like to use - web-mail,
quota, "outlook web" (we are not an Outlook school), "protected document",
"very urgent", "email user", "irregular activity", "unusual activity" (also
in many legit messages like verify), and "kindly update". I have a whole
set of CC "kindly rules" that are phrases unique with "kindly".

I've pasted a sample of the rules below .... just 10 of the latest added
phrases. I'm happy to discuss and share further but would rather in a more
closed forum.

And yes ........... sending any replies now with this email will go through
Quarantine. LOL!

Thanks,

Keith

Matches: "All staffs and students are expected to migrate"
Matches: "increase your mailbox size"
Matches: "Remote Webmail Service"
Matches: "Click below link to upgrade"
Matches: "we limit and suspend your email account"
Matches: "information on your email account seems missing or incorrect"
Matches: "Thank you for your early cooperation"
Matches: "to verify your mail and view incoming message"
Matches: "You have to Sign On to read document"
Matches: "Quota Has Exceeded The Set Quota"

On Fri, Jan 5, 2018 at 8:50 AM, Erik D Evans <evanse () bgsu edu> wrote:

All,

We’re currently in the process of implementing Cisco Email Security for
our O365 environment.  During this process we have been discussing some
additional steps we would like to take to help warn and educate our users
about phishing.  One thing we are considering is setting up a dictionary
containing common words we see in phishing messages such as the one I have
included below.  We regularly see words such as kindly, verify, validate,
important, urgent, account, etc…  What we would like to do with this is if
we see a message that has more than one of these words, AND a link to an
external web site – prepend a warning to the message and make the URL
unclickable.  However, we have some concern about how many false positives
we will get with this approach.

My question is, have any other schools taken a similar approach to flag
messages based on keywords like this?  If so, would you be willing to share
what keywords you are matching on and speak to how many false positives you
typically run in to?

Thanks,

_______________________

Erik Evans

Information Security Analyst

Information Technology Services

Bowling Green State University

evanse () bgsu edu <haschak () bgsu edu>

http://www.bgsu.edu/infosec

This e-mail, including any attachments, may contain information that is
protected by law as privileged and confidential, and is transmitted for the
sole use of the intended recipient.  If you are not the intended recipient,
you are hereby notified that any use, dissemination, copying or retention
of this e-mail or the information contained herein is strictly prohibited.

***********************************************************

Dear BGSU E-mail User,

We noticed some of your pending in-coming E-mails in our system due to
lack of our recent up-date which may lead to permanent delete of your
account from our data-base. Kindly take a minute to complete our up-date
below, Click

***link removed***

Help us protect your account from malicious activities.

Regards.

Thanks for your co-operation.

BGSU IT Email Team,

BGSU Support Help Desk,

© Copyright 2017 Bowling Green State University

-- 

*Keith K Hartranft, CISSP, CISM, CISA, CRISC, CIPP/US, PCI-DSS ISA & PCIP*
*Chief Information Security Officer*

*Lehigh University 610-758-3994*
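The screening logic discussed in this thread (Erik's rule: more than one dictionary word AND a link to an external site, then prepend a warning and make the URL unclickable; Keith's phrase-based quarantine), as an added example that is not code from either poster, from Cisco Email Security or from Gmail's Content Compliance filters. The keyword and phrase lists are taken from the thread; the internal-domain set, the placeholder link and the sample lure text are assumptions constructed for the example.

```python
import re

# Erik's keyword dictionary and a few of Keith's quarantine phrases, both taken from the thread.
KEYWORDS = {"kindly", "verify", "validate", "important", "urgent", "account"}
PHRASES = ["increase your mailbox size", "click below link to upgrade",
           "quota has exceeded the set quota", "kindly update"]
INTERNAL_DOMAINS = {"bgsu.edu"}  # assumption: the school's own domains do not count as external
URL_RE = re.compile(r"https?://([^\s/:]+)[^\s]*", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z]+")

def external_urls(body):
    """URLs whose host is not an internal domain (or a subdomain of one)."""
    urls = []
    for m in URL_RE.finditer(body):
        host = m.group(1).lower()
        if not any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS):
            urls.append(m.group(0))
    return urls

def keyword_hits(body):
    """Distinct dictionary words present in the body, case-insensitive."""
    return sorted(KEYWORDS & set(WORD_RE.findall(body.lower())))

def phrase_hits(body):
    """Quarantine phrases present in the body, case-insensitive."""
    lowered = body.lower()
    return [p for p in PHRASES if p in lowered]

def defang(url):
    """Break the scheme and the dots so mail clients will not render the URL as a link."""
    return url.replace("://", "[:]//").replace(".", "[.]")

def screen_message(body):
    """Quarantine on a phrase hit; warn (prepend banner, defang links) on more than one
    keyword plus an external link; otherwise deliver unchanged."""
    if phrase_hits(body):
        return "quarantine", body
    words, links = keyword_hits(body), external_urls(body)
    if len(words) > 1 and links:
        for u in links:
            body = body.replace(u, defang(u))
        return "warn", "[WARNING: possible phishing, matched: %s]\n%s" % (", ".join(words), body)
    return "deliver", body

# Constructed sample modelled on the BGSU lure quoted in the thread; the link is a placeholder.
SAMPLE_PHISH = ("Dear BGSU E-mail User, Kindly take a minute to complete our up-date below "
                "or your account will be deleted: http://example.com/update")
```

A message that hits two keywords but links only to the school's own domain is delivered untouched, which is the false-positive case Erik is worried about.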
