Educause Security Discussion mailing list archives

Re: Detecting phishing messages


From: "Hart, Michael" <mhart20 () MSUDENVER EDU>
Date: Fri, 5 Jan 2018 15:09:56 +0000

Ironically enough, your response landed in my junk mail folder.  I guess O365 is looking for some of the same key words 
and phrases you included in your reply.  ☺

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keith 
Hartranft
Sent: Friday, January 5, 2018 8:02 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Detecting phishing messages

Yes Erik,

We use a methodology like this and have for some time (2+ years) but using the GMail Content Compliance Filters to 
Quarantine such messages. We use "key phrases" more than "key words" although key words are in the set you mention. We 
have over 150 "phrase based" CC filters used and reviewed, 14 domain filters we have found highly effective, and a 
large number of other varied filters for Job Scam, Wire-Transfer, and Malware we have utilized rather effectively.

We filter on average 5000 to 7000 messages a month into quarantine that would have hit GMail boxes. We actively report 
all hyperlinks to Google SB, Phishtank, our own DNSBL, and/or AV as needed to more effectively protect our and a 
broader community. We also notify compromised sender reps on their compromised accounts. This has led to a reduction to 
fewer than 1 account per month being compromised via phishing over the past 6 months of measurement. "False positives" are rather 
small (maybe a dozen per week) and mostly mine as "reporting emails" get stuck in the Q.

In addition to the words you mention, attackers also like to use: web-mail, quota, "outlook web" (we are not an Outlook 
school), "protected document", "very urgent", "email user", "irregular activity", "unusual activity" (also in many 
legit messages like verify), and "kindly update". I have a whole set of CC "kindly rules" that are phrases unique with 
"kindly".

I've pasted a sample of the rules below .... just 10 of the latest added phrases. I'm happy to discuss and share 
further but would rather do so in a more closed forum.

And yes ........... sending any replies now with this email will go through Quarantine. LOL!

Thanks,

Keith

Matches: "All staffs and students are expected to migrate"

Matches: "increase your mailbox size"

Matches: "Remote Webmail Service"

Matches: "Click below link to upgrade"

Matches: "we limit and suspend your email account"

Matches: "information on your email account seems missing or incorrect"

Matches: "Thank you for your early cooperation"

Matches: "to verify your mail and view incoming message"

Matches: "You have to Sign On to read document"

Matches: "Quota Has Exceeded The Set Quota"


On Fri, Jan 5, 2018 at 8:50 AM, Erik D Evans <evanse () bgsu edu> wrote:
All,

We’re currently in the process of implementing Cisco Email Security for our O365 environment.  During this process we 
have been discussing some additional steps we would like to take to help warn and educate our users about phishing.  
One thing we are considering is setting up a dictionary containing common words we see in phishing messages such as the 
one I have included below.  We regularly see words such as kindly, verify, validate, important, urgent, account, etc…  
What we would like to do with this is if we see a message that has more than one of these words, AND a link to an 
external web site – prepend a warning to the message and make the URL unclickable.  However, we have some concern about 
how many false positives we will get with this approach.

My question is, have any other schools taken a similar approach to flag messages based on keywords like this?  If so, 
would you be willing to share what keywords you are matching on and speak to how many false positives you typically run 
in to?


Thanks,

_______________________
Erik Evans
Information Security Analyst
Information Technology Services
Bowling Green State University
evanse () bgsu edu
http://www.bgsu.edu/infosec

This e-mail, including any attachments, may contain information that is protected by law as privileged and 
confidential, and is transmitted for the sole use of the intended recipient.  If you are not the intended recipient, 
you are hereby notified that any use, dissemination, copying or retention of this e-mail or the information contained 
herein is strictly prohibited.



***********************************************************


Dear BGSU E-mail User,



We noticed some of your pending in-coming E-mails in our system due to lack of our recent up-date which may lead to 
permanent delete of your account from our data-base. Kindly take a minute to complete our up-date below, Click

***link removed***

Help us protect your account from malicious activities.

Regards.

Thanks for your co-operation.



BGSU IT Email Team,

BGSU Support Help Desk,

© Copyright 2017 Bowling Green State University






--
Keith K Hartranft, CISSP, CISM, CISA, CRISC, CIPP/US, PCI-DSS ISA & PCIP
Chief Information Security Officer
Lehigh University
610-758-3994

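The two approaches in this thread, as an added worked example that is not code from either poster and not a Cisco Email Security dictionary or a GMail Content Compliance rule: Erik's proposal (more than one dictionary word AND a link to an external site, then prepend a warning and make the URL unclickable) is layered on top of Keith's phrase rules (any single phrase match goes to quarantine). The keyword list is the one in Erik's message and the ten phrases are Keith's sample; everything else is an assumption for illustration: `bgsu.edu` as the only internal domain, the warning banner text, the `hxxp://example[.]net` style of defanging, the `example.net`/`example.org`/`mail-upgrade.example` hosts, and the three extra messages. The phishing sample from Erik's message is reused as input with a constructed link in place of the removed one.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Dictionary words from Erik's message; a hit needs more than one of them.
KEYWORDS = {"kindly", "verify", "validate", "important", "urgent", "account"}

# The ten phrase rules Keith pasted; any single phrase hit quarantines.
PHRASES = [
    "All staffs and students are expected to migrate",
    "increase your mailbox size",
    "Remote Webmail Service",
    "Click below link to upgrade",
    "we limit and suspend your email account",
    "information on your email account seems missing or incorrect",
    "Thank you for your early cooperation",
    "to verify your mail and view incoming message",
    "You have to Sign On to read document",
    "Quota Has Exceeded The Set Quota",
]

# Assumption (not from the thread): the institution's own domains; links there are not "external".
INTERNAL_DOMAINS = {"bgsu.edu"}

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
WARNING = ("*** WARNING: this message contains common phishing wording and a link to an "
           "external site. Links have been disabled; contact the help desk if in doubt. ***\n\n")


def is_external(url, internal_domains=INTERNAL_DOMAINS):
    """True unless the URL's host is one of our own domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in internal_domains)


def keyword_hits(body):
    """Distinct dictionary words present in the body (case-insensitive, whole words)."""
    words = set(re.findall(r"[a-z]+", body.lower()))
    return sorted(KEYWORDS & words)


def phrase_hits(body):
    """Phrase rules that match after collapsing whitespace and case."""
    flat = " ".join(body.lower().split())
    return [p for p in PHRASES if p.lower() in flat]


def external_links(body, internal_domains=INTERNAL_DOMAINS):
    return [u for u in URL_RE.findall(body) if is_external(u, internal_domains)]


def defang(url):
    """Rewrite http://a.b/c as hxxp://a[.]b/c so mail clients do not auto-link it."""
    scheme, rest = url.split("://", 1)
    return scheme.lower().replace("http", "hxxp") + "://" + rest.replace(".", "[.]")


@dataclass
class Verdict:
    action: str                      # "quarantine", "warn" or "deliver"
    keywords: list = field(default_factory=list)
    phrases: list = field(default_factory=list)
    links: list = field(default_factory=list)
    body: str = ""                   # body as it would be delivered


def classify(body, internal_domains=INTERNAL_DOMAINS):
    phrases = phrase_hits(body)
    kws = keyword_hits(body)
    links = external_links(body, internal_domains)
    if phrases:                      # Keith's rule: one phrase is enough to quarantine
        return Verdict("quarantine", kws, phrases, links, body)
    if len(kws) > 1 and links:       # Erik's rule: >1 keyword AND an external link
        rewritten = URL_RE.sub(
            lambda m: defang(m.group(0)) if is_external(m.group(0), internal_domains) else m.group(0),
            body)
        return Verdict("warn", kws, [], links, WARNING + rewritten)
    return Verdict("deliver", kws, [], links, body)


# Erik's sample phish, with a constructed link where the original was removed.
SAMPLE_PHISH = """Dear BGSU E-mail User,

We noticed some of your pending in-coming E-mails in our system due to lack of our recent
up-date which may lead to permanent delete of your account from our data-base. Kindly take a
minute to complete our up-date below, Click

http://example.net/mail-update

Help us protect your account from malicious activities.

Thanks for your co-operation.

BGSU IT Email Team,
"""

# Constructed messages: a legitimate internal notice with two keywords but no external link,
# a phrase-rule hit, and a one-keyword message that should pass untouched.
LEGIT_INTERNAL = "Please verify your account details at https://www.bgsu.edu/infosec before Friday."
QUOTA_PHISH = "Your Quota Has Exceeded The Set Quota. Click http://mail-upgrade.example/login now."
ONE_KEYWORD = "Important: the seminar moved to room 204. Agenda: https://example.org/agenda"

if __name__ == "__main__":
    for name, msg in [("phish", SAMPLE_PHISH), ("internal", LEGIT_INTERNAL),
                      ("quota", QUOTA_PHISH), ("one-keyword", ONE_KEYWORD)]:
        v = classify(msg)
        print(f"{name:12s} {v.action:10s} keywords={v.keywords} phrases={v.phrases} links={v.links}")
```

The `LEGIT_INTERNAL` case is the one Erik is worried about: "verify" and "account" both appear, so a keyword-only dictionary would flag it, but the external-link condition lets it through because the only link is on the institution's own domain. Phrase rules are checked first because a full phrase such as "Quota Has Exceeded The Set Quota" almost never occurs in legitimate mail, while single words like "verify" do.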