Phishing - Action and Response

Overview

This merged workflow automates comprehensive email security analysis by retrieving emails from Outlook, extracting URLs and attachments, analyzing them with security tools (Any.run sandbox), creating threat indicators in CrowdStrike and MISP, taking protective actions, and sending detailed reports via Slack notifications.

How It Works

  1. Retrieve Email: Fetches a specific email from Outlook by its message ID to begin the security analysis.
  2. Extract Content: Scans the email body for URLs using regex patterns and checks for attachments that need analysis.
  3. Analyze URLs: Submits the extracted URLs to the Any.run sandbox for dynamic behavioral analysis and threat assessment.
  4. Process Attachments: When attachments are present, calculates their SHA256 hashes and submits the files to the Any.run sandbox for malware analysis.
  5. Upload to Malware Sandbox: Sends the attachment data to a malware analysis API for additional screening and classification.
  6. Monitor Analysis: Polls task completion status across the analysis platforms until results are available.
  7. Generate Verdict: Processes the analysis reports to determine whether the content is malicious and extracts the relevant threat indicators.
  8. Create Threat Indicators: Automatically generates indicators of compromise (IOCs) in CrowdStrike with the appropriate blocking actions.
  9. Build MISP Events: Creates structured threat intelligence events in MISP with associated attributes and threat classifications.
  10. Block Malicious Domains: Extracts the domains from malicious URLs and creates blocking rules to prevent future access.
  11. Send Notifications: Delivers comprehensive reports to Slack channels, including analysis details, MITRE ATT&CK mappings, and the actions taken.
  12. Clean Up IOCs: Provides mechanisms to reset or delete threat indicators when needed for testing or false-positive remediation.
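Steps 2, 4 and 10 of the pipeline above, as an added Python example that is not the workflow's own code: parse a raw message, pull URLs out of its text parts, hash each attachment, and reduce the URLs to the hostnames a blocking rule would target. The sample message, its attachment bytes and the URL regex are constructed here for illustration.

```python
import hashlib
import re
from email import message_from_string
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed sample: one URL in the body, one tiny attachment (payload b"abc").
_msg = EmailMessage()
_msg["From"] = "billing@example.net"
_msg["To"] = "user@example.org"
_msg["Subject"] = "Invoice overdue"
_msg.set_content("Please review: https://invoice.example.net/pay?id=42 today.")
_msg.add_attachment(b"abc", maintype="application", subtype="octet-stream",
                    filename="invoice.pdf")
SAMPLE_EML = _msg.as_string()

# Simple http(s) URL pattern; stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(raw_eml):
    """Step 2: collect URLs from every non-attachment text part, deduplicated."""
    parsed = message_from_string(raw_eml)
    urls = set()
    for part in parsed.walk():
        if part.get_content_maintype() != "text" or part.get_filename():
            continue
        charset = part.get_content_charset() or "utf-8"
        text = part.get_payload(decode=True).decode(charset, "replace")
        # Strip trailing punctuation that the regex swallows from prose.
        urls.update(u.rstrip(".,);") for u in URL_RE.findall(text))
    return sorted(urls)


def hash_attachments(raw_eml):
    """Step 4: SHA256 hex digest of each attachment, keyed by filename."""
    parsed = message_from_string(raw_eml)
    return {
        part.get_filename(): hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        for part in parsed.walk()
        if part.get_filename()
    }


def domains_to_block(urls):
    """Step 10: hostnames from the URLs, deduplicated, for a blocking rule."""
    hosts = {urlparse(u).hostname for u in urls}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    urls = extract_urls(SAMPLE_EML)
    print(urls, hash_attachments(SAMPLE_EML), domains_to_block(urls))
```

In the real pipeline the URL list and hash map would feed the sandbox submissions in steps 3 to 5, and only URLs the verdict in step 7 marks malicious would go through `domains_to_block`.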

Who is this for?

Security Operations Centers (SOCs) managing high-volume email security incidents and requiring rapid automated analysis and response capabilities. Incident Response Teams needing comprehensive phishing analysis with automatic threat indicator creation and blocking actions. Organizations with mature security programs seeking to integrate multiple security tools into unified automated workflows.

What problem does this workflow solve?

Manual phishing email analysis is time-intensive and inconsistent, often taking hours per incident while attackers can compromise multiple employees. This workflow eliminates human bottlenecks by automatically analyzing suspicious emails across multiple security platforms, creating threat intelligence, and implementing protective measures in minutes rather than hours, ensuring rapid organizational protection against phishing campaigns.