Spear Phishing Investigation

The "Spear Phishing Investigation" playbook is designed to detect patterns that indicates a spear phishing attempt by the attacker.

Phishing · 10 tasks · 3 inputs · 0 outputs

Inputs

  • DomainSquattingResults — Results of the domain squatting investigation.
  • KeywordsToSearch — A comma-separated or list of keywords to search in the email body. for example: name of the organization finance app that the attacker might impost to.
  • MailBody — The phishing mail body.

Commands used

setIncident

Flowchart

yes yes yes Start Start Domain Squatting Domain Squatting Keywords Search Keywords Search Did DomainSquatting occur? Did DomainSquatting occur? Save Domain-Squatting result to incident field - setIncident Save Domain-Squatting res... setIncident Done Done Has list of keywords and email body? Has list of keywords and ... Search if keywords exist - MatchRegexV2 Search if keywords exist MatchRegexV2 Has results? Has results? Set keywords found to layout - setIncident Set keywords found to layout setIncident