SOAR Platform / Blog / How SOAR is Used to Handle Phishing Alerts

How SOAR is Used to Handle Phishing Alerts

How Threat Intelligence Protects You

The threat landscape is ever-evolving, but one thing has remained a constant, phishing. No matter what threat intelligence you have, you can still be at risk! Every organization deals with phishing emails, even the most vigilant can get caught with a good phishing email. CyberSponse sat down with one of our experts discussing what you can do, to prevent yourself from swimming with the phishes. We also discuss how our SOAR Solution is used to handle phishing alerts.

How to Identify The Hook

Domain Spoofing:

Keep an eye out for email addresses with Unicode characters. Victims of phishing emails often make the mistake of overlooking small changes. When in fact they’re far from a friendly email! Here is an example:

AWESOME_EMAIL_01@GмAIL.COM looks similar to AWESOME_EMAIL_01@GMAIL.COM, but the “M” is a Unicode м.

Unusual File Types

Attackers often use unusual file types. Watch out for emails with unusual file types as attachments, for example – “.html”, “.js”, “.hta”, “.cpl”. Make sure you filter them out at the mail gateway.

User Training on Secure Business Processes:

Attackers now create sophisticated email chains that look like long conversations between two organizational VIPs. Then send the email to a finance or HR department employee requesting sensitive information or money transfers. Train users to be suspicious of requests like this over email. In addition, you should always request confirmation over another communication medium. Always report emails that are suspicious of the organization’s security team for review.

How You Can Use CyOPs™ to Counter Phishing Emails

What CyOPs™ can do is enrich data about emails that are already considered suspicious. CyOPs™ will then use that enrichment to confirm a suspected email is phishing. Furthermore, exonerate the suspected email using your favorite connector integration in a playbook to automate the email scanning process and take follow-up actions if needed. Follow up actions such as deleting the email based on its decision. Or a user’s decision once presented with the evidence/enrichment that CyOPs™ has collected.

Upon ingesting a suspected email, CyOPs™ will extract indicators from the content of the email. This includes URLs, IP addresses, email addresses, and MD5 hashes for any file attachments. CyOPs™ will query those indicators in a threat intelligence platform. Providing additional context to an analyst or to trigger automation in the form of follow-up actions, for example deleting the email from a user’s inbox.

Upon ingesting a suspected email, our SOAR solution CyOPs™ extracts the email’s attachment for you. CyOPs™ will send the attachment to an organization’s malware detonation sandbox for analysis. The results of the analysis will be presented to an analyst for a decision. Or if a playbook is designed with logic to handle obviously malicious (or obviously safe) attachments. Now, for example, a follow-up action can be automated and the results will be recorded in CyOPs™.


If you enjoyed CyberSponse’s latest article “How SOAR is Used to Handle Phishing alerts”, read the CyberSponse blog for an abundance of information. You will find the latest information on our SOAR Solution, threat intelligence & trending Cybersecurity topics. Schedule a demo today!



December 4, 2019

thank you very nice website article

thank you very nice website article

Leave your comments