Search and destroy phishing attempts before a compromise

Filed in Malware, Microsoft Exchange 2010, Microsoft Exchange 2013, PowerShell, SecurityTags: , , , ,
Share this solution!

It seems like I do a search and destroy to find and delete phishing attempts before they are opened–and possibly believed–by the end users at least once a month. We all see random phishing attempts using the names of banks and social media giants all the time. Most anti-spam software catches those easily. Unfortunately, if you have more than a few thousand users, you are probably big enough for someone to try crafting more targeted attacks against your organizations. Although most of these targeted phishing attacks are of the same spectacularly inept quality as the more run of the mill variety, some of them are very clever. (Not that it matters all that much. Despite years of training and at least a 7th grade education, some email users still fall for “Please do click on link to verfyi your account informations.” Sigh.) A few of these attempts are bound to sneak past your multi-layered anti-spam filters no matter what you do, and it’s important to yank them from the end user’s mailboxes as quickly as possible before someone gives away their username and password.

Here’s the cmdlet I run to search and destroy phishing attacks that get past all our other filters:

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery “Subject:’Company E-Mail Upgrade’ and From:’helpdesk@company.com'” -TargetMailbox “jay.test” -TargetFolder “Phishing-DeletedMessages” -LogLevel Full -DeleteContent

This cmdlet searches all mailboxes on the system for messages that meet the SearchQuery value and then moves them to the target mailbox, deleting them from the source mailbox. It’s critical that you get the SearchQuery value right. If you aren’t very careful, you could delete a lot of email that you shouldn’t. Here are some common values you can include in your SearchQuery:

  • Subject: The message subject. Enclose in single quotes.
  • From: The sender. Enclose in single quotes.
  • To: A recipient in the To field. Enclose in single quotes.
  • Cc: A recipient in the Cc field. Enclose in single quotes.
  • Sent: The date the message was sent. Do not enclose in single quotes.
  • Attachment: The name of an attachment. Enclose in single quotes.

You can combine these values in different ways using logical operators. Here are a couple more examples of strings I’ve used for the SearchQuery value:

  • “Subject:’Company upgrade’ and To:’bob@company.com'” – Searches for any messages with bob@company.com in the To field and “Company upgrade” in the Subject field.
  • “Subject:’Reset your password’ and (From:’phish@qahoo.co.nl’ or From:’phish@qmail.co.ch’)” – Searches for any messages with a subject of “Reset your password” from either phish@qahoo.co.nl or phish@qmail.co.ch.

Be very careful with the subject, recipient, and sender values. If you search for all messages with a subject of “Company” you will also get all messages with the subject “Company picnic” and “Company meeting – mandatory!” The SearchQuery assumes there is a wildcard at the end of the text strings. You might want to test your search against a single mailbox before running it against the entire system.

Tip: You can also use this cmdlet to remove a mass, derogatory email sent by a disgruntled, soon-to-be ex-employee.

And yet another caution: If your mailbox servers haven’t completed indexing all instances of the message you want to find and delete, guess what? It won’t find and delete them. In a small Exchange organization, that’s not a big deal. If you have thousands or tens of thousands of mailboxes, it might take some time.

You could probably do all of this using the Discovery features of the ECP, but I find the PowerShell interface to be much easier to understand and faster to use.

 
Click to view/hide

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Powered by sweet Captcha

 
Click to view/hide