Protecting the perimeter with VT Intelligence – Email security

Please note that this blog post is part of our #VTMondays series; check out our collection of past publications here.
One of the most common attack vectors for gaining access to your network is phishing email carrying attachments that contain malware, usually the first stage in a cyberattack kill chain. By gathering intelligence on the latest phishing campaigns targeting our country or industry, we can stop emails with malicious attachments from reaching our company’s inboxes. This adds a security layer that reduces the burden on employees, rather than relying solely on their intuition to identify threats.
For this we will use VT Intelligence to hunt for threats targeting our email gateway. Our approach starts with a simple example and gradually increases in complexity. For each VT Intelligence query we provide a detailed breakdown of the newly added modifiers. We encourage you to test the examples provided and to explore new queries of your own.
Our first basic query searches for documents (“type:document”) tagged as attachments (“tag:attachment”) and submitted from Spain (“submitter:ES”). We will use the “p” modifier (“p” is short for “positives”, the number of AntiVirus detections) to discard benign attachments. In this case, we want samples with more than 5 detections to avoid false positives; however, the threshold is completely at your discretion. Finally, we will look for files first seen (“fs”, short for first submission) in the last 14 days (“14d+”).
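The query above, composed from its modifiers and turned into a gateway blocklist, as an added example that is not VirusTotal's own code. It assumes the VT API v3 endpoint GET /api/v3/intelligence/search with a `query` parameter and an `x-apikey` header, and the sample response below is constructed to mirror that endpoint's shape, not real VT data.

```python
"""Compose a VT Intelligence query and extract hashes for an email-gateway blocklist."""
import json
import urllib.parse
import urllib.request

VT_SEARCH = "https://www.virustotal.com/api/v3/intelligence/search"  # assumed v3 endpoint


def build_query(country="ES", min_positives=5, days=14, min_submissions=None):
    """Join the modifiers from the post: type, tag, submitter, p (positives),
    fs (first submission) and, optionally, submissions for large-scale campaigns.
    A trailing '+' marks a lower bound, so p:5+ means five or more detections."""
    parts = [
        "type:document",
        "tag:attachment",
        f"submitter:{country}",
        f"p:{min_positives}+",
        f"fs:{days}d+",  # first seen within the last N days
    ]
    if min_submissions is not None:
        parts.append(f"submissions:{min_submissions}+")
    return " ".join(parts)


def search(query, api_key, limit=100):
    """Run the query against VT Intelligence (needs network access and a key)."""
    url = f"{VT_SEARCH}?{urllib.parse.urlencode({'query': query, 'limit': limit})}"
    req = urllib.request.Request(url, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def blocklist(response):
    """Return (sha256, name, detections) per hit, most-detected first, ready to
    feed the gateway's attachment-hash denylist."""
    rows = []
    for item in response.get("data", []):
        attrs = item.get("attributes", {})
        detections = attrs.get("last_analysis_stats", {}).get("malicious", 0)
        rows.append((attrs.get("sha256", item.get("id")),
                     attrs.get("meaningful_name", ""), detections))
    return sorted(rows, key=lambda r: r[2], reverse=True)


SAMPLE_RESPONSE = {  # constructed sample, shaped like the search endpoint's JSON
    "data": [
        {"id": "b" * 64, "type": "file", "attributes": {
            "sha256": "b" * 64, "meaningful_name": "factura.xlsm",
            "last_analysis_stats": {"malicious": 7, "undetected": 56}}},
        {"id": "a" * 64, "type": "file", "attributes": {
            "sha256": "a" * 64, "meaningful_name": "invoice_0423.docm",
            "last_analysis_stats": {"malicious": 23, "undetected": 40}}},
    ]
}
```

Replace `SAMPLE_RESPONSE` with `search(build_query(), api_key)` to run it against live data.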

Moving to the next stage, we explore the submissions modifier to identify large-scale attacks. In this case, “submissions:50” indicates the minimum number of submissions for a given file, which may flag a massive phishing campaign. We use the name of an AntiVirus engine as a modifier to narrow down the results to potential blind spots. In this case, our strategy i

[…]

This article has been indexed from VirusTotal Blog
