In my previous post To be a Cyber Security Analyst – email security tools I talked about using your email security tool to hunt down malicious emails from a campaign using subject lines and sender addresses. In this post I want to talk about a feature of IronPort (Cisco's email security appliance), and most likely of other email security systems, called "Web interaction tracking", which lets us use the links contained within emails, and patterns within those links, to identify other emails in a malicious campaign even when the sender and subject lines are different.
What web interaction tracking does is tell you if any of the links that were contained in emails received through your email security system have been clicked. It also tells you if those clicks were successful, or if they were blocked.
So how can this help us identify emails in a campaign with different subject lines and senders? Well, as before, let's use a real-life example from a case where I used this technique (with details omitted for privacy and confidentiality).
So in our case we detected the following malicious email with subject line…
“Mr , Confirmation of your Package 18B5528 Mr , Confirmation of your Package 18B5528”
And the sender was lewis.******@***kahanddavid.com
In the picture above I can see the recipient also sent an automated reply to the sender. Looking into the email details we find the malicious URL…
***********************com/.safetyadvicearea/09220431109-order-receipt (I have not included the full link because I don’t want my site to be flagged up!)
So let's see if we can use this URL to find other malicious emails that were received. To access web interaction tracking in Cisco IronPort, click "Reporting" in the tabs along the top, and then in the drop-down menu select "Web interaction tracking". I have circled the options below…
Now select the time range you would like to see the interaction tracking over, using the drop-down menu in the top left corner. All you can do here is select the approximate, suspected time range of the malicious email campaign. In my case, I will go back a full week, bearing in mind this will generate many thousands of results.
Due to the large number of results, they will need to be exported to be able to see them and manipulate them properly. Click export at the bottom right…
OK, so now we have a spreadsheet filled with every link that was clicked over that period of time. Let's search for our link by looking for URLs containing "order-receipt" (the substring at the end of the URL).
This search shows us multiple other URLs…
From this I notice a pattern: each URL contains the substring ".com/.". The ".com/" part is normal, but a "." immediately after the "/" (a dot-prefixed directory name) is not. So, from this observation, I search the spreadsheet again for URLs containing ".com/.", and this search gives me 8 URLs in total. Each of these results then lets me go back into my email search, locate the email containing the link, and once again pivot off subject lines and senders.
And that, in a nutshell, is how you use web interaction tracking to hunt malicious emails in a campaign with different subject lines and senders.
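The two pivots described above (first the "order-receipt" substring, then the ".com/." pattern) as an added Python example over an exported click list; this is not code from the original post or from Cisco. The CSV column names and host names are constructed assumptions, not the real IronPort export layout, and the regex version generalises the pattern to a dot-prefixed first path component on any TLD.

```python
import csv
import io
import re

# Constructed sample of a web interaction tracking export. Column names are
# assumptions (not Cisco's real export layout); hosts are placeholders.
SAMPLE_EXPORT = """Timestamp,Recipient,URL,Action
2019-01-14 09:12:03,alice@corp.example,http://one.example.com/.safetyadvicearea/09220431109-order-receipt,Blocked
2019-01-14 09:15:41,bob@corp.example,https://www.example.com/about,Allowed
2019-01-14 10:02:19,carol@corp.example,http://two.example.com/.docs/11822034-order-receipt,Allowed
2019-01-14 11:47:55,dave@corp.example,http://three.example.net/.invoice/7781-statement,Blocked
2019-01-14 12:30:07,erin@corp.example,https://files.example.com/reports/q4.pdf,Allowed
2019-01-15 08:05:12,frank@corp.example,http://four.example.com/.news/55-order-receipt,Blocked
"""

# A "." as the first character of the path, directly after the host, on any TLD.
HIDDEN_DIR_RE = re.compile(r"^https?://[^/]+/\.")


def load_clicks(csv_text):
    """Parse the exported CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def urls_containing(rows, needle):
    """First pivot: rows whose clicked URL contains a known substring."""
    return [r for r in rows if needle in r["URL"]]


def hidden_dir_urls(rows, tld=None):
    """Second pivot: rows whose URL has a dot-prefixed top-level path.
    With tld='com' this is exactly the '.com/.' search from the post."""
    if tld:
        return [r for r in rows if f".{tld}/." in r["URL"]]
    return [r for r in rows if HIDDEN_DIR_RE.match(r["URL"])]


def pivot_summary(rows):
    """Distinct URLs and recipients to take back into message tracking, plus block count."""
    return {
        "urls": sorted({r["URL"] for r in rows}),
        "recipients": sorted({r["Recipient"] for r in rows}),
        "blocked": sum(r["Action"] == "Blocked" for r in rows),
    }


if __name__ == "__main__":
    clicks = load_clicks(SAMPLE_EXPORT)
    print(pivot_summary(urls_containing(clicks, "order-receipt")))
    print(pivot_summary(hidden_dir_urls(clicks, tld="com")))
    print(pivot_summary(hidden_dir_urls(clicks)))
```

The recipients and URLs returned by pivot_summary are the list to carry back into message tracking to find the originating emails and their subject lines and senders.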