SANS ISC: Internet Storm Center
"Blocked" Does Not Mean "Forget It"

Published: 2018-05-24
Last Updated: 2018-05-24 07:16:52 UTC
by Xavier Mertens (Version: 1)

Today, organisations face regular waves of attacks, targeted or not. We deploy tons of security controls to block them as early as possible, before they reach their targets. Because of the volume of information generated every day, once something has been blocked we usually stop caring about it. Blocked emails are a perfect example. But "blocked" does not mean we can forget them: there is still valuable information in that data.

Tons of emails are blocked by your <name_your_best_product> solution and you feel safe. Sometimes one of them is not detected and lands in a user's mailbox, but you have an incident handling process, or the user simply deletes it because he or she had security awareness training. Everybody is happy in this wonderful world.

What if your organization were targeted and spear-phishing emails were received and (hopefully) blocked? A good practice is to review those blocked emails on a daily basis and search them for keywords that could indicate a message specifically crafted to target the organization.

Interesting keywords to search for could be:

  • Your domain names

  • Your brands

  • Terms related to your business (health, finance, government, …)

  • ...

If such messages are detected, they can be a good indicator that something is about to happen, and a trigger to take appropriate action, such as raising your SOC DEFCON[1] level or proactively warning users that a spear-phishing campaign is ongoing.
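As an added example (not code from the diary), here is how that daily review could be scripted: blocked messages are matched against a watchlist of the organisation's domains, brands and business terms, and the day's hits are counted against an alert threshold. The watchlist, the record field names, the sample quarantine records, the "own domain or two or more categories" heuristic and the threshold are all assumptions made for this example.

```python
"""Daily review of blocked emails for signs of spear phishing.

Added example, not the diary's own code. The input records mimic what a
mail gateway might export from its quarantine; field names, watchlist
contents and the sample messages below are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Hypothetical organisation watchlist (assumption, not from the diary).
WATCHLIST = {
    "domain": ["acme-corp.example", "acme.example"],
    "brand": ["ACME", "AcmePay"],
    "business": ["invoice", "wire transfer", "payroll", "SWIFT"],
}

# Constructed sample of blocked messages, as a quarantine export might look.
# Note that q002 is filed as plain "spam" by the gateway: exactly the kind of
# record that gets forgotten once it is blocked.
BLOCKED = [
    {"id": "q001", "from": "promo@deals.example", "subject": "50% off sunglasses",
     "body": "Limited offer, click now", "verdict": "spam"},
    {"id": "q002", "from": "cfo@acme-c0rp.example", "subject": "Urgent wire transfer - ACME Q2",
     "body": "Please process the attached invoice for AcmePay vendor today.", "verdict": "spam"},
    {"id": "q003", "from": "hr@acme-corp.example.evil.example", "subject": "Payroll update",
     "body": "Log in at http://acme-corp.example.evil.example/sso to confirm your payroll details",
     "verdict": "phish"},
    {"id": "q004", "from": "noreply@bank.example", "subject": "Your statement",
     "body": "Your monthly statement is ready", "verdict": "spam"},
]


@dataclass
class Hit:
    msg_id: str
    verdict: str
    matches: dict   # category -> sorted list of matched terms
    score: int      # total number of matched terms


def review_message(msg, watchlist=WATCHLIST):
    """Return {category: [matched terms]} for one blocked message.

    Domains are matched as plain substrings so that our own domain reused as a
    lookalike subdomain (acme-corp.example.evil.example) is caught too; brands
    and business terms are matched as whole words, case-insensitively.
    """
    text = " ".join(str(msg.get(k, "")) for k in ("from", "subject", "body"))
    lowered = text.lower()
    matches = {}
    for category, terms in watchlist.items():
        found = set()
        for term in terms:
            if category == "domain":
                if term.lower() in lowered:
                    found.add(term)
            elif re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE):
                found.add(term)
        if found:
            matches[category] = sorted(found)
    return matches


def is_targeted(matches):
    """Heuristic (assumption): our own domain showing up in blocked inbound mail,
    or hits in two or more categories, suggests a message crafted for us rather
    than generic spam."""
    return "domain" in matches or len(matches) >= 2


def daily_review(blocked, watchlist=WATCHLIST, alert_threshold=2):
    """Review one day of blocked mail. Returns (hits, raise_alert), where
    raise_alert is True when the number of targeted-looking messages reaches
    alert_threshold (the value is an assumption; tune it to your volume)."""
    hits = []
    for msg in blocked:
        matches = review_message(msg, watchlist)
        if is_targeted(matches):
            score = sum(len(v) for v in matches.values())
            hits.append(Hit(msg["id"], msg.get("verdict", "?"), matches, score))
    return hits, len(hits) >= alert_threshold


if __name__ == "__main__":
    hits, alert = daily_review(BLOCKED)
    for h in sorted(hits, key=lambda h: h.score, reverse=True):
        print(f"{h.msg_id} [{h.verdict}] score={h.score} {h.matches}")
    print("raise SOC alert level:", alert)
```

Run it against a real quarantine export (one dict per blocked message) instead of the constructed BLOCKED list; the verdict field is kept in each hit because a targeted message the gateway filed as ordinary spam deserves the same attention as one it labelled phishing.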

Stay safe!


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

