Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: The Good Phishing Email - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
The Good Phishing Email

Readers submit all kinds of malware to the Internet Storm Center: executables, documents, emails, ...

This week I took a look at a phishing email submitted by a reader. Going through the headers, I spotted the following:

X-PHISHING-TEST: This is a phishing awareness test conducted by $COMPANY
X-PHISHING-ID: 123456

I've seen similar headers before: they are used in emails designed to raise security awareness in a company. This email here simulates a phishing email, and these headers are added to flag the email as an awareness exercise, and they are also used to track individual emails.

Headers like these are a bit like the evil bit: there's nothing to guarantee their authenticity ;-). Before informing our reader, I did a whois on the domain name of the phishing URL found inside the email body: it was registered by the same company mentioned in the header, and this is indeed a company specialized in security training and awareness. I took special care not to access the URL, as this could put our reader on a list of people who fell for the phishing attempt.

Thus I informed our reader that it was indeed a phishing email, albeit of a special kind: it was a phishing awareness exercise. Later, he confirmed our findings.

Didier Stevens
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

170 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!