Phishing is one of the most scalable and successful attack techniques used by threat actors. According to Retruster, phishing accounted for 90% of data breaches in 2019 and the prevalence of phishing attacks is growing by 65% annually.  Now, phishing has become an increasingly bigger threat due to the COVID-19 pandemic. This blog covers detection and investigation techniques security teams can use to maintain visibility into phishing threats.


The first step in detecting phishing threats is ensuring that the proper tools and monitoring are in place. E-mail security solutions like Proofpoint, Cisco IronPort, or Microsoft Advanced Threat Protection provide alerting based on reputation and content inspection, but more granular monitoring of certain behaviors like those listed below can further enhance an organizations ability to detect phishing incidents.

Abusing RSS Feeds

Once a threat actor compromises a mailbox, a common action is to start a social engineering campaign with other e-mail contacts to gain sensitive information or redirect cash-flows to compromised bank accounts. A crucial step in these campaigns is evasion and hiding the e-mail chains the threat actor generates. Evasion can be done by creating e-mail rules to redirect inbound and outbound emails associated with the threat actor’s correspondence to the “RSS Feeds” folder in Outlook. This folder is created by default and seldom used legitimately. As such, it creates the perfect place to hide e-mails sent or received by the threat actor instead of the legitimate user. Monitoring for any mail rules mentioning RSS Feeds can help detect compromised mailboxes being actively leveraged by a threat actor.

External Outlook Mail Re-Direct Policies

Another e-mail data exfiltration method used by threat actors is to create an Outlook redirect policy that forwards all inbound or outbound mail to an external email address. Once this has been implemented, the threat actor will have a copy of all email correspondence involving the compromised account, even if the password is reset and the threat actor loses access. Monitoring and auditing Office 365 management logs for mail redirect policies created that have a recipient domain not associated with your organization can reveal data exfiltration from a compromised e-mail account.

Communications to Throw-Away Domains

A range of e-mail services provide temporary, disposable, e-mail addresses which can be used by a threat actor as an anonymous recipient of sensitive company documents being ex-filtrated from a company email. Generating a list of throw-away domains and monitoring for any emails destined to an address registered with a throw-away domain can provide insight into potential data exfiltration.


When a security team is notified of a probable phishing incident, the next step is determining the scope and severity of the incident so that the threat can be properly contained and remediated. We’ve highlighted some key investigation steps to determine the scope and severity of phishing threats to determine what next action to take and remediate from the environment.

URL Sandboxing

Whether an alert is received from an e-mail security tool, or the original e-mail is reported internally from the end-user, the first step is to investigate the URL included within the e-mail. The most effective method of investigating a URL is using a sandbox tool like Any.Run or URL Scan. Both tools offer free versions and allow you to safely investigate the potentially malicious link. Any.Run allows you to interact with the web page in real-time so you can see what happens if a user fills out the fake login page or downloads the malicious file. Indicators to look out for include content and domain mismatches. If the webpage is a mirror image of a Microsoft login page, but the domain is un-related to Microsoft and isn’t owned by Microsoft – this would indicate a true positive phishing threat.

Web Proxy POST Requests

Once the URL has been investigated to confirm a malicious disposition, the next investigation step is to determine whether the end-user filled out and submitted their credentials. Looking within web proxy event logs for HTTP POST requests from the user who received the phishing e-mail around the incident time frame would indicate that the account is now compromised. To evade detection, threat actors may use multiple HTTP redirects, so any POST requests regardless of if the domain is a direct match to the original email URL should be considered an indication of compromise.

Anomalous Geolocation Logins

If the user is suspected to have their respective credentials compromised, the next step is to determine if the threat actor has accessed the account yet. Leveraging the visibility from Single Sign-On solutions or e-mail authentication logs, you can generate a list of IP addresses an account has authenticated from. Any logins from IP addresses that have an anomalous geo-location, have a poor reputation across tools, or are owned by VPN providers like Private Internet Access may indicate that a threat actor compromised the account credentials and accessed the account.

Staying a Step Ahead with ReliaQuest GreyMatter

Phishing attacks will not be going away any time soon, so it’s continually important to detect, investigate, and mitigate phishing incidents. Security teams may have the tools in place to investigate and respond to these incidents, but these tools have limited integration and correlation, resulting in limited visibility and slower response times.

Enter GreyMatter. ReliaQuest’s platform unifies and integrates existing SIEM, EDR, multi-cloud, and third-party apps to deliver a centralized, transparent view across the environment. With GreyMatter’s investigations, data from multiple technologies is streamlined, aggregated and visualized in a fraction of the time, resulting in faster investigations. Efficiency can be further enhanced with GreyMatter’s automation capabilities – where repeated actions like resetting passwords or disabling accounts can be automated to ensure faster remediation and consistency across incidents.