Category: Junk and Phish

Updated: Using the ‘Report Message’ add-in as phishing button in Outlook

Update to Add Phishing Button to Outlook: ‘Report Message’

A few years ago, I blogged about a way for enterprises to report phishing messages by adding an Outlook phishing button. The message would be forwarded to the IT or Security department quickly and easily, without paying for a service. With that approach, employees can report phishing or suspicious emails with the click of a button and send the full message (headers included) to a mailbox monitored by your IT staff. Here is a link to the article 'Add a Report Phishing button in Outlook'.

Since then, Microsoft has made some changes to their junk reporting tools as the collective world moves toward cloud services, specifically Office 365. While I don't have much of an opinion on email platforms, I have noticed that Microsoft's spam and phishing filtering service has not kept up with the filtering that is happening with Gmail; this may be by design, or just part of Microsoft's marketing strategy…who knows. What I do know is that enterprise employees using Outlook and Office 365 have been struggling with Business Email Compromise (BEC), phishing and spam for years, and it's not getting any better.

Visibility into how spam and phishing make it into our mailboxes is a critical need for any security program. It increases awareness and allows defenders to rally and protect employees from insidious and crafty emails that occasionally make it to executive and VIP inboxes, the very places they can do the most damage. The world is a dangerous place when it comes to email and digital security. Worst of all, IT staff often have no idea about phishing campaign trends and what the bad guys are up to. Let's change that.

What’s changed since the Outlook Phishing button?

The Outlook phishing button that I blogged about in a previous article uses Microsoft's Junk Email Reporting add-in. For years Microsoft has accepted reported junk emails and used the statistics to fine-tune their filters (as long as end users and companies allow that information to leave their network). While it does not serve exactly the same purpose as the Junk Email Reporter, Microsoft's 'Report Message' add-in is even easier to use and configure; for example, with a simple mail flow rule in Office 365 you can send the full message, headers and all, directly to your IT or Information Security group, or to a shared mailbox that is monitored by your enterprise defenders (makes them sound like heroes, doesn't it?). It's a slightly different spin on the 'Phishing Button' in Outlook, but it can be configured to do essentially the same thing: serve as an early warning for your IT staff when used by security-aware employees. The Report Message add-in also has the added benefit of working in Outlook Web too, something the simple Outlook phish button could never do.

Outlook's New Report Message Button

How to Report phishing messages to your IT department

The following instructions will work for Outlook and/or Outlook web users who use the Office 365 cloud service, personal or enterprise!

Here’s what you need to do:

1. Install the Report Message add-in from Microsoft’s AppSource

Here is a link for download.  https://appsource.microsoft.com/en-us/product/office/wa104381180

There are ways to push this out globally and I have more information below, but for now just download to your personal Outlook instance so you can test in your environment.  Once you go through all the steps defined here and determine it is working, roll it out to the rest of the company.

2. Create an Exchange Online rule to blind-copy (Bcc) your internal phishing report mailbox.

You must be an Exchange Online administrator for your organization to complete this task. If you are not, contact your IT department and show them this article; they will be impressed that you care enough to send them something that will help, instead of just clicking the phishing email and going on with life… You will be the hero of the day!

  1. In the Exchange Admin Center, choose 'mail flow > rules'.
  2. Choose + > Create a new rule.
  3. In the Name box, type a descriptive name, such as 'Phish report rule' (Microsoft's own docs suggest 'Submissions'; you make the call).
  4. In the 'Apply this rule if' list, choose 'the recipient includes…'.
  5. In the 'specify words or phrases' screen, add 'junk@office365.microsoft.com' and 'phish@office365.microsoft.com' (the addresses the Report Message add-in submits to) and choose 'OK'.
  6. In the 'Do the following…' list, choose 'Bcc the message to…'.
  7. Add whoever you want to receive the phishing messages in your organization, then choose 'OK'. It can be a person, an email group or a shared mailbox.
  8. Choose 'Audit this rule with severity level' and choose Medium.
  9. Under 'Choose a mode for this rule', choose Enforce.
  10. Click 'Save'.

  (The configuration may take a few hours to sync across Office 365 servers; have patience.)

 3. Test your anti-phishing Report Message button!

Now, when you are ready to test, open a spam or phishing email and click the Report Message button! If it is working correctly, the email will be moved to your Junk E-mail folder, and a full copy of the entire message, including headers, will be sent to the mailbox you chose in step 7 above. Woohoo!

 

What if I don’t want to send junk reports to Microsoft?

If you are the cynical type and are suspicious of sending any information from your network (including junk mail) to Microsoft, just create a second Exchange Online rule that blocks any message sent to 'junk@office365.microsoft.com' and 'phish@office365.microsoft.com' from leaving your Exchange service. If that rule runs after the Bcc rule, it should still Bcc the mail to your internal staff.

Here’s a guide to create the rule that blocks reporting spam to Microsoft:

https://practical365.com/exchange-server/using-transport-rules-to-block-outbound-email-to-untrustworthy-domains/

I personally haven’t tried this, but seems like it should work.  If you have, let us know your results or post back if you find a better way.
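The same two rules from the command line, as an added example that is not part of the original article: it builds the Bcc rule from the numbered steps above with the ExchangeOnlineManagement module, and for the "don't send to Microsoft" case it uses a redirect action instead of the article's separate blocking rule (a suggestion made here, not the article's setup; test it in your own tenant). admin@yourdomainhere.com, phishreports@yourdomainhere.com and the rule names are placeholders.

```powershell
# Added example, not from the original article. Placeholders: the admin UPN,
# phishreports@yourdomainhere.com and the rule names.
# One-time setup on the admin workstation: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@yourdomainhere.com'

# Where the Report Message add-in sends its submissions (reported mail attached,
# original headers intact).
$reportAddresses = @('junk@office365.microsoft.com', 'phish@office365.microsoft.com')
$internalMailbox = 'phishreports@yourdomainhere.com'   # person, group or shared mailbox
$keepReportsInternal = $false   # $true = submissions never leave for Microsoft

if (-not $keepReportsInternal) {
    # Steps 4-9 of the article: "the recipient includes" one of Microsoft's
    # report addresses -> Bcc the submission to the internal mailbox,
    # audit at Medium severity, enforce.
    New-TransportRule -Name 'Phish report rule' `
        -RecipientAddressContainsWords $reportAddresses `
        -BlindCopyTo $internalMailbox `
        -SetAuditSeverity 'Medium' `
        -Mode 'Enforce' `
        -Comments 'Bcc Report Message submissions to the internal phishing mailbox'
} else {
    # Alternative to the article's separate blocking rule (suggested here, not
    # from the article): a redirect action replaces the original recipients, so
    # Microsoft's mailboxes never receive the submission and the internal
    # mailbox gets the only copy.
    New-TransportRule -Name 'Phish report rule (internal only)' `
        -RecipientAddressContainsWords $reportAddresses `
        -RedirectMessageTo $internalMailbox `
        -SetAuditSeverity 'Medium' `
        -Mode 'Enforce'
}

# Verify the rule exists and is enforced (propagation can take a while).
Get-TransportRule |
    Where-Object { $_.Name -like 'Phish report rule*' } |
    Format-Table Name, State, Mode, Priority -AutoSize

# After clicking Report Message on a test email, confirm the copy arrived.
Get-MessageTrace -RecipientAddress $internalMailbox `
    -StartDate (Get-Date).AddHours(-2) -EndDate (Get-Date) |
    Format-Table Received, SenderAddress, Subject, Status -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The message trace at the end is the check worth keeping: if a user clicks the button and nothing shows up for the internal mailbox within a couple of hours, the rule is either still propagating or matching on the wrong condition.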

 

Additional reading–Next Step toward hero status: Enterprise Install

Yep, sometimes Microsoft stuff works great, and this is one of those times. They make this super easy. The following instructions were copied from

https://docs.microsoft.com/en-us/office365/securitycompliance/enable-the-report-message-add-in

Get and enable the Report Message add-in for your organization

Important

You must be an Office 365 global administrator or an Exchange Online administrator to complete this task. In addition, Exchange must be configured to use OAuth authentication. To learn more, see Exchange requirements (Centralized Deployment of add-ins).

1. Go to the Services & add-ins page in the Microsoft 365 admin center.

2. Choose + Deploy Add-in.


3. In the New Add-In screen, review the information, and then choose Next.


4. Select I want to add an Add-In from the Office Store, and then choose Next.


5. Search for Report Message, and in the list of results, next to the Report Message Add-In, choose Add.


6. On the Report Message screen, review the information, If it looks good, choose Next


7. Specify the user default settings for Outlook. Here you can decide whether you want the install to be mandatory for your end users or optional. I personally like the Mandatory setting 🙂 Choose Next.

8. Specify user or group to get the Report Message Add-in, and then choose Save.


Now in Outlook your users will have an icon that looks like this:

Outlook Report Message 'phishing' button

In Outlook web, you should see something like this:

 

If you followed the directions carefully, you should now have an enterprise-wide tool to report phishing to your internal team. You did it! Now get on to reporting those bad emails!

Post a reply and let me know if it helped you and your organization, I’d love to hear any success stories!

 

Additional information:

Using the Report Message Add-in (Microsoft)


Fake and Look-alike Domains used in Phishing

What’s a look-alike domain?

Hackers sometimes use look-alike domains to confuse victims. Look-alike domains look very similar to common domains, but are actually completely different. An example is lbm.com vs. ibm.com; notice the 'l' instead of the 'i'. The strategy is rather simple: divert the end user to the look-alike domain, wait for them to enter their credentials, then steal them. Look-alike domains can be purchased cheaply from many domain registrars and spun into production quickly, often by bad guys.

Many phishing emails contain malicious links to look-alike domains. They are so common that learning to recognize them should be a part of every security awareness program, but let's get real for a minute: someone in the organization is going to get tricked and click something they shouldn't. So how do companies protect themselves when we all know 'people click stuff'? It's one of the few hard-and-fast digital security facts you need to come to grips with.

How to defend against look-alike domains (and people who click stuff)

  • Training

    • Don't skimp here. Over-communicate the dangers, find a partner who can help with cloud-based training, or even run internal phishing campaigns to drive the point home. Yes, training is good, but even 95% good is 5% bad, and the 5% bad is 100% bad, and that's about the end of my math skills.
  • Buy look-alike domains

    • You're probably wondering, "How do I even know what to buy? How is that even possible?" Simple: use the open-source tool URLCrazy to find the domains that could potentially be used against you, and then purchase them! Problem solved. Okay, okay… Since security teams and IT both have a limited budget, we need another solution, and a free one would be awesome. How about we just find the domains with URLCrazy and block end users from browsing to them?
  • Block look-alike domains

    • Fire up a copy of Kali Linux and run URLCrazy from the command line, or for an online version, browse over to https://suip.biz/?act=urlcrazy and enter a domain name. (That website hosts an online look-alike domain generator built on URLCrazy; a very handy tool, but use it for good, not evil!) You will get a long list of look-alike domains that someone could fraudulently use. Here is an example of the first few for 'nerdosaur.com'.

      URLcrazy results for nerdosaur.com

      Just for kicks, run URLCrazy for microsoft.com or facebook.com and check out the data on the look-alike domains… it's somewhat terrifying but educational.

    • Take the output from URLCrazy and import the look-alike domains into your internal DNS server, pointing each one at 127.0.0.1. If you want to get real fancy, point them at an internal web server with a landing page that offers security awareness training, or that points to this blog! Users will be protected from browsing to the bad domains, they'll love it, and my hit counters will go way up! What's not to love? One caveat: a sinkhole in your internal DNS only protects devices that resolve through your internal servers, so laptops on home or hotel networks are not covered.
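A small look-alike generator and the DNS sinkhole step in script form, as an added example that is neither part of the original article nor URLCrazy's own code. It produces the permutation types the text describes (dropped letters, doubled letters, adjacent swaps and homoglyphs such as i/l and rn/m, deliberately a smaller set than URLCrazy's) and then writes the results either as hosts-file lines for a quick test or as sinkhole zones on a Windows DNS server. nerdosaur.com is the article's domain; the server name 'dns01' and the zone file names are assumptions.

```powershell
# Added example, not part of the original article and not URLCrazy's own code.
# Assumptions: the DNS server is 'dns01'; zone files are named <domain>.dns.

function Get-LookAlikeDomains {
    param([Parameter(Mandatory)][string]$Domain)

    $dot  = $Domain.IndexOf('.')
    $name = $Domain.Substring(0, $dot).ToLower()
    $tld  = $Domain.Substring($dot + 1).ToLower()
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'

    # Character pairs that render alike in common fonts.
    $glyphs = @{ 'i' = @('l', '1'); 'l' = @('i', '1'); 'm' = @('rn'); 'w' = @('vv'); 'o' = @('0') }

    for ($i = 0; $i -lt $name.Length; $i++) {
        $ch = [string]($name[$i])
        [void]$seen.Add($name.Remove($i, 1))              # omission:      nrdosaur
        [void]$seen.Add($name.Insert($i, $ch))            # repetition:    neerdosaur
        if ($i -lt $name.Length - 1) {                    # adjacent swap: enrdosaur
            $chars = $name.ToCharArray()
            $tmp = $chars[$i]; $chars[$i] = $chars[$i + 1]; $chars[$i + 1] = $tmp
            [void]$seen.Add(-join $chars)
        }
        if ($glyphs.ContainsKey($ch)) {                   # homoglyph:     nerd0saur
            foreach ($g in $glyphs[$ch]) {
                [void]$seen.Add($name.Substring(0, $i) + $g + $name.Substring($i + 1))
            }
        }
    }
    [void]$seen.Remove($name)            # never sinkhole the real domain
    $seen | Sort-Object | ForEach-Object { "$($_).$tld" }
}

function ConvertTo-HostsEntries {
    # hosts-file lines for a quick single-workstation test of the block list
    param([string[]]$Domains, [string]$SinkholeIp = '127.0.0.1')
    foreach ($d in $Domains) { "$SinkholeIp`t$d" }
}

$lookalikes = Get-LookAlikeDomains -Domain 'nerdosaur.com'
"$($lookalikes.Count) look-alikes generated"
ConvertTo-HostsEntries -Domains ($lookalikes | Select-Object -First 5)

# On a Windows DNS server each look-alike becomes a small authoritative zone
# whose apex and wildcard resolve to the sinkhole, so any client using the
# internal resolvers never reaches the real (attacker-owned) site. Devices on
# other resolvers (home, hotel) are not covered.
$sinkhole = '127.0.0.1'   # or the IP of an internal awareness landing page
if (Get-Command Add-DnsServerPrimaryZone -ErrorAction SilentlyContinue) {
    foreach ($d in $lookalikes) {
        if (Get-DnsServerZone -Name $d -ComputerName 'dns01' -ErrorAction SilentlyContinue) { continue }
        Add-DnsServerPrimaryZone -Name $d -ZoneFile "$d.dns" -ComputerName 'dns01'
        Add-DnsServerResourceRecordA -ZoneName $d -Name '@' -IPv4Address $sinkhole -ComputerName 'dns01'
        Add-DnsServerResourceRecordA -ZoneName $d -Name '*' -IPv4Address $sinkhole -ComputerName 'dns01'
    }
} else {
    Write-Warning 'DnsServer module not present; run the zone creation on the DNS server itself.'
}
```

The wildcard record matters: attackers rarely host the phish at the bare apex, so without '*' a link to login.nerd0saur.com would sail past a sinkhole that only covers the apex.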

So, now that you’ve saved your world from one more techno-peril, help me teach everyone to be paranoid.


Dissecting a successful phishing attack

After several years of successful defense against constant phishing attacks, a company I represent finally fell victim. An email link was clicked, credentials were stolen, an account was compromised and money we were originally owed fell into the wrong hands. Too often I've read all about this type of scam, thinking of ways we can avoid problems, but after it happened I was truly struck by the competency of the attacker(s) and their ability to think and act quickly. One moment of weakness and a click on the part of one employee set the whole fiasco in motion.

The company was an indirect victim here; one of our accounts was used as a 'vehicle' for the scam. The actual victim was a company that we do business with. The attacker, after stealing the credentials of our employee, used them to log in to the cloud email account and began reading the emails. (We use a cloud-based system for email access; let's just say you've heard of them and probably use them too.) The attacker found a financial exchange about to take place and inserted themselves into the email conversation, impersonating our end user. Email rules were set up to redirect any messages from the victim to an unseen folder instead of the inbox. Our employee saw no communication at all from the victim. Any messages sent by the attacker, and any email trail, were quickly deleted by the attacker so we would not become suspicious. So, in reality, our employee was using email without a clue that someone else was logged in to the account.

The attacker then emailed the victim (within a few hours of the initial phish) with a story that our wire address had changed because of some ‘suspicious activity’ or ‘bad checks’ on our bank account, and quickly gave them a new bank routing number and other pertinent info. There was a ‘slight’ change in the look of the email signature (Red Flag #1), but other than that it looked legit.   The new bank was in a middle-eastern country (Red Flag #2) where we do not do business (Red Flag #3).

The victim had trouble with the new banking info, and could not use it.  The attacker kept pushing and pushing (red flag #4) to have them try again.  Finally the victim replied via email (again intercepted by the bad guy).  They were getting suspicious at this point and the whole thing looked like it was going to come crashing down.  They asked if there was someone else in the finance department they could talk to about this bad banking information.  (Nice work! ask to talk to someone else at the company!)

With me so far? This is where it gets interesting.

The attacker had another tool in their arsenal aside from being shameless, deceitful and good at social engineering: a look-alike domain. A look-alike domain is an internet domain that looks very similar to another domain. For example, moor.com looks a lot like rnoor.com; notice the 'm' is replaced by 'rn'. In this case the attacker registered the look-alike domain around the same time they started phishing, probably fully aware it could come in handy to impersonate another employee in our company.

Another fake email was sent from this look-alike domain, spoofing an employee associated with our finance department, giving full validation to the lies and offering a different bank and routing number, this time at a domestic bank. Replies to the new spoofed address went to the look-alike domain (Red Flag #5: check your reply-to addresses!), keeping everyone right where they wanted them, clueless. This time the bank info was good, and money was wired.

Nearly a week had gone by when our employee was in his email and noticed a draft message go to the outbox, then disappear. He became suspicious and called the help desk, who contacted the security guy, who had him change passwords immediately. That kicked out the bad guy, but was just the start of the incident response, cleanup and post-mortem. I immediately suspected a phishing attack because credentials are so easily stolen that way.

Getting the money back after the wire was improbable, as too much time had gone by before the victim became aware of the scam.  Authorities were contacted (IC3 and FBI).  My association with the InfraGard (www.infragard.org) was truly helpful in this situation, as that gives you instant recognition from the FBI, and direct access to a Special Agent who works these types of cases.   The report that I sent will be compared to others and maybe some of the information that I sent will help catch this thief.

Looking back, there were many ways this could have been prevented.  Doing all of your business through email, especially financial business is dangerous.  Always use the phone to verify financial info, never email.  Have a verification process and safe procedure for sending money via wire, this will help protect against phishing.  Watch for pushy and/or emotional emails demanding you hurry, try again or anything to drive your emotions up, because that is where your logic goes down.  Again, I know the technology is almost 150 years old, but it still works!  Pick up the phone and call!
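The attacker's inbox rules are the one artifact in this story that a defender can hunt for across the whole tenant, so here is an added example, not part of the original post, that does exactly that in Exchange Online: it flags rules that hide mail from a particular sender, delete it, or forward it out, runs the check on a constructed sample rule shaped like the one described above, and then pulls the audit records that show who created each rule and from which IP. It assumes the ExchangeOnlineManagement module and an Exchange Online admin account; every mailbox and domain name here is a placeholder.

```powershell
# Added example, not part of the original post. Placeholders: admin UPN,
# jdoe@yourdomainhere.com, ap@partner.example.

function Test-SuspiciousInboxRule {
    # Returns the reasons a rule deserves a look (empty array = looks benign).
    param([Parameter(Mandatory)]$Rule)   # object from Get-InboxRule, or a sample
    $why = @()
    if ($Rule.DeleteMessage) { $why += 'deletes mail' }
    if ($Rule.From -and $Rule.MoveToFolder) {
        # The pattern from the story: one correspondent's mail shunted out of the Inbox.
        $why += "moves mail from a specific sender to '$($Rule.MoveToFolder)'"
    } elseif ($Rule.MoveToFolder -match 'RSS|Archive|Conversation History|Junk|Deleted') {
        $why += "moves mail to a rarely viewed folder '$($Rule.MoveToFolder)'"
    }
    if ($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo) {
        $why += 'forwards or redirects mail outside the mailbox'
    }
    if ($Rule.MarkAsRead -and ($Rule.MoveToFolder -or $Rule.DeleteMessage)) {
        $why += 'marks mail read before hiding it'
    }
    if ($Rule.Name -match '^[\s.]*$') { $why += 'blank or dot-only rule name' }  # common in BEC cases
    return ,$why
}

# Constructed sample mirroring the attack above: mail from the trading partner is
# filed into RSS Feeds, marked read, under a rule named ".".
$sample = [pscustomobject]@{
    Name = '.'; Enabled = $true; From = @('ap@partner.example')
    MoveToFolder = 'jdoe@yourdomainhere.com:\RSS Feeds'; DeleteMessage = $false
    ForwardTo = @(); ForwardAsAttachmentTo = @(); RedirectTo = @(); MarkAsRead = $true
}
Test-SuspiciousInboxRule -Rule $sample    # three reasons

# Live sweep across every user mailbox in the tenant (slow on large tenants;
# Get-InboxRule is one call per mailbox).
Connect-ExchangeOnline -UserPrincipalName 'admin@yourdomainhere.com'
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = Test-SuspiciousInboxRule -Rule $rule
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name
                               Enabled = $rule.Enabled; Why = ($reasons -join '; ') }
        }
    }
}
$findings | Format-Table -AutoSize

# Who created them, and from where: the unified audit log keeps New-InboxRule and
# Set-InboxRule events with the client IP, which separates a user's own
# housekeeping from an attacker's session.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule' -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations,
        @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
    Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Run the sweep on a schedule rather than only after an incident: a rule that hides one correspondent's mail is the attacker's first move, days before any wire request goes out.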

Stop Clickers with Stickers! Security Awareness improvement for FREE!

Let’s see now, over the last several years working in IT Security and Security Awareness a few things have become crystal clear;

  1. Technologies are super easy to patch, you just need a process and a little buy-in.  After patching the risk is minimal.
  2. People can’t be patched, even though sometimes we really wish they could be.   After security awareness training the risk is still present, albeit hopefully minimized a degree.
  3. People need to be aware of security at all times, it has to become part of the business culture. Worrying about end users is what keeps me up at night–our business is one click away from losing brand reputation, money, private information or even (swallow hard) the IT Security guy’s job.  Generic security awareness is not good enough.

What if we security practitioners could keep security on the minds of employees all the time?  What if there was an easy way to keep people focused and thinking about the dangers of phishing emails, malicious websites and generally being more pro-security?   Sounds great right?  Where do I sign up?    Haha!  If it were only that easy!

Combining that need with some of the motivators I've experienced over the years gave me an idea: what if the 'free stuff' phenomenon could actually drive down my phishing click rate? Jeez… if it worked, it would solve one of my main problems with security awareness (the 'awareness' part for about 10% of end users) and do it in a way that is positive all around! Although it's in its infancy, I've been experimenting with this new method of 'security through free stuff'. Here's how it works:

At security and IT conferences, I collect as much schwag (free promo materials) as I can, looking especially for the nice stuff (no offense to the pen-peddlers, but you guys really gotta up your game).  You know, Tshirts, cool laptop stickers, flashlights, rocketbooks, light sabers and other geeky stuff and gadgets.  Sign up for it all!  (then screen your calls for the next year…)  Then when I get back to the office, I give that stuff away like it were Aunt June’s fruitcake–but only after sneaking in a learning experience to unknowing end-users.   For example:

A recent email I sent to the IT group — ‘You can win this new cloud shaped stress ball, laptop sticker, pair of earbuds and a multi device charger if you answer the following question:   “According to Verizon’s 2017 Data Breach Executive Report ,  what percentage of breaches were caused by weak or stolen passwords?”‘

Have the target audience send you the answer and raffle the schwag, keep track of the names in a txt file, then paste them in and randomly select a winner on a random selector site like http://www.miniwebtool.com/random-name-picker/      In this case there are actually two answers, although they are very close to each other–probably a rounding error!   But for those who give two answers, you have to assume they read the article fairly closely.  winning…Winning…..

Another idea is to have people reply with one security issue they have noticed in their work environment, and have each offer a possible solution to mitigate it. This could work great for an IT team, because we all know of one area or another where there is a hidden risk that others may not be aware of. It also gives the security guy insight into the inner workings of every IT employee's area, including the risks and potential threats in their environment. Mmuuhhaahahah! Now you are getting it, right?

The great thing about this is it’s fun, it’s free and it disarms those people who are already grumpy about security by giving them something of apparent value for FREE!  The psychology behind this is fascinating.  Check out Rick Paulas’s column entitled “The Strange Effects of Free Stuff; How the allure of free tricks your mind into accepting irrational options”   In that article he talks about the ‘Zero Price Effect’.

“When people are offered something for free, they have this extreme positive reaction that clouds their judgment.”

Haha!  Clouds their judgment!  Hey, if that helps someone to NOT CLICK something, I’m all for it!

 

Hey y’all…If you’ve made it this far, maybe you’ve got an idea or two to share!  Share your ideas and suggestions below!  Or if you would just like to send me some schwag and help the cause, contact me privately: nerd at nerdosaur.com!

 

Add a Report Phishing Button in Outlook

Add a ‘report phishing’ button in Outlook; forward spam and phishing emails to your internal security team the right way!

  • NOTE:  This article has been updated with an additional easier option for building an enterprise-wide phishing button.  Check it out here.  

PhishMe offers a great solution for the enterprise with its anti-phishing training and phishing simulations. The service also provides an easy way for end users to report messages to their IT department and use them for statistical tracking. Their solution for end-user reporting is an Outlook add-in, providing a simple way for the end user to click a button to report messages. I wanted the same thing for my security program, but we didn't contract with PhishMe, so I needed another solution. I didn't want to enlist a developer to create an Outlook add-in button, so I came up with a relatively easy solution. If you are good at scripting or have some workstation management tools, this should be no problem to implement across the enterprise. Below are the steps you can use to reproduce a 'report phish' button in Outlook that automatically sends your security or IT department a full copy of the phishing emails. It does more than forward the email: it sends the junk mail as an attachment, preserving the message headers that will be needed for forensics.

 

  1. Install the Microsoft Junk Email Reporter add-in for Outlook 2010 or 2013. The download can be retrieved at https://www.microsoft.com/en-us/download/details.aspx?id=18275

  2. Open Outlook and verify you now see the junk options in the ribbon.


  3. Right-click a blank space in the ribbon and choose 'Customize Ribbon'. On the right side, under 'Customize the Ribbon', select Main Tabs and expand the Home (Mail) tab. Click the 'New Group' button and rename it to something useful, such as 'report junk' or 'report phish'.

 

  4. Next, select the 'Report Junk' command on the left side and add it to the 'report phish' group you just created by clicking the 'Add >>' button. Rename it and give it an icon of your choice. You should now have a new icon in your main mailbox view that you can use to report junk. By default, the add-in only reports the junk to Microsoft; however, with a registry hack you can blind-copy (Bcc) an email address of your choice. The full junk mail message is sent as an attachment, with all the header information that a forwarded message loses. This works great for sending to an IT department or a security operations center (SOC).


Your Outlook ribbon should now look similar to this:


 

  5. How to report phishing to your IT department across the enterprise. If you want the junk email reporter to copy your IT department, add the destination email address to the registry using the following registry key. (Typical registry hack warning here: don't do this if you don't know what you are doing.) You can also copy the following lines and create your own .reg file; I'll leave that up to you. Replace the email address with the address that should receive a copy of the message.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Junk E-mail Reporting\Addins]
"BccEmailAddress"="phishy@yourdomainhere.com"

(Wow6432Node is the 32-bit view of the registry on 64-bit Windows, which is where a 32-bit Office install looks for this key.)

  6. (Optional) Open an email in Outlook. Since Outlook uses a separate ribbon for this view, you can put the new button in the mail-read view too. Repeat steps 3-4 to create a button in the mail-read view if you choose.

 

  7. Now that you have created the new buttons, test them using an email address of your choice.

 

  8. If you want to apply this to multiple computers across the enterprise, there are several ways you can do it: use a script, SCCM or a workstation admin tool of your choice. Make sure the following requirements are met on your PCs and you should be good to go:
    1. Verify that the Junk Email Reporting add-in is installed.
    2. Copy the .reg file from step 5 to all computers, or manually edit the registry with the email address you want the junk email copied to.
    3. From your working test computer, find the files olkexplorer.officeUI and olkmailread.officeUI in C:\Users\%username%\AppData\Local\Microsoft\Office\. These files contain the ribbon customization you just created. Copy them into each user's profile, overwriting the files that are currently there. *Note: this may delete previously created custom ribbons if they exist. It may be a good idea to rename the old files first.
    4. Restart Outlook.
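The enterprise rollout steps above in one script, as an added example that is not part of the original article: it sets the BccEmailAddress value (creating the key if needed and reading it back as a check), copies the two ribbon files into every real user profile on the PC while keeping a .bak of any existing customization, and warns if Outlook is open. It assumes the .officeUI files were exported from the working test machine to C:\Deploy and that phishy@yourdomainhere.com is a placeholder for your reporting mailbox; run it elevated through SCCM, a startup script or whatever tool you use.

```powershell
# Added example, not from the original article. Run as administrator on each PC.
# Assumptions: ribbon files staged in C:\Deploy; phishy@yourdomainhere.com is
# a placeholder for the mailbox that should receive the Bcc copies.

$bccAddress  = 'phishy@yourdomainhere.com'
# Wow6432Node = 32-bit registry view, matching the 32-bit Office the article uses.
$regPath     = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Junk E-mail Reporting\Addins'
$sourceDir   = 'C:\Deploy'
$ribbonFiles = @('olkexplorer.officeUI', 'olkmailread.officeUI')

# 1) Registry: create the key if missing, set the Bcc address, read it back.
if (-not (Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}
New-ItemProperty -Path $regPath -Name 'BccEmailAddress' -Value $bccAddress `
    -PropertyType String -Force | Out-Null
$actual = (Get-ItemProperty -Path $regPath -Name 'BccEmailAddress').BccEmailAddress
if ($actual -ne $bccAddress) { throw "BccEmailAddress not set (got '$actual')" }

# 2) Ribbon files: copy into each real user profile, backing up any existing
#    customization so nothing is lost silently (the step-3 warning above).
$profiles = Get-ChildItem -Path 'C:\Users' -Directory |
    Where-Object { $_.Name -notin @('Public', 'Default', 'Default User', 'All Users') }

foreach ($profile in $profiles) {
    $target = Join-Path $profile.FullName 'AppData\Local\Microsoft\Office'
    if (-not (Test-Path $target)) { continue }     # this user never ran Office here
    foreach ($file in $ribbonFiles) {
        $dest = Join-Path $target $file
        if (Test-Path $dest) {
            Move-Item -Path $dest -Destination "$dest.bak" -Force
        }
        Copy-Item -Path (Join-Path $sourceDir $file) -Destination $dest
        "Deployed $file to $($profile.Name)"
    }
}

# 3) Outlook reads the ribbon files at startup; don't kill it mid-draft, just warn.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    Write-Warning 'Outlook is running; the new button appears after the user restarts it.'
}
```

Profiles that have never started Office are skipped on purpose: Outlook creates the Office folder on first run, and dropping files into a profile that lacks it gains nothing.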

I’ve noticed that this does not work in 64bit Office installs, I assume this has something to do with the junk email reporting add-in.  These instructions will work with Windows 7 and office 2010, and 2013.    It takes a little effort to get this working enterprise-wide, but when combined with security training and phishing simulations it gives you some great information on how end-users react to phishing emails.  It also empowers the end-user.  They are now becoming part of the solution, instead of part of the problem.

I really like to hear from you!  Let me know if you try this, or if you have any other solutions to make life a little better while fighting spam and phish attacks!

If you want to better understand the adversary, Brian Krebs has a great book called Spam Nation.  I highly recommend a read through.  The book is available through Amazon and the affiliate link is below.

NOTE:  This article has been updated with an additional easier option for building an enterprise-wide phishing button.  Check it out here.