
Phishing Campaign

The Phishing Campaign pack enables you to find, create and manage phishing campaigns. A phishing campaign is a collection of phishing incidents that originate from the same attacker, or as part of the same organized attack launched against multiple users.

Because a phishing campaign is made up of phishing incidents that resemble each other, it is important to detect them, create the links between them, and look at them as a whole rather than spend time investigating each incident separately. To see how to set up a phishing incident generally in Cortex XSOAR, go to the Phishing Use Case Tutorial.

How It Works

The following flow chart describes the architecture of phishing campaigns in Cortex XSOAR:

[Image: phishing campaign flow chart]

Included in this content pack is the Detect & Manage Phishing Campaigns playbook. Use this playbook in the Phishing Investigation Generic V2 playbook, or use it in your custom phishing playbook. As part of the phishing incident, the playbook does the following:

  • Finds and links related incidents to the same phishing attack (a phishing campaign).
  • Searches for an existing Phishing Campaign incident or creates a new incident for the linked Phishing incidents.
  • Links all detected phishing incidents to the Phishing Campaign incident that was found or that was previously created.
  • Updates the Phishing Campaign incident with the latest data about the campaign, and also updates all related phishing incidents to indicate that they are part of the campaign.

In This Pack

The Phishing Campaign content pack contains several content items.

Automations

  • FindEmailCampaign Automation

    The FindEmailCampaign automation iterates over previous and existing phishing incidents and uses machine learning to detect similar phishing incidents. Incidents may be deemed similar if their email subject or email body have textual similarities. The automation outputs to the context the details of the incidents found to be part of the campaign, and populates incident fields with summary information about the campaign.

    The automation can also be customized to meet different criteria (for example, if your email information is mapped into different fields, if your incident type has a different name, or if the similarity by which incidents are searched is too lenient or too strict). It can be run on its own to detect phishing campaigns, but to fully detect and manage campaigns, use the Detect & Manage Phishing Campaigns playbook.

  • IsIncidentPartOfCampaign Automation

    The IsIncidentPartOfCampaign automation takes the list of incidents detected as similar by the FindEmailCampaign automation and checks whether one of them is already linked to a Phishing Campaign incident. If so, it outputs the ID of that incident so that all the similar phishing incidents can be linked to it. In this way the automation determines whether an existing campaign incident can be reused or a new one needs to be created.

Playbooks

Detect & Manage Phishing Campaigns

The Detect & Manage Phishing Campaigns playbook uses the FindEmailCampaign automation to detect phishing campaigns.

If incidents belonging to a campaign are detected, the playbook checks whether the incidents are already linked to a Phishing Campaign incident. If so, the currently investigated incident is also added to that campaign incident. If not, a new Phishing Campaign incident is created, and all similar incidents are linked to it.

In addition, because the FindEmailCampaign automation runs on the current phishing incident, the playbook takes the context and incident fields set by the automation and updates the Phishing Campaign incident with that data, so that it contains the most up-to-date information about the phishing incidents.

The playbook marks all the similar phishing incidents as belonging to the detected Phishing Campaign incident by setting their Part Of Campaign incident field to the ID of the Phishing Campaign incident:

[Image: Part Of Campaign field set in a phishing incident]
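The decision the playbook makes at this point (reuse an existing campaign incident if any similar incident already carries one, otherwise create a new one, then stamp every similar incident) is illustrated below with an added example. This is not the pack's own code and does not call the Cortex XSOAR API; the incident dictionaries, field names (`partofcampaign`, `emailfrom`, `created`) and the campaign summary values are constructed stand-ins for the fields the automation would read.

```python
from datetime import datetime

# Constructed sample of "similar incidents" as FindEmailCampaign might return them,
# reduced to the fields this example needs. Field names are hypothetical.
SIMILAR_INCIDENTS = [
    {"id": "101", "severity": 2, "emailfrom": "a@example.test",
     "created": "2024-03-01T09:00:00", "partofcampaign": ""},
    {"id": "102", "severity": 3, "emailfrom": "B@example.test",
     "created": "2024-03-01T11:30:00", "partofcampaign": "900"},
    {"id": "103", "severity": 1, "emailfrom": "a@example.test",
     "created": "2024-03-02T08:15:00", "partofcampaign": ""},
]

SEVERITY_NAMES = {0: "Unknown", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def find_existing_campaign(incidents):
    """Mirror the IsIncidentPartOfCampaign decision: return the campaign incident
    ID if any similar incident already carries one, otherwise None. If the incidents
    point at more than one campaign, raise instead of silently merging two campaigns
    so an analyst can reconcile them."""
    ids = {inc["partofcampaign"] for inc in incidents if inc.get("partofcampaign")}
    if len(ids) > 1:
        raise ValueError(f"conflicting campaign links: {sorted(ids)}")
    return ids.pop() if ids else None


def link_to_campaign(incidents, campaign_id):
    """Set Part of Campaign on every similar incident, as the playbook does."""
    for inc in incidents:
        inc["partofcampaign"] = campaign_id
    return incidents


def campaign_summary(incidents):
    """Summary values of the kind shown in the Campaign Overview dynamic sections."""
    times = [datetime.fromisoformat(inc["created"]) for inc in incidents]
    return {
        "HighestSeverity": SEVERITY_NAMES[max(inc["severity"] for inc in incidents)],
        # Sender addresses are compared case-insensitively.
        "UniqueSenders": len({inc["emailfrom"].lower() for inc in incidents}),
        "CampaignDurationMinutes": int((max(times) - min(times)).total_seconds() // 60),
        "IncidentCount": len(incidents),
    }


if __name__ == "__main__":
    campaign = find_existing_campaign(SIMILAR_INCIDENTS) or "NEW-CAMPAIGN-ID"  # placeholder
    link_to_campaign(SIMILAR_INCIDENTS, campaign)
    print(campaign, campaign_summary(SIMILAR_INCIDENTS))
```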

Incident Types

Phishing Campaign incident type

Incident Fields

  • Actions on Campaign Incidents
  • Campaign Close Notes
  • Campaign Duration
  • Campaign Email Body
  • Campaign Email Subject
  • Campaign Email To
  • EmailCampaignSnippets
  • EmailCampaignCanvas
  • EmailCampaignMutualIndicators
  • EmailCampaignSummary
  • Is Phishing Campaign
  • Part of Campaign
  • Select Campaign Incidents

Layouts

After the Detect & Manage Phishing Campaigns playbook runs and finds a phishing campaign, the Phishing incident continues to run as usual. In the Investigation tab of the incident, you can see a link to the Phishing Campaign incident. This link enables the analyst to view the incident as part of a phishing campaign and take action.

[Image: link to the Phishing Campaign incident in the Investigation tab]

The Phishing Campaign Incident layout contains the following additional tabs:

Campaign Overview tab

Gives the analyst an overview of the different elements of the campaign:

[Image: Campaign Overview tab]

Layout Section: Description

Campaign Summary: Includes information about the phishing incidents that make up the campaign. Some fields display, in parentheses, the number of phishing incidents in which each detail of the campaign was observed.

Campaign Snippet: Shows a short version of what the campaign email looks like.

Mutual Campaign Indicators: Mutual indicators from the phishing incidents that make up the campaign.

Dynamic Sections: On the right-hand side, you can see important information about the campaign incidents, such as Highest Severity, Unique Senders, Campaign Duration, etc. NOTE: If any of the dynamic sections are empty, it is because the context is missing. This happens when the FindEmailCampaign automation is run without the necessary fieldsToDisplay arguments, or without setting the context in the Phishing Campaign incident. It should work out of the box if the Detect & Manage Phishing Campaigns playbook is used.

Campaign Canvas: From Cortex XSOAR v6.1, a canvas of the campaign is supported, which can be accessed through the canvas section.

The Campaign Management tab

Enables the analyst to take batch actions:

[Image: Campaign Management tab]

Layout Section: Description

Similar Incidents: Displays the similar phishing incidents. The columns are the incident fields given in the fieldsToDisplay input of the Detect & Manage Phishing Campaigns playbook, so analysts can decide what to see about their related incidents.

Notify Recipients: Analysts can select which incidents and recipients to send an email to. The recipients from the incidents are auto-populated in the Campaign Email To field. Analysts can write an email and send it to the recipients directly from the layout.

Incident Actions: The related incidents can be linked (this happens automatically by default in the playbook), unlinked, closed and reopened.

Before You Start

Required Content Packs

  • Base
  • Common Playbooks
  • Common Scripts
  • Common Types
  • Phishing

Pack Configuration

Customize the playbook by changing the inputs of the Detect & Manage Phishing Campaigns playbook. All of the playbook inputs customize the execution of the FindEmailCampaign automation.