The Phishing Campaign pack enables you to find, create and manage phishing campaigns. A phishing campaign is a collection of phishing incidents that originate from the same attacker, or as part of the same organized attack launched against multiple users.
Because a campaign consists of phishing incidents that resemble each other, it is important to detect them, link them, and investigate them as a whole rather than spending time on each incident separately. To see how to set up a phishing incident generally in Cortex XSOAR, go to the Phishing Use Case Tutorial.
The following flow chart describes the architecture of phishing campaigns in Cortex XSOAR:
Included in this content pack is the Detect & Manage Phishing Campaigns playbook. Use this playbook in the Phishing Investigation Generic V2 playbook, or use it in your custom phishing playbook. As part of the phishing incident, the playbook does the following:
- Finds and links related incidents to the same phishing attack (a phishing campaign).
- Searches for an existing Phishing Campaign incident or creates a new incident for the linked Phishing incidents.
- Links all detected phishing incidents to the Phishing Campaign incident that was found or that was previously created.
- Updates the Phishing Campaign incident with the latest data about the campaign, and also updates all related phishing incidents to indicate that they are part of the campaign.
The Phishing Campaign content pack contains several content items.
The FindEmailCampaign automation iterates over existing phishing incidents, including ones from before the current incident, and uses machine learning to detect incidents that are similar to the one under investigation. Incidents are deemed similar when their email subject or email body is textually similar. The automation writes details about every incident found to be part of the campaign to the context, and populates incident fields with summary information about the campaign.
The automation can also be customized to meet different criteria: if your email information is mapped into different fields, if your incident type has a different name, or if the similarity threshold used to search for incidents is too lenient or too strict. It can be run on its own to detect phishing campaigns, but to fully detect and manage campaigns, use the Detect & Manage Phishing Campaigns playbook.
The IsIncidentPartOfCampaign automation takes the list of incidents that FindEmailCampaign detected as similar and checks whether any of them is already linked to a Phishing Campaign incident. If so, it outputs the ID of that campaign incident so that all the similar phishing incidents can be linked to it. This is how the playbook decides whether an existing campaign incident can be reused or a new one needs to be created.
The Detect & Manage Phishing Campaigns playbook uses the FindEmailCampaign automation to detect phishing campaigns.
If incidents belonging to a campaign are detected, the playbook checks whether the incidents are already linked to a Phishing Campaign incident. If so, the currently investigated incident is also added to that campaign incident. If not, a new Phishing Campaign incident is created, and all similar incidents are linked to it.
In addition, because the FindEmailCampaign automation runs on the current phishing incident, the playbook takes the context and incident fields set by the automation and updates the Phishing Campaign incident with that data, so that it always contains the most up-to-date information about the phishing incidents.
The playbook marks all the similar Phishing incidents as belonging to the detected Phishing Campaign incident by setting the Part Of Campaign incident field in each phishing incident to the ID of the phishing campaign incident.
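The flow described above (find similar incidents, reuse or create the campaign incident, stamp every member with the campaign ID, build the summary) as an added, runnable model. This is example code written for this page, not the pack's own automations: the pack uses machine learning over subject and body, whereas this stand-in uses a plain bag-of-words cosine similarity, and the field names (`emailsubject`, `emailbody`, `emailfrom`, `emailto`, `partofcampaign`), the keyword arguments that stand in for the customization knobs the text mentions (field mapping, incident type name, similarity strictness), and all sample incidents are assumptions constructed for the example.

```python
"""Added example: a self-contained model of the Detect & Manage Phishing Campaigns flow.
Not the pack's code; field names, knob names and sample incidents are assumed."""
import math
import re
from collections import Counter
from copy import deepcopy
from datetime import datetime

TOKEN_RE = re.compile(r"[a-z0-9]+")


def _vector(text):
    """Bag-of-words term frequencies: a crude stand-in for the pack's ML similarity."""
    return Counter(TOKEN_RE.findall(text.lower()))


def cosine_similarity(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


def find_email_campaign(current, incidents, incident_type="Phishing",
                        subject_field="emailsubject", body_field="emailbody",
                        threshold=0.8, min_incidents=2):
    """Return (score, incident) pairs for incidents textually similar to `current`.
    The keyword arguments model the kinds of knobs the text says FindEmailCampaign
    exposes (field mapping, incident type name, strictness); the names are hypothetical."""
    ref = _vector(f"{current[subject_field]} {current[body_field]}")
    similar = []
    for inc in incidents:
        if inc["id"] == current["id"] or inc["type"] != incident_type:
            continue  # skip the incident itself and non-phishing incident types
        score = cosine_similarity(ref, _vector(f"{inc[subject_field]} {inc[body_field]}"))
        if score >= threshold:
            similar.append((round(score, 3), inc))
    # Only call it a campaign when enough incidents look alike.
    return similar if len(similar) >= min_incidents else []


def is_incident_part_of_campaign(similar):
    """ID of the campaign incident any similar incident is already linked to, else None."""
    for _, inc in similar:
        if inc.get("partofcampaign"):
            return inc["partofcampaign"]
    return None


def campaign_summary(members):
    """Summary data of the kind the playbook writes into the Phishing Campaign incident."""
    created = [datetime.fromisoformat(m["created"]) for m in members]
    return {
        "incident_ids": sorted(m["id"] for m in members),
        "unique_senders": sorted({m["emailfrom"] for m in members}),
        "recipients": sorted({m["emailto"] for m in members}),
        "highest_severity": max(m["severity"] for m in members),
        "duration_hours": round((max(created) - min(created)).total_seconds() / 3600, 2),
        # number of incidents each subject was seen in, like the layout's "(n)" counts
        "subject_counts": dict(Counter(m["emailsubject"] for m in members)),
    }


def detect_and_manage(current, incidents, next_campaign_id="C-NEW", **kwargs):
    """Model of the playbook: find similar incidents, reuse or create the campaign
    incident, then set every member's Part Of Campaign field to the campaign ID."""
    similar = find_email_campaign(current, incidents, **kwargs)
    if not similar:
        return {"action": "no_campaign", "campaign_id": None, "members": []}
    existing = is_incident_part_of_campaign(similar)
    action = "link_to_existing" if existing else "create_new"
    campaign_id = existing or next_campaign_id
    members = [deepcopy(current)] + [deepcopy(inc) for _, inc in similar]
    for m in members:
        m["partofcampaign"] = campaign_id  # what the playbook writes back to each incident
    return {"action": action, "campaign_id": campaign_id,
            "members": members, "summary": campaign_summary(members)}


# Constructed sample incidents (not real data). 102 is already linked to campaign 900;
# 104 is an unrelated phishing incident; 106 has the same text but a different type.
BODY = "Your mailbox is almost full. Click the link to verify your account within 24 hours."
INCIDENTS = [
    {"id": "101", "type": "Phishing", "severity": 2, "partofcampaign": "", "created": "2024-03-04T09:12:00",
     "emailfrom": "it-support@example-mail.test", "emailto": "alice@corp.example",
     "emailsubject": "Action required: verify your mailbox", "emailbody": BODY},
    {"id": "102", "type": "Phishing", "severity": 3, "partofcampaign": "900", "created": "2024-03-04T10:40:00",
     "emailfrom": "helpdesk@example-mail.test", "emailto": "bob@corp.example",
     "emailsubject": "Action required: verify your mailbox now",
     "emailbody": "Your mailbox is almost full. Click the link below to verify your account within 24 hours."},
    {"id": "103", "type": "Phishing", "severity": 2, "partofcampaign": "", "created": "2024-03-05T08:05:00",
     "emailfrom": "it-support@example-mail.test", "emailto": "carol@corp.example",
     "emailsubject": "Verify your mailbox",
     "emailbody": "Your mailbox is almost full. Click the link to verify your account today."},
    {"id": "104", "type": "Phishing", "severity": 1, "partofcampaign": "", "created": "2024-03-05T09:00:00",
     "emailfrom": "billing@vendor.test", "emailto": "dave@corp.example",
     "emailsubject": "Invoice 4471 overdue",
     "emailbody": "Please find attached the overdue invoice and remit payment."},
    {"id": "106", "type": "Malware", "severity": 2, "partofcampaign": "", "created": "2024-03-05T10:00:00",
     "emailfrom": "it-support@example-mail.test", "emailto": "erin@corp.example",
     "emailsubject": "Action required: verify your mailbox", "emailbody": BODY},
]
CURRENT = {"id": "105", "type": "Phishing", "severity": 2, "partofcampaign": "", "created": "2024-03-05T14:30:00",
           "emailfrom": "it-support@example-mail.test", "emailto": "dave@corp.example",
           "emailsubject": "Action required: verify your mailbox", "emailbody": BODY}

if __name__ == "__main__":
    result = detect_and_manage(CURRENT, INCIDENTS)
    print(result["action"], result["campaign_id"], result["summary"])
```

Running the block as-is links incident 105 to the existing campaign incident 900 because 102 already carries that ID; clearing 102's Part Of Campaign field makes the same call create a new campaign instead, and raising `threshold` so that fewer than `min_incidents` neighbours remain yields no campaign at all, which is the "too strict" failure mode the customization note warns about.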
Incident type
- Phishing Campaign

Incident fields
- Actions on Campaign Incidents
- Campaign Close Notes
- Campaign Duration
- Campaign Email Body
- Campaign Email Subject
- Campaign Email To
- Is Phishing Campaign
- Part of Campaign
- Select Campaign Incidents
After the Detect & Manage Phishing Campaigns playbook runs and finds a phishing campaign, the Phishing incident continues to run as usual. In the Investigation tab of the incident, you can see a link to the Phishing Campaign incident, which lets the analyst view the incident as part of a phishing campaign and take action on the campaign as a whole.
The Phishing Campaign Incident layout contains the following additional tabs:
Campaign Overview tab
Gives the analyst an overview of the different elements of the campaign:

| Section | Description |
|---|---|
| Campaign Summary | Information about the phishing incidents that make up the campaign. Some fields show, in parentheses, the number of phishing incidents in which each detail of the campaign was observed. |
| Campaign Snippet | A short preview of what the campaign email looks like. |
| Mutual Campaign Indicators | Indicators shared by the phishing incidents that make up the campaign. |
| Dynamic sections | On the right-hand side, key information about the campaign incidents, such as Highest Severity, Unique Senders, Campaign Duration, etc. NOTE: If any of the dynamic sections are empty, it is because the context is missing. This happens when the FindEmailCampaign automation is run without the necessary |
| Campaign Canvas | From Cortex XSOAR v6.1, a canvas of the campaign is supported, accessible through the canvas section. |
The Campaign Management tab
Enables the analyst to take batch actions:

| Section | Description |
|---|---|
| Similar Incidents | Displays the similar phishing incidents. The columns are the same incident fields in the |
| Notify Recipients | Analysts can select which incidents, recipients, etc. to send an email to. The recipients from the incidents are auto-populated in the Campaign Email To field. Analysts can write an email and send it to the recipients directly from the layout. |
| Incident Actions | The related incidents can be linked (done automatically by default in the playbook), unlinked, closed and reopened. |
This pack depends on the following packs:
- Common Playbooks
- Common Scripts
- Common Types
Customize the playbook by changing the inputs of the Detect & Manage Phishing Campaigns playbook. All of the playbook inputs are passed through to the FindEmailCampaign automation and control how it runs.