outlook_plugin_phishing_incidents
Differences
This shows you the differences between two versions of the page.
outlook_plugin_phishing_incidents [2019/01/16 18:13] – [Upcoming Features] lucy | outlook_plugin_phishing_incidents [2019/08/13 16:24] – [Behavior Settings] lucy | ||
---|---|---|---|
Line 27: | Line 27: | ||
The configuration of the plugin and phishing incidents is done within the settings menu (admin/ | The configuration of the plugin and phishing incidents is done within the settings menu (admin/ | ||
- | * MSI Installer | ||
* Custom Rules (create special rules with Regex filters to flag emails) | * Custom Rules (create special rules with Regex filters to flag emails) | ||
* Score Factors (adjust the scores for specific incident events) | * Score Factors (adjust the scores for specific incident events) | ||
+ | * Abuse | ||
+ | * Autoresponder | ||
+ | * Plugin settings | ||
- | {{ dl_ot3.png?600 }} | + | {{ : |
+ | **Plugin settings**: The following settings can be configured (this is a small selection; every LUCY release has its own settings. Please contact us for a full configuration tutorial): | ||
- | + | {{ :plugin_settings_1.png?600 |}} | |
- | **MSI Installer Settings**: The following settings can be configured (this is a small selection; every LUCY release has its own settings. Please contact us for a full configuration tutorial): | + | {{ : |
- | + | ||
- | {{ all_settings_button.png?600 }} | + | |
==== Appearance Settings ==== | ==== Appearance Settings ==== | ||
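Review bot: The added list items "Abuse" and "Autoresponder" carry no explanation, while the neighbouring "Custom Rules" and "Score Factors" entries each say in parentheses what they configure. Add a short parenthetical to each new item so the settings menu list stays consistent and an administrator can tell what each entry controls without opening it.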
Line 64: | Line 65: | ||
^ Setting Name ^ Description ^ Outlook (MSI) ^ Office365 (XML) ^ Gmail ^ | ^ Setting Name ^ Description ^ Outlook (MSI) ^ Office365 (XML) ^ Gmail ^ | ||
| Send Reports Over HTTP | Enable this option, if you want the Outlook Plugin to send a copy of the reported phishing mail to LUCY (does not include emails from phishing simulations) and additionally add the statistical info about reported phishing emails to LUCY. | + | + | + | | | Send Reports Over HTTP | Enable this option, if you want the Outlook Plugin to send a copy of the reported phishing mail to LUCY (does not include emails from phishing simulations) and additionally add the statistical info about reported phishing emails to LUCY. | + | + | + | | ||
- | | Send Reports | + | | Send Reports |
| Use SMTP for receiving incident reports on Lucy| if enabled, Lucy will suppose it has to intercept emails that plugin sends over SMTP, so it configures the local postfix accordingly. All emails received will be added to incidents. If you do not enable this, even if the email configured points to Lucy, nothing will happen - Lucy won't wait for reports over SMTP. | + | + | + | | | Use SMTP for receiving incident reports on Lucy| if enabled, Lucy will suppose it has to intercept emails that plugin sends over SMTP, so it configures the local postfix accordingly. All emails received will be added to incidents. If you do not enable this, even if the email configured points to Lucy, nothing will happen - Lucy won't wait for reports over SMTP. | + | + | + | | ||
| Never report phishing simulations| No reports will be sent over SMTP if user reports a simulation email generated by Lucy. So the plugin will send only "real phishing" | | Never report phishing simulations| No reports will be sent over SMTP if user reports a simulation email generated by Lucy. So the plugin will send only "real phishing" | ||
+ | | Send phishing simulations over HTTP| If the option is enabled, the plugin will send reports regarding phishing simulations to LUCY via HTTP. | + | + | - | | ||
| Use X-Headers in Forwarded Emails| If true, the plugin will make the following changes in the email forwarded over SMTP:\\ * Add a new header X-CI-Report: | | Use X-Headers in Forwarded Emails| If true, the plugin will make the following changes in the email forwarded over SMTP:\\ * Add a new header X-CI-Report: | ||
| Inline Message Forwarding | If true, the plugin will clear the body of the forwarded email when sending the report via SMTP. | + | + | - | | | Inline Message Forwarding | If true, the plugin will clear the body of the forwarded email when sending the report via SMTP. | + | + | - | | ||
| Deeper Analysis Request | If true, the plugin will ask the user whether to request deeper analysis of the reported phishing mail. | + | + | - | | | Deeper Analysis Request | If true, the plugin will ask the user whether to request deeper analysis of the reported phishing mail. | + | + | - | | ||
+ | | Send reported mail attachment in EML format | Reported email message will be sent as an *.eml attachment. | + | + | + | | ||
+ | | Disable Autoresponder for reports | If true, LUCY will not send an automatic email to a user as a reaction to report. | + | + | + | | ||
| Notify of Expired Incidents | Check this to receive notification if there are reports older than 30 days. This notification will be delivered via email. | + | + | + | | | Notify of Expired Incidents | Check this to receive notification if there are reports older than 30 days. This notification will be delivered via email. | + | + | + | | ||
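Review bot: The new "Send phishing simulations over HTTP" row does not say how it relates to the existing rows about simulations: "Send Reports Over HTTP" states that it "does not include emails from phishing simulations", and "Never report phishing simulations" covers reports over SMTP. State in the new row's description whether it depends on "Send Reports Over HTTP" being enabled, so an administrator can tell which combination sends simulation reports to LUCY and over which channel. The added rows also mix "If the option is enabled" with "If true"; pick one wording for the table.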
Line 84: | Line 88: | ||
Once you configured the plugin in the LUCY UI and install it, you will notice that the settings can be viewed or changed locally: | Once you configured the plugin in the LUCY UI and install it, you will notice that the settings can be viewed or changed locally: | ||
- | {{ settings_local_ou.png?600 }} | + | {{ : |
**Known Issues**: if you use SMTP for receiving incident reports on Lucy within the incidents, Lucy will intercept all your emails to the domain specified. If you use example.com as a domain for receiving the incidents in LUCY, the internal Postfix server will be listening for this domain for incoming mails. If you now start at the same time a phishing or awareness campaign and try to send your emails to " | **Known Issues**: if you use SMTP for receiving incident reports on Lucy within the incidents, Lucy will intercept all your emails to the domain specified. If you use example.com as a domain for receiving the incidents in LUCY, the internal Postfix server will be listening for this domain for incoming mails. If you now start at the same time a phishing or awareness campaign and try to send your emails to " | ||
Line 94: | Line 97: | ||
The deployment can be done via MSI file which can be downloaded after the initial configuration under the " | The deployment can be done via MSI file which can be downloaded after the initial configuration under the " | ||
- | {{ dl_ot.png?600 }} | + | {{ download_plugin_1.png?600 }} |
+ | User Wide plugin will affect only one user of a particular PC. | ||
+ | Machine Wide plugin will be available for every user of a PC once it is installed. | ||
+ | Upon installation, | ||
===== Download Office365 Plugin & Deployment ===== | ===== Download Office365 Plugin & Deployment ===== | ||
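Review bot: The three lines added after the download screenshot ("User Wide plugin ...", "Machine Wide plugin ...", "Upon installation, ...") are consecutive lines with no blank line or list marker between them, so DokuWiki will render them as one run-on paragraph. Make the two install scopes list items, as the page does elsewhere, and put the "Upon installation" sentence in its own paragraph.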
Line 102: | Line 108: | ||
Outlook 365 sequence: | Outlook 365 sequence: | ||
+ | |||
+ | * **Individual installation** | ||
- go to incidents, press " | - go to incidents, press " | ||
- go to MS Outlook - https:// | - go to MS Outlook - https:// | ||
- | - press " | + | - open any email and press "Get Add-ins" |
- | - click "Click here to add a custom | + | - go to "My add-ins" |
- | - upload the XML you downloaded on step 1 | + | - go to Settings -> Customize actions, select the LUCY Add-In, press " |
- | - go to any email in your inbox, you will see a little | + | - Now in email panel, you will see a monkey |
- press the monkey and hit "Send Report" | - press the monkey and hit "Send Report" | ||
- on Macs the monkey will be visible on the ribbon menu | - on Macs the monkey will be visible on the ribbon menu | ||
- | {{ mac_button.png?600 }} | + | |
+ | {{ : | ||
+ | {{ : | ||
+ | |||
+ | |||
+ | * **Centralized O365 plugin installation for multiple users** | ||
+ | |||
+ | You can install the O365 plugin for multiple users in the Microsoft 365 admin center. | ||
+ | Detailed instruction how to do it is available on the Microsoft website: | ||
+ | |||
+ | https:// | ||
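Review bot: The removed step "upload the XML you downloaded on step 1" has no visible counterpart in the new individual-installation steps as shown here, which go from "Get Add-ins" to "My add-ins" to "Customize actions"; make sure one of the new steps says where the XML from step 1 is uploaded. In the centralized section, "Detailed instruction how to do it is available" should read "Detailed instructions on how to do this are available".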
Line 134: | Line 152: | ||
- Download Gmail plugin file from Lucy | - Download Gmail plugin file from Lucy | ||
- | | + | - Open Google Drive in a web browser, select the uploaded file, click on it with the right mouse button and choose "Open with" -> Connect more apps -> Search for "Google Apps Script" |
- | | + | - Right click on the file again, "Open with" -> Google Apps script |
- A new tab will open, there In main menu click " | - A new tab will open, there In main menu click " | ||
- The modal window will open, click "Get ID" in there | - The modal window will open, click "Get ID" in there | ||
- Copy the " | - Copy the " | ||
- | - Go to Gmail web application, | + | - Go to Gmail web application, |
- Enable "Allow add-ons for developers in this account" | - Enable "Allow add-ons for developers in this account" | ||
- Paste add-on' | - Paste add-on' | ||
- In the " | - In the " | ||
+ | {{ : | ||
+ | {{ : | ||
+ | {{ : | ||
+ | {{ : | ||
===== Where do you see the incidents reported by the users? ===== | ===== Where do you see the incidents reported by the users? ===== | ||
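Review bot: The rewritten second step tells the reader to "select the uploaded file" in Google Drive, but the only step before it is "Download Gmail plugin file from Lucy", and nothing says to upload that file to Google Drive. Add the upload as its own step between the two. The two rewritten steps also describe the same action differently ("click on it with the right mouse button" and "Right click"); use one form.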
Line 153: | Line 175: | ||
* **Dashboard Filter:** LUCY allows you to filter the incoming mails on the dashboard: | * **Dashboard Filter:** LUCY allows you to filter the incoming mails on the dashboard: | ||
- | {{ dl_ot2.png?600 }} | + | {{ :status.png? |
* **Centralized Analysis:** This feature allows you to analyse the incoming mails manually or automatically (see next chapter) | * **Centralized Analysis:** This feature allows you to analyse the incoming mails manually or automatically (see next chapter) | ||
Line 177: | Line 199: | ||
* Incident tab: | * Incident tab: | ||
- | {{ incident-dashboardssa.png?600 }} | + | {{ : |
* Under the campaign statistics (recipients) under the " | * Under the campaign statistics (recipients) under the " | ||
Line 194: | Line 216: | ||
Once the mail has been reported by the user it will popup as an incident in LUCY in case you have enabled the HTTP option in LUCY. There are a few automatic analysis routines build into LUCY (e.g. check an IP in Google' | Once the mail has been reported by the user it will popup as an incident in LUCY in case you have enabled the HTTP option in LUCY. There are a few automatic analysis routines build into LUCY (e.g. check an IP in Google' | ||
- | LUCY will automatically flag mail simulations. All other mails can then be manually verified by the administrator. All mails can be downloaded as .msg file and/or add an incident report. When you click on a reported mail you will first see the overall risk score. The overall risk score is a weighted average of the following score from different scans: | + | LUCY will automatically flag mail simulations. All other mails can then be manually verified by the administrator. All mails can be downloaded as .msg or .eml file and/or add an incident report. When you click on a reported mail you will first see the overall risk score. The overall risk score is a weighted average of the following score from different scans: |
* Header Analysis | * Header Analysis | ||
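Review bot: In the changed sentence "All mails can be downloaded as .msg or .eml file and/or add an incident report", the second half does not fit the passive "can be downloaded" and leaves it unclear who adds the report. Split it, for example: "All mails can be downloaded as a .msg or .eml file, and an incident report can be added."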
Line 243: | Line 265: | ||
url: https:// | url: https:// | ||
- | email: | + | email: |
message: Thanks. Your help is appreciated! | message: Thanks. Your help is appreciated! | ||
lucyMessage: | lucyMessage: |
outlook_plugin_phishing_incidents.txt · Last modified: 2021/09/24 13:18 by lucysecurity