outlook_plugin_phishing_incidents
Differences
This shows you the differences between two versions of the page.
outlook_plugin_phishing_incidents [2019/05/27 14:52] – [Download Office365 Plugin & Deployment] lucy | outlook_plugin_phishing_incidents [2019/09/14 13:47] – [Configuration] lucy | ||
---|---|---|---|
Line 27: | Line 27: | ||
The configuration of the plugin and phishing incidents is done within the settings menu (admin/ | The configuration of the plugin and phishing incidents is done within the settings menu (admin/ | ||
- | * MSI Installer | ||
* Custom Rules (create special rules with Regex filters to flag emails) | * Custom Rules (create special rules with Regex filters to flag emails) | ||
* Score Factors (adjust the scores for specific incident events) | * Score Factors (adjust the scores for specific incident events) | ||
+ | * Abuse | ||
+ | * Autoresponder | ||
+ | * Plugin settings | ||
- | {{ dl_ot3.png?400 }} | + | {{ : |
+ | You can make multiple configurations and use them for different customers or organizational units. Please create a configuration, | ||
+ | **Plugin settings**: The following settings can be configured (this is a small selection; every LUCY release has its own settings. Please contact us for a full configuration tutorial): | ||
- | **MSI Installer Settings**: The following settings can be configured (this is a small selection; every LUCY release has its own settings. Please contact us for a full configuration tutorial): | + | {{ :plugin_settings_1.png?600 |}} |
- | + | {{ : | |
- | {{ all_settings_button.png?600 }} | + | |
==== Appearance Settings ==== | ==== Appearance Settings ==== | ||
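Review bot: The three bullets added to the settings list ("Abuse", "Autoresponder", "Plugin settings") carry no description, while the neighbouring "Custom Rules" and "Score Factors" entries each explain themselves in parentheses. Add a short parenthetical to each new bullet so a reader knows what that section configures before opening it.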
Line 64: | Line 67: | ||
^ Setting Name ^ Description ^ Outlook (MSI) ^ Office365 (XML) ^ Gmail ^ | ^ Setting Name ^ Description ^ Outlook (MSI) ^ Office365 (XML) ^ Gmail ^ | ||
| Send Reports Over HTTP | Enable this option, if you want the Outlook Plugin to send a copy of the reported phishing mail to LUCY (does not include emails from phishing simulations) and additionally add the statistical info about reported phishing emails to LUCY. | + | + | + | | | Send Reports Over HTTP | Enable this option, if you want the Outlook Plugin to send a copy of the reported phishing mail to LUCY (does not include emails from phishing simulations) and additionally add the statistical info about reported phishing emails to LUCY. | + | + | + | | ||
- | | Send Reports | + | | Send Reports |
| Use SMTP for receiving incident reports on Lucy| if enabled, Lucy will suppose it has to intercept emails that plugin sends over SMTP, so it configures the local postfix accordingly. All emails received will be added to incidents. If you do not enable this, even if the email configured points to Lucy, nothing will happen - Lucy won't wait for reports over SMTP. | + | + | + | | | Use SMTP for receiving incident reports on Lucy| if enabled, Lucy will suppose it has to intercept emails that plugin sends over SMTP, so it configures the local postfix accordingly. All emails received will be added to incidents. If you do not enable this, even if the email configured points to Lucy, nothing will happen - Lucy won't wait for reports over SMTP. | + | + | + | | ||
| Never report phishing simulations| No reports will be sent over SMTP if user reports a simulation email generated by Lucy. So the plugin will send only "real phishing" | | Never report phishing simulations| No reports will be sent over SMTP if user reports a simulation email generated by Lucy. So the plugin will send only "real phishing" | ||
+ | | Send phishing simulations over HTTP| If the option is enabled, the plugin will send reports regarding phishing simulations to LUCY via HTTP. | + | + | - | | ||
| Use X-Headers in Forwarded Emails| If true, the plugin will make the following changes in the email forwarded over SMTP:\\ * Add a new header X-CI-Report: | | Use X-Headers in Forwarded Emails| If true, the plugin will make the following changes in the email forwarded over SMTP:\\ * Add a new header X-CI-Report: | ||
| Inline Message Forwarding | If true, the plugin will clear the body of the forwarded email when sending the report via SMTP. | + | + | - | | | Inline Message Forwarding | If true, the plugin will clear the body of the forwarded email when sending the report via SMTP. | + | + | - | | ||
| Deeper Analysis Request | If true, the plugin will ask the user whether to request deeper analysis of the reported phishing mail. | + | + | - | | | Deeper Analysis Request | If true, the plugin will ask the user whether to request deeper analysis of the reported phishing mail. | + | + | - | | ||
+ | | Send reported mail attachment in EML format | Reported email message will be sent as an *.eml attachment. | + | + | + | | ||
+ | | Disable Autoresponder for reports | If true, LUCY will not send an automatic email to a user as a reaction to report. | + | + | + | | ||
| Notify of Expired Incidents | Check this to receive notification if there are reports older than 30 days. This notification will be delivered via email. | + | + | + | | | Notify of Expired Incidents | Check this to receive notification if there are reports older than 30 days. This notification will be delivered via email. | + | + | + | | ||
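Review bot: The new "Send phishing simulations over HTTP" row does not say how it interacts with the two existing rows it overlaps: "Send Reports Over HTTP" is documented as excluding emails from phishing simulations, and "Never report phishing simulations" covers only SMTP. State whether the new option requires "Send Reports Over HTTP" to be enabled and whether it sends the mail copy or only the statistics. The "Send reported mail attachment in EML format" row should likewise name the transport it applies to (HTTP reports, SMTP reports or both) and say what format is used when it is off.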
Line 84: | Line 90: | ||
Once you configured the plugin in the LUCY UI and install it, you will notice that the settings can be viewed or changed locally: | Once you configured the plugin in the LUCY UI and install it, you will notice that the settings can be viewed or changed locally: | ||
- | {{ settings_local_ou.png?300 }} | + | {{ : |
**Known Issues**: if you use SMTP for receiving incident reports on Lucy within the incidents, Lucy will intercept all your emails to the domain specified. If you use example.com as a domain for receiving the incidents in LUCY, the internal Postfix server will be listening for this domain for incoming mails. If you now start at the same time a phishing or awareness campaign and try to send your emails to " | **Known Issues**: if you use SMTP for receiving incident reports on Lucy within the incidents, Lucy will intercept all your emails to the domain specified. If you use example.com as a domain for receiving the incidents in LUCY, the internal Postfix server will be listening for this domain for incoming mails. If you now start at the same time a phishing or awareness campaign and try to send your emails to " | ||
Line 92: | Line 97: | ||
===== Download Outlook Plugin & Deployment ===== | ===== Download Outlook Plugin & Deployment ===== | ||
- | The deployment can be done via MSI file which can be downloaded after the initial configuration under the " | + | The deployment can be done via MSI file which can be downloaded after the initial configuration under the " |
+ | |||
+ | {{ out_dl.png? | ||
+ | |||
+ | The assignment to the client can be used in the user interface to sort or filter incidents: | ||
+ | |||
+ | {{ cl_out_a.png? | ||
+ | |||
+ | The plugin installer needs user to have read and write access at least to keys under HKCU (current user). | ||
+ | |||
+ | {{ download_plugin_1.png? | ||
- | {{ : | ||
User Wide plugin will affect only one user of a particular PC. | User Wide plugin will affect only one user of a particular PC. | ||
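Review bot: The added sentence "The plugin installer needs user to have read and write access at least to keys under HKCU (current user)" is too vague to act on when preparing a locked-down deployment: it names no key path and does not say whether it applies only to the User Wide install described in the line that follows or to every install type. Name the keys the installer writes, state which install type the requirement covers, and change the wording to "requires the user to have".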
Line 172: | Line 186: | ||
* **Dashboard Filter:** LUCY allows you to filter the incoming mails on the dashboard: | * **Dashboard Filter:** LUCY allows you to filter the incoming mails on the dashboard: | ||
- | {{ dl_ot2.png?600 }} | + | {{ :status.png? |
* **Centralized Analysis:** This feature allows you to analyse the incoming mails manually or automatically (see next chapter) | * **Centralized Analysis:** This feature allows you to analyse the incoming mails manually or automatically (see next chapter) | ||
Line 196: | Line 210: | ||
* Incident tab: | * Incident tab: | ||
- | {{ incident-dashboardssa.png?600 }} | + | {{ : |
* Under the campaign statistics (recipients) under the " | * Under the campaign statistics (recipients) under the " | ||
Line 213: | Line 227: | ||
Once the mail has been reported by the user it will popup as an incident in LUCY in case you have enabled the HTTP option in LUCY. There are a few automatic analysis routines build into LUCY (e.g. check an IP in Google' | Once the mail has been reported by the user it will popup as an incident in LUCY in case you have enabled the HTTP option in LUCY. There are a few automatic analysis routines build into LUCY (e.g. check an IP in Google' | ||
- | LUCY will automatically flag mail simulations. All other mails can then be manually verified by the administrator. All mails can be downloaded as .msg file and/or add an incident report. When you click on a reported mail you will first see the overall risk score. The overall risk score is a weighted average of the following score from different scans: | + | LUCY will automatically flag mail simulations. All other mails can then be manually verified by the administrator. All mails can be downloaded as .msg or .eml file and/or add an incident report. |
+ | |||
+ | {{ : | ||
+ | {{ : | ||
+ | |||
+ | When you click on a reported mail you will first see the overall risk score. The overall risk score is a weighted average of the following score from different scans: | ||
* Header Analysis | * Header Analysis |
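Review bot: In the reworded sentence "All mails can be downloaded as .msg or .eml file and/or add an incident report", the second half has no subject, so it is unclear who adds the incident report and to what. Split it into two sentences, and say when a mail is available as .eml rather than .msg, for example whether that depends on the "Send reported mail attachment in EML format" setting. In the relocated sentence, "the following score" should read "the following scores".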
outlook_plugin_phishing_incidents.txt · Last modified: 2021/09/24 13:18 by lucysecurity