outlook_plugin_phishing_incidents

Differences

This shows you the differences between two versions of the page.

outlook_plugin_phishing_incidents [2019/05/27 14:52]
lucy [Download Office365 Plugin & Deployment]
outlook_plugin_phishing_incidents [2019/09/14 13:47] (current)
lucy [Configuration]
Line 27: Line 27:
 The configuration of the plugin and phishing incidents is done within the settings menu (admin/​settings/​incident-settings) where you can define the settings for: The configuration of the plugin and phishing incidents is done within the settings menu (admin/​settings/​incident-settings) where you can define the settings for:
  
-  * MSI Installer 
   * Custom Rules (create special rules with Regex filters to flag emails)   * Custom Rules (create special rules with Regex filters to flag emails)
   * Score Factors (adjust the scores for specific incident events)   * Score Factors (adjust the scores for specific incident events)
 +  * Abuse
 +  * Autoresponder ​
 +  * Plugin settings
  
-{{ dl_ot3.png?400 }}+{{ :​incident_settings.png?600 |}}
  
 +You can make multiple configurations and use them for different customers or organizational units. Please create a configuration,​ save it and download the corresponding plugin. You can repeat this step as often as you like for other organizations.
  
 +**Plugin settings**: The following settings can be configured (this is a small selection; every LUCY release has its own settings. Please contact us for a full configuration tutorial):
  
-**MSI Installer Settings**The following settings can be configured (this is a small selection; every LUCY release has its own settingsPlease contact us for a full configuration tutorial):​ +{{ :plugin_settings_1.png?600 |}} 
- +{{ :​plugin_settings_2.png?​600 ​|}}
-{{ all_settings_button.png?600 }}+
  
 ==== Appearance Settings ==== ==== Appearance Settings ====
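Review bot: The three bullets added to the settings list (Abuse, Autoresponder, Plugin settings) carry no description, while the retained Custom Rules and Score Factors items each explain in parentheses what they configure; add a short description to each new item so the list stays uniform. The new paragraph on multiple configurations tells the reader to "download the corresponding plugin" without saying where the download is found; add that pointer. The added "Autoresponder" line also ends in trailing whitespace.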
Line 64: Line 67:
 ^ Setting Name ^ Description ^ Outlook (MSI) ^ Office365 (XML) ^ Gmail ^ ^ Setting Name ^ Description ^ Outlook (MSI) ^ Office365 (XML) ^ Gmail ^
 | Send Reports Over HTTP | Enable this option, if you want the Outlook Plugin to send a copy of the reported phishing mail to LUCY (does not include emails from phishing simulations) and additionally add the statistical info about reported phishing emails to LUCY. |  +  |  +  |  +  | | Send Reports Over HTTP | Enable this option, if you want the Outlook Plugin to send a copy of the reported phishing mail to LUCY (does not include emails from phishing simulations) and additionally add the statistical info about reported phishing emails to LUCY. |  +  |  +  |  +  |
-| Send Reports ​via SMTP | Enable this option, if you want to forward the mail to the predefined mail address via SMTP. If enabled, the plugin will send the report to the email you provided on the same page. That is supposed to be your own email or the email of your security team. Do not enable both options (send reports via HTTP and send reports via SMTP at the same time). Only pick one delivery method. |  +  |  +  |  +  |+| Send Reports ​over SMTP | Enable this option, if you want to forward the mail to the predefined mail address via SMTP. If enabled, the plugin will send the report to the email you provided on the same page. That is supposed to be your own email or the email of your security team. Please do not use this method ​at the same time with HTTP to send reports to LUCY, if you do not want to have duplicated reports. Only pick one delivery method. |  +  |  +  |  +  |
 | Use SMTP for receiving incident reports on Lucy| if enabled, Lucy will suppose it has to intercept emails that plugin sends over SMTP, so it configures the local postfix accordingly. All emails received will be added to incidents. If you do not enable this, even if the email configured points to Lucy, nothing will happen - Lucy won't wait for reports over SMTP. |  +  |  +  |  +  | | Use SMTP for receiving incident reports on Lucy| if enabled, Lucy will suppose it has to intercept emails that plugin sends over SMTP, so it configures the local postfix accordingly. All emails received will be added to incidents. If you do not enable this, even if the email configured points to Lucy, nothing will happen - Lucy won't wait for reports over SMTP. |  +  |  +  |  +  |
 | Never report phishing simulations| No reports will be sent over SMTP if user reports a simulation email generated by Lucy. So the plugin will send only "real phishing"​ emails over SMTP. If HTTP is disabled as well, Lucy will not get these reports either, as there is no other delivery method configured for these reports. |  +  |  +  |  +  | | Never report phishing simulations| No reports will be sent over SMTP if user reports a simulation email generated by Lucy. So the plugin will send only "real phishing"​ emails over SMTP. If HTTP is disabled as well, Lucy will not get these reports either, as there is no other delivery method configured for these reports. |  +  |  +  |  +  |
 +| Send phishing simulations over HTTP| If the option is enabled, the plugin will send reports regarding phishing simulations to LUCY via HTTP. |  +  |  +  |  -  |
 | Use X-Headers in Forwarded Emails| If true, the plugin will make the following changes in the email forwarded over SMTP:\\ * Add a new header X-CI-Report:​ True\\ * Add a HTML code <​p>​X-CI-Report:​ True</​p>​ after the body tag within the email body. |  +  |  +  |  -  | | Use X-Headers in Forwarded Emails| If true, the plugin will make the following changes in the email forwarded over SMTP:\\ * Add a new header X-CI-Report:​ True\\ * Add a HTML code <​p>​X-CI-Report:​ True</​p>​ after the body tag within the email body. |  +  |  +  |  -  |
 | Inline Message Forwarding | If true, the plugin will clear the body of the forwarded email when sending the report via SMTP. |  +  |  +  |  -  | | Inline Message Forwarding | If true, the plugin will clear the body of the forwarded email when sending the report via SMTP. |  +  |  +  |  -  |
 | Deeper Analysis Request | If true, the plugin will ask the user whether to request deeper analysis of the reported phishing mail. |  +  |  +  |  -  | | Deeper Analysis Request | If true, the plugin will ask the user whether to request deeper analysis of the reported phishing mail. |  +  |  +  |  -  |
 +| Send reported mail attachment in EML format | Reported email message will be sent as an *.eml attachment. |  +  |  +  |  +  |
 +| Disable Autoresponder for reports | If true, LUCY will not send an automatic email to a user as a reaction to report. |  +  |  +  |  +  |
 | Notify of Expired Incidents | Check this to receive notification if there are reports older than 30 days. This notification will be delivered via email. |  +  |  +  |  +  | | Notify of Expired Incidents | Check this to receive notification if there are reports older than 30 days. This notification will be delivered via email. |  +  |  +  |  +  |
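Review bot: The new "Send phishing simulations over HTTP" row does not say how it interacts with the two existing rows it overlaps: "Send Reports Over HTTP" states that the copy sent to LUCY "does not include emails from phishing simulations", and "Never report phishing simulations" is described only in terms of SMTP. State which setting takes precedence when they conflict. In the reworded "Send Reports over SMTP" row, the softened "if you do not want to have duplicated reports" now sits next to the unchanged "Only pick one delivery method", so the row reads as both a recommendation and a requirement; keep one wording. The new "Send reported mail attachment in EML format" row should say whether it applies to HTTP, SMTP or both, and what is sent when "Inline Message Forwarding" is also enabled, since that option clears the body of the forwarded email.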
  
Line 84: Line 90:
 Once you configured the plugin in the LUCY UI and install it, you will notice that the settings can be viewed or changed locally: Once you configured the plugin in the LUCY UI and install it, you will notice that the settings can be viewed or changed locally:
  
-{{ settings_local_ou.png?300 }} +{{ :​addin_settings.png?​300 ​|}}
  
 **Known Issues**: if you use SMTP for receiving incident reports on Lucy within the incidents, Lucy will intercept all your emails to the domain specified. If you use example.com as a domain for receiving the incidents in LUCY, the internal Postfix server will be listening for this domain for incoming mails. If you now start at the same time a phishing or awareness campaign and try to send your emails to "​@example.com",​ LUCY will not forward those emails externally. **Known Issues**: if you use SMTP for receiving incident reports on Lucy within the incidents, Lucy will intercept all your emails to the domain specified. If you use example.com as a domain for receiving the incidents in LUCY, the internal Postfix server will be listening for this domain for incoming mails. If you now start at the same time a phishing or awareness campaign and try to send your emails to "​@example.com",​ LUCY will not forward those emails externally.
Line 92: Line 97:
 ===== Download Outlook Plugin & Deployment ===== ===== Download Outlook Plugin & Deployment =====
  
-The deployment can be done via MSI file which can be downloaded after the initial configuration under the "​incidents"​ menu (/​admin/​incidents). The plugin installer needs user to have read and write access at least to keys under HKCU (current user).+The deployment can be done via MSI file which can be downloaded after the initial configuration under the "​incidents"​ menu (/​admin/​incidents). ​You can create multiple configurations for different organisation units or clients. For this reason the download offers the possibility to choose the client first: 
 + 
 +{{ out_dl.png?​600 }} 
 + 
 +The assignment to the client can be used in the user interface to sort or filter incidents:​ 
 + 
 +{{ cl_out_a.png?​600 }} 
 + 
 +The plugin installer needs user to have read and write access at least to keys under HKCU (current user). 
 + 
 +{{ download_plugin_1.png?​600 }}
  
-{{ :​download_plugin.png?​600 |}} 
  
 User Wide plugin will affect only one user of a particular PC. User Wide plugin will affect only one user of a particular PC.
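Review bot: The HKCU requirement ("The plugin installer needs user to have read and write access at least to keys under HKCU") is now stranded between two screenshots, away from the MSI download sentence it qualifies, and it still does not name which keys are needed; move it back beside the download sentence, name the keys, and fix the grammar ("needs the user to have"). The added text says "organisation units or clients", while the configuration paragraph added in the same revision says "customers or organizational units"; settle on one term and one spelling. The new image tags written as {{ out_dl.png?600 }} omit the leading colon and trailing pipe used by the other tags this revision introduces, such as {{ :status.png?600 |}}.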
Line 172: Line 186:
   * **Dashboard Filter:** LUCY allows you to filter the incoming mails on the dashboard:   * **Dashboard Filter:** LUCY allows you to filter the incoming mails on the dashboard:
  
-{{ dl_ot2.png?600 }}+{{ :status.png?​600 ​|}}
  
   * **Centralized Analysis:** This feature allows you to analyse the incoming mails manually or automatically (see next chapter)   * **Centralized Analysis:** This feature allows you to analyse the incoming mails manually or automatically (see next chapter)
Line 196: Line 210:
   * Incident tab:   * Incident tab:
  
-{{ incident-dashboardssa.png?600 }}+{{ :​incidentstab.png?​600 ​|}}
  
   * Under the campaign statistics (recipients) under the "​reported"​ item:   * Under the campaign statistics (recipients) under the "​reported"​ item:
Line 213: Line 227:
 Once the mail has been reported by the user it will popup as an incident in LUCY in case you have enabled the HTTP option in LUCY. There are a few automatic analysis routines build into LUCY (e.g. check an IP in Google'​s Safe Browsing Database or Phishtank Database). More checks will follow in the upcoming versions. Once the mail has been reported by the user it will popup as an incident in LUCY in case you have enabled the HTTP option in LUCY. There are a few automatic analysis routines build into LUCY (e.g. check an IP in Google'​s Safe Browsing Database or Phishtank Database). More checks will follow in the upcoming versions.
  
-LUCY will automatically flag mail simulations. All other mails can then be manually verified by the administrator. All mails can be downloaded as .msg file and/or add an incident report. When you click on a reported mail you will first see the overall risk score. The overall risk score is a weighted average of the following score from different scans:+LUCY will automatically flag mail simulations. All other mails can then be manually verified by the administrator. All mails can be downloaded as .msg or .eml file and/or add an incident report. ​ 
 + 
 +{{ :​downloadmessage.png?​600 |}} 
 +{{ :​downloadmessage2.png?​600 |}} 
 + 
 +When you click on a reported mail you will first see the overall risk score. The overall risk score is a weighted average of the following score from different scans:
  
   * Header Analysis   * Header Analysis
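Review bot: In the changed sentence, "All mails can be downloaded as .msg or .eml file and/or add an incident report" is not parallel, so it is unclear who adds the incident report and how; split it into two sentences. The sentence should also say whether the .eml download depends on the "Send reported mail attachment in EML format" setting added earlier in this revision. The new line ends in trailing whitespace.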
outlook_plugin_phishing_incidents.1558961532.txt.gz · Last modified: 2019/07/25 12:51 (external edit)