detecting-spearphishing-with-email-gateway
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-spearphishing-with-email-gatewayConfigure email gateways to block personalized spearphishing attacks.
- Detects targeted phishing bypassing generic spam filters.
- Integrates with Microsoft Defender, Proofpoint, Mimecast, and Barracuda.
- Analyzes behavioral patterns, URLs, attachments, and impersonation.
- Generates structured alerts for SOC analysts and threat hunters.
SKILL.md
.github/skills/detecting-spearphishing-with-email-gatewayView on GitHub ↗
--- name: detecting-spearphishing-with-email-gateway description: Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam filters. Email security gateways (SEGs) like Microsoft Defender for Office 365, Proofpoint, domain: cybersecurity subdomain: phishing-defense tags: [phishing, email-security, social-engineering, dmarc, awareness, spearphishing, email-gateway] version: "1.0" author: mahipal license: Apache-2.0 --- # Detecting Spearphishing with Email Gateway ## Overview Spearphishing targets specific individuals using personalized, researched content that bypasses generic spam filters. Email security gateways (SEGs) like Microsoft Defender for Office 365, Proofpoint, Mimecast, and Barracuda provide advanced detection capabilities including behavioral analysis, URL detonation, attachment sandboxing, and impersonation detection. This skill covers configuring these gateways to detect and block targeted phishing attacks. ## When to Use - When investigating security incidents that require detecting spearphishing with email gateway - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Access to email security gateway admin console - Understanding of email flow architecture (MX records, transport rules) - Familiarity with SPF/DKIM/DMARC authentication - Knowledge of common spearphishing techniques and pretexts ## Key Concepts ### Spearphishing Characteristics - **Targeted recipients**: Specific individuals, often executives or finance staff - **Researched pretexts**: References to real projects, colleagues, or events - **Impersonation**: Spoofs trusted senders (CEO, vendor, partner) - **Low volume**: Few emails to avoid pattern-based detection - **Urgent tone**: Creates pressure to act quickly ### Gateway Detection Layers 1. **Reputation filtering**: IP/domain/URL reputation scoring 2. **Authentication checks**: SPF, DKIM, DMARC validation 3. **Content analysis**: NLP-based analysis of email body 4. **Impersonation detection**: Display name and domain similarity matching 5. **URL analysis**: Real-time URL detonation and redirect following 6. **Attachment sandboxing**: Behavioral analysis of attachments in isolated environments 7. **Behavioral analytics**: Anomaly detection in communication patterns ## Workflow ### Step 1: Configure Impersonation Protection ``` Microsoft Defender for Office 365: Security > Anti-phishing policies > Impersonation settings - Enable user impersonation protection for VIPs - Enable domain impersonation protection - Add protected users (CEO, CFO, HR Director) - Set action: Quarantine message Proofpoint: Email Protection > Impostor Classifier - Enable display name spoofing detection - Configure lookalike domain detection - Set Impostor threshold sensitivity ``` ### Step 2: Configure URL Protection - Enable Safe Links / URL rewriting - Enable time-of-click URL detonation - Block newly registered domains (< 30 days) - Enable URL redirect chain following ### Step 3: Configure Attachment Sandboxing - Enable Safe Attachments / attachment sandboxing - Configure dynamic delivery (deliver body, hold attachments) - Set sandbox detonation timeout to 60+ seconds - Block macro-enabled Office documents from external senders ### Step 4: Create Custom Detection Rules Use the `scripts/process.py` to analyze email gateway logs, identify spearphishing patterns, and generate custom detection rules. ### Step 5: Configure Alert and Response Actions - Real-time alerts for impersonation attempts - Automatic quarantine for high-confidence detections - User notification with safety tips - Integration with SIEM for correlation ## Tools & Resources - **Microsoft Defender for Office 365**: https://security.microsoft.com - **Proofpoint Email Protection**: https://www.proofpoint.com/us/products/email-security - **Mimecast Email Security**: https://www.mimecast.com/products/email-security/ - **Barracuda Email Protection**: https://www.barracuda.com/products/email-protection ## Validation - Impersonation protection correctly identifies spoofed VIP display names - URL detonation catches malicious links in test phishing emails - Attachment sandboxing detects weaponized documents - Custom rules trigger on known spearphishing patterns - SIEM integration receives gateway alerts
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.