{"id":116304,"date":"2020-07-22T18:00:13","date_gmt":"2020-07-23T01:00:13","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=116304"},"modified":"2020-08-03T07:20:23","modified_gmt":"2020-08-03T14:20:23","slug":"cortex-phishing-emails","status":"publish","type":"post","link":"https:\/\/www2.paloaltonetworks.com\/blog\/2020\/07\/cortex-phishing-emails\/","title":{"rendered":"Block COVID-19 Phishing Emails at Machine Speed"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">With COVID-19 now a global pandemic, the rapid expansion of the remote work environment has opened up new challenges for enterprises. The attack surface is growing, providing lucrative opportunities for those who want to exploit this new norm. Hackers are accelerating their attack campaigns with original and proven techniques \u2013 often designed to <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/07\/unit-42-cybercrime-gold-rush\/\"><span style=\"font-weight: 400;\">take advantage of the pandemic<\/span><\/a><span style=\"font-weight: 400;\">. Whether registering new websites with coronavirus-related names or sending COVID-19 phishing emails, cyber criminals aim to lure an anxious populace into a new web of attacks.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Enterprises want to prevent these attacks and protect their remote workforce. Unfortunately, security teams are overwhelmed with a surge of alerts, managing an influx of requests from other departments and working with scarce, remote and siloed teams. They need more resources, streamlined processes and automation to take care of mundane tasks, prioritize tasks and incidents, and focus on malicious and relevant threats to their environment.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Hackers are smart and lazy. They want the most bang for their buck. Phishing is the easiest way to target victims who are always looking at the next big pandemic update. 
What's better than crafting a coronavirus-themed email that appears to be coming from the CDC?<\/span><\/p>\n<figure id=\"attachment_116305\" aria-describedby=\"caption-attachment-116305\" style=\"width: 807px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"807\"><span class=\"ar-custom\" style=\"padding-bottom:57.5%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"size-full wp-image-116305 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/07\/email1.png\" alt=\"This sample COVID-19 phishing email presents itself as originating from the Centers for Disease Control and Prevention and includes language that attempts to take advantage of users' desire for updates about the pandemic. \" width=\"807\" height=\"464\" \/><\/span><\/div><figcaption id=\"caption-attachment-116305\" class=\"wp-caption-text\">Figure 1: COVID-19 phishing email example<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">As a security analyst, you can expect a lot of these types of emails flooding your employees\u2019 inboxes across the enterprise. To put things in perspective, Google reported <\/span><a href=\"https:\/\/www.theverge.com\/2020\/4\/16\/21223800\/google-malware-phishing-covid-19-coronavirus-scams\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400;\">18 million COVID-19 related emails<\/span><\/a><span style=\"font-weight: 400;\"> in a few weeks in April 2020. It is not humanly possible to deal with this type of volume manually. There needs to be an automated way to collect, correlate, verify and document these incidents.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is where Cortex XSOAR <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2020\/04\/cortex-monitoring-remote-user-activity\/\"><span style=\"font-weight: 400;\">automated playbooks<\/span><\/a><span style=\"font-weight: 400;\"> can help. 
Automated phishing playbooks are among the most popular use cases for Cortex XSOAR. They\u2019re in use in our own security operations center, <\/span><a href=\"https:\/\/www.paloaltonetworks.com\/resources\/use-case\/how-a-security-company-does-security\"><span style=\"font-weight: 400;\">reducing our phishing response time from 30 minutes down to about 10 seconds<\/span><\/a><span style=\"font-weight: 400;\">. Security teams can save time and automate their COVID-related incident workflows to run at machine speed. Employees submitting suspicious emails to infosec teams will trigger a COVID-specific playbook that will extract all the relevant indicators like URLs, domains and links. Cortex XSOAR will then compare these indicators with internal and external repositories, tag them and add them to external blocklists. Finally, Cortex XSOAR provides additional context by ingesting active threat intel feeds, making it easier and faster to respond. It's like operating a factory assembly line, where various jobs are running, providing immediate action with speed and scale.\u00a0<\/span><\/p>\n<figure id=\"attachment_116318\" aria-describedby=\"caption-attachment-116318\" style=\"width: 900px\" class=\"wp-caption aligncenter\"><div style=\"max-width:100%\" data-width=\"900\"><span class=\"ar-custom\" style=\"padding-bottom:52.67%;\"><img loading=\"lazy\" decoding=\"async\"  class=\"wp-image-116318 lozad\"  data-src=\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/07\/datasources.png\" alt=\"The diagram shows how a Cortex XSOAR automated playbook could automate responses to COVID-19 phishing emails. The flow includes the ingestion of active threat intel feeds and the triggering of the playbook, which then extracts additional context to enrich the indicator information, compares with internal lists to check for matches with either trusted or suspicious domains, and blocks the phishing email if it's determined to be malicious. 
\" width=\"900\" height=\"474\" \/><\/span><\/div><figcaption id=\"caption-attachment-116318\" class=\"wp-caption-text\">Figure 2: Cortex XSOAR COVID-19 suggested playbook flow<\/figcaption><\/figure>\n<p><span style=\"font-weight: 400;\">The attackers create their own assembly line by leveraging machine learning and AI. They repurpose old proven phishing tactics and techniques at machine speed. This makes it harder for enterprises to catch up unless they counter them with the same force, combating a machine with a machine.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Watch this video <\/span><span style=\"font-weight: 400;\">to learn how Cortex XSOAR playbooks can protect your enterprise and automate responses to COVID-related phishing attacks.<\/span><\/p>\n<p><div class=\"styleIt\" style=\"width:560px;height:315px;\"><lite-youtube videoid=\"Xe5A-SE6zIw\" ><\/lite-youtube><\/div><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn how Cortex XSOAR automated playbooks can help your organization protect against the deluge of COVID-19 phishing emails. 
<\/p>\n","protected":false},"author":627,"featured_media":111705,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6770],"tags":[1166,7025,7050,208,7223,635],"coauthors":[6718],"class_list":["post-116304","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-the-future","tag-cloud-security","tag-cortex-xsoar","tag-covid-19","tag-phishing","tag-playbooks","tag-soc","sec_ops_category-use-cases"],"jetpack_featured_media_url":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/05\/Hunter.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/116304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/627"}],"replies":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=116304"}],"version-history":[{"count":1,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/116304\/revisions"}],"predecessor-version":[{"id":116331,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/116304\/revisions\/116331"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/111705"}],"wp:attachment":[{"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=116304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=116304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=116304"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www2.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=116304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}