Automating phishing

I haven’t automated any of my work (yet)!

Thinking I’ll start with my phishing email investigations. Which are the safest tasks to automate first?

@mark.vankempen @mike.mitchell Can you help answer Java’s question?

I think phishing is a perfect task to automate. There’s so much automation & enrichment that you can do. Off the top of my head, here’s just the tip of the iceberg of tools & tech you can automate with:

  • Pulling in records from an email inbox
  • Raw Python scripts (stripping out headers, domains, IPs, URLs, attachments, etc…)
  • MXToolbox (header analysis)
  • Domaintools
  • Other IOC enrichment
  • Sandbox tech
    • Cisco ThreatGrid
    • FireEye
    • Palo Alto Wildfire
    • VMRay
    • Cuckoo
    • Joe Sandbox
    • and more
  • EDR Tech (search for malicious hashes, hosts users are logged into, etc…)
    • Carbon Black
    • Tanium
    • CrowdStrike
    • FireEye
    • and more
  • Ticketing
    • ServiceNow
    • Jira
    • others
  • Forensic software like EnCase
  • Integrating with SMTP Servers
  • Active Directory user/host enrichment
  • Perimeter tech: firewalls, routers, etc…

Appreciate your response, @mark.vankempen
Sorry, newbie question here. Is your list in chronological order? Should I start with records from email?

@mark.vankempen did a great job of outlining the steps it takes in order to fully automate the phishing email workflow. While not all the steps have to be done in that order, especially if it doesn’t fit your process, the first few steps are the most important in order to be able to automate the rest of the workflow.

Your process should start with records from an email. The first step should be to grab or collect the email in question. That then allows you to strip out the headers, domains, IPs and so on. Once you’ve gathered the indicators of compromise (IOCs) from the email, you can send those IOCs off to be enriched using any number of threat intel sources.

From there you can mix and match your next steps centered around the remediation of the incident.
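As an added example (not code from anyone in this thread), here is the collect-and-strip step in Python using only the standard library: it parses a constructed sample message, keeps the headers worth checking, pulls relay IPs out of the Received chain, URLs and domains out of the body, and a SHA-256 per attachment for later sandbox or EDR lookups. The message, addresses and filenames are all made up for the example.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for the example; nothing here is a real sender or host.
SAMPLE_EML = b"""\
From: "IT Support" <helpdesk@example-support.test>
To: user@example.com
Subject: Password expiry notice
Received: from mail.example-support.test (mail.example-support.test [203.0.113.10])
    by mx.example.com with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-support.test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires today. Reset it at http://reset.example-support.test/login
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_iocs(raw: bytes) -> dict:
    """Return headers of interest plus domains, IPs, URLs and attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iocs = {"headers": {}, "urls": set(), "domains": set(), "ips": set(), "attachments": []}
    for name in ("From", "Return-Path", "Reply-To", "Authentication-Results"):
        if msg[name]:
            iocs["headers"][name] = str(msg[name])
    # Received headers record the relay chain; every hop may carry an IP worth enriching.
    for hop in msg.get_all("Received", []):
        iocs["ips"].update(IPV4_RE.findall(str(hop)))
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""  # base64 is decoded here
            iocs["attachments"].append({"filename": part.get_filename(),
                                        "size": len(data),
                                        "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                iocs["urls"].add(url)
                iocs["domains"].add(urlparse(url).hostname)
    # The sender's domain is an IOC in its own right (compare with the SPF result above).
    sender = parseaddr(str(msg["From"]))[1]
    if "@" in sender:
        iocs["domains"].add(sender.split("@", 1)[1])
    return iocs
```

Each set in the returned dict is what you would hand to the enrichment step (MXToolbox, DomainTools, a sandbox for the hashes).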


So taking this into a slightly related direction, you could also automate your internal phishing campaigns. More and more open source tools are making sure they have a full REST API.
