@Ken, sorry for the delay - hope you had a great weekend!
As far as enrichment, there are a few things I would do:
- Strip the Sender address and the From address from email headers (if they are different, then that is not typically normal). Search mailboxes for additional emails sent from those email addresses.
- Extract and hash any attachments and check against VirusTotal, Hybrid Analysis, sndbox.io, etc. etc.
- Send attachments to an internal sandbox if needed/wanted.
- Grab any URLs from the body of the message and do a reverse DNS lookup and identify who the hosting provider is. Also get their WHOIS info; you can keep track of this information and use IPs/URLs to block at a proxy or border firewall. You can also send automated “takedown” notifications to those hosting providers by pulling their abuse email addresses from WHOIS.
- If you want to gather more information, then track and plot (Google Maps) the send-from headers to track the typical path of each email sent - this could or could not show you if an attacker is using a specific open mail relay or other information.
I think you’re heading in the right direction. The biggest thing is writing out your “hypothesis” or “problem statement” – understanding what you are trying to prevent/protect against will help you put in the right automation. Also, a good practice is to say “I expect a X percent drop in {infections, compromised accounts, man hours, etc.} by doing {whatever automation you are wanting to do}”.
I hope this helps!
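A small Python script illustrating the first three enrichment steps above (Sender/From mismatch, attachment hashing for lookup in VirusTotal and the like, URL extraction from the body). This is an added example, not code from the reply's author; the sample message it parses is constructed for illustration and the reverse DNS/WHOIS steps are left to whatever lookup service you use.

```python
"""Phishing email enrichment helper (added example, not from the thread).
Parses a raw RFC 822 message, flags a Sender/From mismatch, SHA-256 hashes
attachments for external lookups, and pulls URLs out of text/plain parts."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message: From and Sender differ, one URL, one attachment.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example.com>
Sender: bulk@mailer.example.net
To: user@example.com
Subject: Password reset required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please reset at http://login.example.org/reset and see the attached form.
--XYZ
Content-Type: application/octet-stream; name="form.bin"
Content-Disposition: attachment; filename="form.bin"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""


def enrich(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    sender_addr = parseaddr(msg.get("Sender", ""))[1].lower()
    # A Sender header that differs from From is the signal the reply calls out.
    mismatch = bool(sender_addr) and sender_addr != from_addr
    attachments, urls = {}, set()
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""  # decodes base64
            attachments[part.get_filename() or "unnamed"] = hashlib.sha256(data).hexdigest()
        elif part.get_content_type() == "text/plain":
            urls.update(URL_RE.findall(part.get_content()))
    return {"from": from_addr, "sender": sender_addr,
            "sender_from_mismatch": mismatch,
            "attachment_sha256": attachments, "urls": sorted(urls)}


if __name__ == "__main__":
    print(enrich(SAMPLE_EML))
```

The hashes and URLs in the returned dict are what you would feed to VirusTotal/Hybrid Analysis and to your DNS/WHOIS lookups respectively.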