The document describes the Phishing Intelligence Engine (PIE), an active defense PowerShell framework for Office 365. PIE aims to automate responses to phishing attacks by integrating with Office 365, threat intelligence feeds, and other tools. It allows automated actions like email response, case generation, evidence collection, and quarantining mail. PIE also analyzes click data and sender patterns to track attackers. The presentation demonstrates how PIE streamlines incident response and provides metrics for analyzing phishing attack trends. Future plans include expanding support and integrating with additional security tools.
17. Office 365’s detection is good – but nothing is perfect
“Microsoft Office 365 missed 9.3% of emails containing spam, phishing, and malware from the beginning of September through early October, report Cyren researchers, who analyzed 10.7 million messages.”
https://www.darkreading.com/cloud/office-365-missed-34000-phishing-emails-last-month/d/d-id/1330282
REPORT: https://pages.cyren.com/201710_O365_GapAnalysis_Report_LP.html
18. It’s not Just Emails from Phishers to Worry About
• Exchange OWA / O365 password spraying
• Targeted mail scraping and extraction
• Malicious rule creation
• Passive account monitoring
• Auto Forwarding
• Email Spoofing
• VoIP and SMS Spoofing
• Data leakage
• Ransomware
• …
20. Inspiration - MailSniper!
• https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-eery-users-email-for-sensitive-data/
• Offensive Exchange and Office 365 PowerShell
• Password spraying to gain access from the internet
• Searches for sensitive data within all inboxes
• Beau Bullock
• https://www.blackhillsinfosec.com/team/beau-bullock/
26. Traditional PowerShell Email Quarantine Process
• Office 365 provides great PowerShell integration options!
• You can scrape message trace logs, extract / quarantine mail, block senders, and more.
• One problem – the default use cases are slow and cumbersome!
27. Optimize PowerShell Integration and Streamline Process
• Instead of opening each mailbox and looking for the message…
• Use a pre-defined ‘Phishing Inbox’ to gather quarantined / extracted mail
• Scrape the message trace logs to find valid recipients
• Perform targeted actions on each inbox
• Gather and report on metrics for all attacks and recipients
• Track attackers and block them in the future
• Reduce your organization’s Mean Time To Detect and Respond!
28.
• Extract email from specific users
• Extract email from all affected users
• Block senders
• Unblock senders
• Reset Office 365 credentials
• Evaluate Message Forwarding rules
• Create and update LogRhythm Cases
• And more…
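The streamlined workflow from slides 27 and 28 (scrape the message trace for recipients, act on each inbox, block the sender), as an added PowerShell example that is not PIE's own code. It assumes an existing Exchange Online session (Connect-ExchangeOnline), the Search-Mailbox and Set-HostedContentFilterPolicy cmdlets, and a placeholder quarantine mailbox address.

```powershell
# Added example, not PIE's own code: quarantine one reported phish across every
# recipient found in the message trace, then block the sender for future mail.
# Assumes Connect-ExchangeOnline has already been run in this session.
param(
    [Parameter(Mandatory)] [string] $SenderAddress,   # sender of the reported phish
    [Parameter(Mandatory)] [string] $Subject,         # exact subject of the reported phish
    [string] $QuarantineMailbox = 'phishing-quarantine@example.com',  # placeholder 'Phishing Inbox'
    [int]    $LookbackDays = 7,                       # Get-MessageTrace covers at most 10 days
    [switch] $LogOnly                                 # rehearse: log what would move, move nothing
)

$start = (Get-Date).AddDays(-$LookbackDays)
$end   = Get-Date

# 1. Scrape the message trace for every recipient of this sender + subject.
#    Get-MessageTrace has no subject filter and returns at most 5000 rows per
#    page, so filter client-side and keep paging until a page comes back short.
$recipients = @()
$page = 1
do {
    $trace = @(Get-MessageTrace -SenderAddress $SenderAddress -StartDate $start -EndDate $end -PageSize 5000 -Page $page)
    $recipients += $trace | Where-Object { $_.Subject -eq $Subject } | Select-Object -ExpandProperty RecipientAddress
    $page++
} while ($trace.Count -eq 5000)
$recipients = $recipients | Sort-Object -Unique
Write-Host "Found $($recipients.Count) recipient(s) of '$Subject' from $SenderAddress"

# 2. Targeted action per inbox: copy the message into a dated folder of the
#    phishing inbox and (unless rehearsing) delete it from the recipient.
$query  = "from:`"$SenderAddress`" AND subject:`"$($Subject -replace '"', '\"')`""
$folder = "PIE-$(Get-Date -Format yyyyMMdd)"
foreach ($rcpt in $recipients) {
    if ($LogOnly) {
        Search-Mailbox -Identity $rcpt -SearchQuery $query -TargetMailbox $QuarantineMailbox -TargetFolder $folder -LogOnly -Confirm:$false
    } else {
        Search-Mailbox -Identity $rcpt -SearchQuery $query -TargetMailbox $QuarantineMailbox -TargetFolder $folder -DeleteContent -Confirm:$false
    }
}

# 3. Block the sender in the default anti-spam (content filter) policy so the
#    next wave from the same address is caught before it reaches a mailbox.
if (-not $LogOnly) {
    Set-HostedContentFilterPolicy -Identity Default -BlockedSenders @{Add = $SenderAddress}
    Write-Host "Blocked sender $SenderAddress in the Default content filter policy"
}
```

Run once with -LogOnly to confirm the recipient list and the search query match only the reported message before letting it move mail.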
44. Future Plans and Ongoing Support
• Improve the codebase ☺
• Support for On-Premise Exchange
• IDS, Firewall, and Endpoint integration
• Web Leaderboard and Open Metrics
• Implement Active Defense Scripts
• Documentation and Installation Package
• Seamless SIEM integration
• Community Integrations!
- What tools are you using?
- What else do you want to see PIE do?