Stage 2: EMail
If you want to check the user mailbox where the threat is located, you can access it through FortiMail -> Access -> WEBMAILS.
Remark: don't change any DNS settings.
Email 02-01 : Stop the spam hitting the mail service
Hints:
· Please check the email from no-reply-1@sysd-hard.com with subject "Please visit 40HK".
· [mailbox: user01@sysd-corp.com / pw: fortinet]
· For the AntiSpam profile, please ensure you make the change in the inbound profile.
· Related to SPF. Be careful to block only the needed level; blocking all SPF results will be detected by the scoring.
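The SPF hint above is about severity levels: a record ending in -all gives a hard "fail" for unlisted senders, while ~all gives only a "softfail", and a domain with no record gives "none". The added example below (my own illustration, not FortiMail code or anything from the lab) evaluates a simplified SPF record against a sender IP and compares a policy that rejects only hard fails with one that rejects everything except pass. All domains, records and IPs are constructed sample data.

```python
import ipaddress

# Constructed SPF records for the demo; sysd-hard.com is the sender domain named
# in the hint, the record itself is invented for illustration.
SPF_RECORDS = {
    "sysd-hard.com": "v=spf1 ip4:203.0.113.0/24 -all",   # hard fail for any other IP
    "partner.example": "v=spf1 ip4:198.51.100.5 ~all",   # soft fail for any other IP
    "nospf.example": None,                               # no SPF record published
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, sender_ip):
    """Evaluate a simplified SPF record (ip4 mechanisms and the 'all' mechanism only)."""
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record exhausted without a match


def action(result, block_levels):
    """Map an SPF result to a mail action; block_levels lists the results that are rejected."""
    return "reject" if result in block_levels else "deliver"


NEEDED_ONLY = {"fail"}                                    # block only the hard fail
BLOCK_ALL = {"fail", "softfail", "neutral", "none"}       # block everything except pass


def compare_policies(samples):
    """Return {(domain, ip): (spf_result, needed_only_action, block_all_action)}."""
    out = {}
    for domain, ip in samples:
        r = spf_result(domain, ip)
        out[(domain, ip)] = (r, action(r, NEEDED_ONLY), action(r, BLOCK_ALL))
    return out
```

Running compare_policies on a spoofed sysd-hard.com sender, a partner domain with ~all and a domain with no SPF record shows that both policies stop the spoofed hard fail, but only the block-all policy also rejects the two legitimate senders.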
Email 02-02 : It seems the email content has lots of suspicious and QR-code phishing attachments
Hints:
· Please check the email from promotion@sysd-pass2.com with subject "Unlock your 60% discount code!" and check the attachment of the mail.
· [mailbox: user01@sysd-corp.com / pw: fortinet]
· Please ensure the recipient policy is enabled.
· Search Google for "FortiMail phishing". Some CLI work is needed.
Email 02-03 : We found someone impersonating our management in email...
Hints:
· Please check the email from "Boss Chan" with subject "[Important] Please transfer money asap!".
· [mailbox: user01@sysd-corp.com / pw: fortinet]
· You can consider Business Email Compromise (BEC).
Email 02-04 : We found some personal information has been leaked in outbound email. Please stop it.
Hints:
· You can check the mailbox of user02@sysd-corp.com, which holds the outbound mail sent from user01@sysd-corp.com with subject "Customer Information", and take a look at the content of the mail body.
· [mailbox: user02@sysd-corp.com / pw: fortinet]