Phishing Intelligence Engine – An Active Defense PowerShell Framework for Phishing Defense with Office 365
The Phishing Intelligence Engine (PIE) is a framework that assists with the detection of and response to phishing attacks. It is an Active Defense framework built around Office 365 that continuously evaluates Message Trace logs for malicious content and responds dynamically as threats are identified or emails are reported.
Features:
- Analyze subjects, senders, and recipients using RegEx and Threat Feed correlation to determine email risk.
- Automatically respond to attacks by quarantining mail, blocking senders, and checking for clicks.
- Sandbox analytics on all flagged email attachments and links.
- Dynamic Case Management integration and metrics tracking.
- Prevent sensitive data loss and verify corporate email security.
Install & Usage
There are multiple aspects of this framework that all work together to detect and respond to Phishing attacks:
1) PIE Message Trace Logging – The core of the Phishing Intelligence Engine. Provides ongoing logging via the API, third-party tool integrations, and automated email response.
2) Office 365 Ninja – The response arm of PIE. Quarantine mail, block senders, change credentials, check Office 365 configurations, and more.
3) SPAM Tracker – List updater for ongoing tracking of spammer email addresses.
4) LogRhythm SIEM Dashboards – Analyst and Investigation Dashboards, which allow for searching and aggregation of Office 365 data within the LogRhythm SIEM.
5) Alarms and Threat Lists – LogRhythm AIE alarm configurations and Threat List integrations.
6) LogRhythm SmartResponse – Plugins that can be integrated with the LogRhythm SIEM, allowing for automated response to alarms.
7) Report Phishing Message Button – Add-on for Microsoft Outlook to allow for easy reporting of phishing attacks.
8) Architecture – The high-level overview of the PIE architecture and workflow.
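As an added example (not PIE's own code), the PowerShell below scores Message Trace records the way the core component and the first two features describe: RegEx rules on the subject, a threat-list lookup on the sender domain, and a lookalike-domain check, ending in a quarantine/block, review or allow decision. The property names mirror Get-MessageTrace output from Exchange Online PowerShell; the rule names and scores, the threat list, the tenant domain and the sample records are all constructed assumptions.

```powershell
# Added example, not PIE's own code: scores Message Trace records with RegEx rules on the
# subject, a threat-list lookup on the sender domain, and a lookalike-domain check.
# Property names mirror Get-MessageTrace output (Exchange Online PowerShell); the rules,
# threat list, tenant domain and sample records below are constructed for this illustration.

$SubjectRules = @(
    @{ Name = 'CredentialLure'; Pattern = '\b(password|account|verify|mailbox)\b.*\b(expire|suspend|locked|reset)\b'; Score = 40 }
    @{ Name = 'PaymentLure';    Pattern = '\b(invoice|wire transfer|payment|remittance)\b';                           Score = 25 }
    @{ Name = 'UrgencyLure';    Pattern = '\b(urgent|immediately|action required)\b';                                  Score = 15 }
)
$ThreatDomains   = @('secure-mail-login.example', 'o365-billing.example')   # constructed threat feed / SPAM Tracker list
$CorporateDomain = 'contoso.example'                                          # constructed tenant domain

function Get-PieMessageRisk {
    param([Parameter(Mandatory)][object[]]$Messages, [int]$QuarantineThreshold = 50)
    foreach ($m in $Messages) {
        $score = 0; $hits = @()
        foreach ($rule in $SubjectRules) {                       # -match is case-insensitive by default
            if ($m.Subject -match $rule.Pattern) { $score += $rule.Score; $hits += $rule.Name }
        }
        $senderDomain = ($m.SenderAddress -split '@')[-1].ToLower()
        if ($ThreatDomains -contains $senderDomain) { $score += 50; $hits += 'ThreatListSender' }
        # External domain that merely resembles the corporate one (e.g. contoso-billing.example)
        $brand = $CorporateDomain.Split('.')[0]
        if ($senderDomain -ne $CorporateDomain -and $senderDomain -like "*$brand*") { $score += 30; $hits += 'LookalikeDomain' }
        $action = if ($score -ge $QuarantineThreshold) { 'Quarantine+BlockSender' } elseif ($score -gt 0) { 'AnalystReview' } else { 'Allow' }
        [pscustomobject]@{
            MessageTraceId   = $m.MessageTraceId
            SenderAddress    = $m.SenderAddress
            RecipientAddress = $m.RecipientAddress
            RiskScore        = $score
            Matches          = ($hits -join ',')
            Action           = $action
        }
    }
}

# Constructed records standing in for: Get-MessageTrace -StartDate (Get-Date).AddHours(-1) -EndDate (Get-Date)
$sample = @(
    [pscustomobject]@{ MessageTraceId = 'c1'; SenderAddress = 'it-support@secure-mail-login.example'; RecipientAddress = 'alice@contoso.example'; Subject = 'Your mailbox password will expire today' }
    [pscustomobject]@{ MessageTraceId = 'c2'; SenderAddress = 'ap@contoso-billing.example';           RecipientAddress = 'bob@contoso.example';   Subject = 'Urgent: overdue invoice attached' }
    [pscustomobject]@{ MessageTraceId = 'c3'; SenderAddress = 'carol@contoso.example';                RecipientAddress = 'bob@contoso.example';   Subject = 'Lunch on Friday?' }
)
Get-PieMessageRisk -Messages $sample | Format-Table -AutoSize
```

Records that reach the quarantine threshold are the ones a response component such as Office 365 Ninja would act on; the rest are left for analyst review or allowed.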
Additional Information
Blog Post: https://logrhythm.com/blog/phishing-intelligence-engine-open-source-release/
BSides Vancouver 2018 Slides and Video: https://www.slideshare.net/heinzarelli/pie-bsides-vancouver-2018
BlueHat v17 Slides: https://www.slideshare.net/heinzarelli/phishing-intelligence-engine-bluehat-v17
Black Hat 2017 Slides: https://www.slideshare.net/heinzarelli/security-automation-and-orchestration
Security Weekly Webcast: https://www.youtube.com/watch?v=2oGMoGr4qBI
Copyright 2018 LogRhythm Inc