Phishing Message Rules

Overview

The goal of this document is to provide a list of the most common phishing attempts that Mailprotector sees and how to resolve them with Message Rules. Each of these rules is meant for a specific situation, and not all of them will apply to everyone's environment. Please reach out to Mailprotector's Partner Success team for assistance if you have any questions.

Invoice Phishing

Invoice phishing is where a malicious email suggests that the recipient should open an invoice and pay it immediately. There are typically two goals with these. The first is to have the end-user click the link to access an "invoice," and the second is to have the end-user send money directly to a bank account.

To prevent these situations, we recommend creating message rules that either only allow certain senders to get invoices through the relay or prevent odd attachment types related to invoices from getting through the filter.

 

First Rule - Block Non PDF Invoices: 

  1. Navigate to emailservice.io (Mailprotector console)
  2. Go to the "Filtering" tab at your preferred service level (Reseller, Customer, Domain, Group, User)
  3. Type in the name of your Message Rule and select "Create"
  4. Under Criteria, input common phrases found in invoices into the "Matches any of" field under the "Message Body" section. The examples here are invoice, Invoice, statement, and Statement. The "Message Body" section is case-sensitive.
  5. Under the "Attachment Filename Extension" section, enter the attachment types that your customer typically sees for invoices. This example only uses .pdf, but you can add others here as separate values as well.
  6. Scroll to the top of the page and select the "Actions" tab
  7. Under the Actions tab, select "Hold For Review". This will quarantine the messages that match this rule.
  8. Under the "Options" tab, ensure that the rule is an Incoming rule
  9. Once the rule is finished, select the blue back arrow next to "Edit Message Rule"
  10. Toggle the rule on for it to begin taking action on incoming emails.

Second Rule - Trusted Invoice Senders

  1. Navigate to emailservice.io (Mailprotector console)
  2. Go to the "Filtering" tab at your preferred service level (Reseller, Customer, Domain, Group, User)
  3. Type in the name of your Message Rule and select "Create"
  4. Under Criteria, input the domains that you trust to send invoices to your end-users.
  5. Additionally, under Criteria, input common phrases found in invoices into the "Matches any of" field under the "Message Body" section. The examples here are invoice, Invoice, statement, and Statement. The "Message Body" section is case-sensitive.
  6. Scroll to the top of the page and select the "Actions" tab
  7. Under the Actions tab, select "Hold For Review". This will quarantine the messages that match this rule.
  8. Under the "Options" tab, ensure that the rule is an Incoming rule
  9. Once the rule is finished, select the blue back arrow next to "Edit Message Rule"
  10. Toggle the rule on for it to begin taking action on incoming emails.

One Drive Link Phishing

Links from One Drive and other file-sharing services are commonly spoofed. The goal is to get the end-user to select the link and download malicious software onto the computer. This rule is specific to One Drive, but the same approach can be used for other services as well.

 

One Drive Link Phishing Rule -

  1. Navigate to emailservice.io (Mailprotector console)
  2. Go to the "Filtering" tab at your preferred service level (Reseller, Customer, Domain, Group, User)
  3. Type in the name of your Message Rule and select "Create"
  4. Under Criteria, go to the "Message Body" section and input One Drive, OneDrive, one drive, and One Drive into the "Matches any of" section.
  5. Under the "Message Body" section under "Does not match any of" input my.sharepoint.com and https://northcentralusr-notifyp.svc.ms/api/V2/tracking/method/Click?
  6. Scroll to the top of the page and select the "Actions" tab
  7. Under the Actions tab, select "Hold For Review". This will quarantine the messages that match this rule.
  8. Under the "Options" tab, ensure that the rule is an Incoming rule
  9. Once the rule is finished, select the blue back arrow next to "Edit Message Rule"
  10. Toggle the rule on for it to begin taking action on incoming emails.

CEO/User Spoofing

This is one of the most common rules we recommend at Mailprotector. It is a great catch for anyone trying to pretend to be a CEO or other higher-up at a business. You can input as many names in this section as you'd like, but common names can cause false positives.

 

CEO/User Spoofing Rule - 

  1. Navigate to emailservice.io (Mailprotector console)
  2. Go to the "Filtering" tab at your preferred service level (Reseller, Customer, Domain, Group, User)
  3. Type in the name of your Message Rule and select "Create"
  4. Under the "Sender" field in the "Does not match any of" section, input the exact server address of the user OR input the domain/domain aliases of the customer.
  5. Input the display name of the user you don't want spoofed into the "From" section under "Matches any of"
  6. Scroll to the top of the page and select the "Actions" tab
  7. Under the Actions tab, select "Hold For Review". This will quarantine the messages that match this rule.
  8. Under the "Options" tab, ensure that the rule is an Incoming rule
  9. Once the rule is finished, select the blue back arrow next to "Edit Message Rule"
  10. Toggle the rule on for it to begin taking action on incoming emails.
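
The criteria of the One Drive and CEO/User Spoofing rules above can be dry-run against sample messages before the rules are toggled on. The following is an added example, not Mailprotector code: the matching semantics (substring matching, all sections ANDed, case-insensitive display names) are assumptions, and "Pat Doe", example.com and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Criteria copied from the steps above. "Pat Doe" and example.com are constructed
# placeholders for the protected display name and the customer's domain.
ONEDRIVE = {"body_any": ["One Drive", "OneDrive", "one drive"],
            "body_none": ["my.sharepoint.com",
                          "https://northcentralusr-notifyp.svc.ms/api/V2/tracking/method/Click?"]}
CEO_SPOOF = {"from_any": ["Pat Doe"], "sender_none": ["example.com"]}

def sender_listed(sender, entries):
    """True if sender equals a listed address or belongs to a listed domain."""
    s = sender.lower()
    return any(s == e.lower() or s.endswith("@" + e.lower()) for e in entries)

def held(rule, raw, envelope_sender):
    """True when every configured section matches (assumption: sections are ANDed)."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # the constructed samples are single-part text
    display = parseaddr(msg.get("From", ""))[0]
    checks = []
    if "body_any" in rule:  # "Message Body" matching is case-sensitive
        checks.append(any(p in body for p in rule["body_any"]))
    if "body_none" in rule:
        checks.append(not any(p in body for p in rule["body_none"]))
    if "from_any" in rule:  # assumption: display names compared case-insensitively
        checks.append(any(n.lower() in display.lower() for n in rule["from_any"]))
    if "sender_none" in rule:
        checks.append(not sender_listed(envelope_sender, rule["sender_none"]))
    return all(checks)

# Constructed samples: (label, rule, envelope sender, raw message)
SAMPLES = [
    ("sharepoint share", ONEDRIVE, "notify@files.test",
     "From: Files <notify@files.test>\n\nOneDrive file: https://contoso-my.sharepoint.com/doc"),
    ("other link", ONEDRIVE, "notify@files.test",
     "From: Files <notify@files.test>\n\nOneDrive file: https://files.test/view"),
    ("internal sender", CEO_SPOOF, "pat.doe@example.com",
     "From: Pat Doe <pat.doe@example.com>\n\nPlease review the attached."),
    ("outside sender, same name", CEO_SPOOF, "pat.doe@mail.test",
     "From: Pat Doe <pat.doe@mail.test>\n\nPlease review the attached."),
]

def run_samples():
    return {label: held(rule, raw, sender) for label, rule, sender, raw in SAMPLES}

if __name__ == "__main__":
    print(run_samples())
```

The last sample is held whether the sender is an impersonator or a legitimate outside contact who shares the name, which is the false-positive trade-off noted above for common names.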

Voicemail Link Phishing

Voicemail-to-email is an extremely common system in use today, and attackers are always trying to get end-users to select links in emails. This rule will stop messages in which any of the input words is hyperlinked. In this example we are using the words "voicemail," "voice mail," and "listen".

 

Voicemail Phishing Rule -

  1. Navigate to emailservice.io (Mailprotector console)
  2. Go to the "Filtering" tab at your preferred service level (Reseller, Customer, Domain, Group, User)
  3. From the templates section select "Voicemail Hyperlinks"
  4. Input the name of the rule and select "Create"
  5. Under the "Options" tab, ensure that the rule is an Incoming rule
  6. Now that the rule is created, select the blue back arrow next to "Edit Message Rule"
  7. Toggle the rule on for it to begin taking action on incoming emails.