Course: IH&R Process • Week 4

Email Security Incidents

Phishing & Spam analysis, categorisation, and rapid response playbooks. From the Industry to the Classroom.

Module Orientation

This interactive module translates the Day 07/08 lecture material into an explorable dashboard. A large share of major cyber incidents begin with a malicious email, and many of the rest with a compromised mailbox. Understanding the difference between attack types, the technical layers of the email protocols, and the crucial 30-minute response window is essential for any incident handler. Explore the sections below to build your analytical muscle memory.

📈

High Stakes

Business Email Compromise (BEC) is consistently one of the largest single categories of reported cybercrime financial loss, and has topped the FBI IC3 loss tables in several years.

🔍

Technical Depth

Learn to deconstruct Lure, Hook, and Payload, going beyond the simple "phishing" label.

⏱️

Rapid Response

Master the 30-minute cheat-sheet to contain blast radius and prevent full breaches.

1. Threat Taxonomy

Naming is the first analyst skill. Mislabelling a targeted Business Email Compromise (BEC) as generic "phishing" leads to the wrong incident response playbook, leaving the attacker inside the network. Use the interactive matrix below to understand the four primary categories of email threats.

📩

Phishing

Mass-volume, untargeted email. A well-tuned gateway catches the large majority of it (commonly cited as 95%+). Lures are generic.

  • Targeting: Mass
  • Volume: Millions
  • Malware?: Often
  • Financial Impact: Low / Aggregate

The "María" Example (Mon-Fri)

Monday: Receives a generic "Dear Customer" Santander banking alert. It is ignored and deleted easily.

2. Attack Anatomy & Social Engineering

Every attack decomposes into three distinct stages, mapping closely to the early phases of the Cyber Kill Chain. Understanding these stages allows defenders to implement specific controls at each point. Click the stages below to reveal the social engineering levers and payload types.

Kill Chain: Reconnaissance

Lure Construction

The content the victim sees. It relies on psychological manipulation. Stacking three or more of these levers in a single email is a strong red flag of malicious intent.

  • Urgency ("24h left")
  • Authority ("CEO")
  • Scarcity ("3 slots left")
  • Familiarity (tone)
  • Social proof
  • Reciprocity
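As an added illustration that is not part of the lecture material, the following Python triages a message by counting which of the six levers above appear to stack in it, using hand-written keyword patterns. The patterns, the two sample messages, and the "three or more" threshold are constructed assumptions; a keyword heuristic like this is a triage aid for an analyst, not a classifier.

```python
import re

# Hand-written keyword patterns for the six levers above. Constructed for this
# example; they are triage heuristics, not a vetted detection ruleset.
LEVER_PATTERNS = {
    "urgency": [r"\b\d+\s*(?:h|hours?|minutes?)\s+left\b", r"\bimmediately\b",
                r"\burgent\b", r"\bwithin 24 hours\b", r"\bexpires? today\b"],
    "authority": [r"\bceo\b", r"\bcfo\b", r"\bhr department\b", r"\bit security\b",
                  r"\blegal (?:team|department)\b"],
    "scarcity": [r"\bonly \d+ (?:slots?|seats?|licen[cs]es?) left\b",
                 r"\blimited availability\b", r"\blast chance\b"],
    "familiarity": [r"^hey\b", r"\bas we discussed\b", r"\bquick favou?r\b",
                    r"\bthanks again\b"],
    "social_proof": [r"\beveryone else\b", r"\byour colleagues\b",
                     r"\bmost of the team\b", r"\bhas already (?:confirmed|signed)\b"],
    "reciprocity": [r"\bas a thank[- ]you\b",
                    r"\bwe(?:'ve| have) already (?:approved|waived|credited)\b",
                    r"\bcomplimentary\b"],
}

def detect_levers(text):
    """Return the set of lever names with at least one pattern match in the message."""
    lowered = text.lower()
    found = set()
    for lever, patterns in LEVER_PATTERNS.items():
        if any(re.search(p, lowered, flags=re.MULTILINE) for p in patterns):
            found.add(lever)
    return found

def triage(text, threshold=3):
    """Flag a message when three or more levers stack, per the rule of thumb above."""
    levers = detect_levers(text)
    return {"levers": sorted(levers), "count": len(levers), "flag": len(levers) >= threshold}

# Constructed sample messages (not real mail).
LURE = """Hey Sandra,
As we discussed, the CEO needs the vendor invoice approved immediately.
Only 2 slots left in today's payment run and everyone else in finance has already confirmed.
Thanks again for the quick favour."""

NORMAL = """Hi team, the Q3 planning deck is attached. Comments welcome by next Friday."""

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("normal", NORMAL)):
        print(name, triage(msg))
```

The constructed lure trips five of the six levers (urgency, authority, scarcity, familiarity, social proof) and is flagged; the routine team message trips none. In practice the pattern lists would be tuned per organisation and combined with header and URL analysis rather than used alone.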

3. Authentication Protocols

SMTP (RFC 821, 1982) was designed with no sender verification: any connecting host can put any address in the MAIL FROM command and in the From: header. SPF, DKIM, and DMARC are retroactive bolt-on authentication mechanisms. Implementing all three correctly makes a domain structurally hard to spoof.

Sender Policy Framework (SPF)

RFC 7208

Core Question: Is this connecting IP allowed to send mail for this domain?

  • Domain owner publishes a DNS TXT record listing authorised IPs.
  • Receiver looks up the record and compares it to the incoming connection.
  • The qualifier on the final all mechanism sets the default verdict for any IP not listed: -all (hard fail), ~all (soft fail), ?all (neutral), +all (anyone may send; catastrophic).
⚠️ Vulnerability: SPF breaks on email forwarding. SPF is evaluated against the envelope sender (RFC5321.MailFrom) and the connecting IP; a forwarder re-sends the unchanged message from its own IP, which the origin domain never authorised, so the check fails unless the forwarder rewrites the envelope sender (SRS).

Combined Protection Matrix

Capability               SPF    DKIM                           DMARC
Checks IP origin         Yes    No                             Via the SPF result
Checks tampering         No     Yes (signs headers and body)   Via the DKIM result
Survives forwarding      No     Yes, if content is unmodified  If either SPF or DKIM passes with an aligned domain
Reporting functionality  No     No                             Yes (rua aggregate and ruf failure reports)
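The following Python evaluator, added here as an example rather than taken from the lecture or from any SPF library, implements the SPF check described above (ip4, ip6, include and the qualifiers on all) against a constructed table standing in for DNS TXT lookups, then applies the DMARC rule from the matrix: pass if either SPF or DKIM passes with a domain aligned to the From: header. Domains, addresses, the record contents and the simplified organisational-domain helper are assumptions. It also shows why a forwarded message fails SPF yet can still pass DMARC through DKIM, and why an attacker whose own domain passes SPF still fails DMARC.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; domains and addresses are hypothetical.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:1::/48 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(domain, client_ip, depth=0):
    """Minimal RFC 7208 check: ip4, ip6, include and the qualifier on 'all'.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                       # RFC 7208 limits lookups; stop runaway includes
        return "permerror"
    record = TXT_RECORDS.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term[0] in QUALIFIER_RESULT:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term
        result = QUALIFIER_RESULT[qualifier]
        if mech == "all":
            return result
        name, _, arg = mech.partition(":")
        if name in ("ip4", "ip6"):
            # An IPv6 client never matches an ip4 term (version mismatch is simply no match).
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            # include matches only when the included domain's own check passes.
            if evaluate_spf(arg, client_ip, depth + 1) == "pass":
                return result
        # a, mx, exists, ptr omitted for brevity
    return "neutral"                     # record ended without an 'all' term

def org_domain(d):
    """Crude organisational domain: last two labels (a real implementation uses the public suffix list)."""
    return ".".join(d.lower().split(".")[-2:])

def dmarc_result(from_domain, spf_result, mailfrom_domain, dkim_result, dkim_domain,
                 aspf="r", adkim="r"):
    """DMARC pass = (SPF pass AND aligned) OR (DKIM pass AND aligned).
    Alignment compares the authenticated domain with the RFC5322.From domain:
    's' = exact match, 'r' = same organisational domain."""
    def aligned(dom, mode):
        if mode == "s":
            return dom.lower() == from_domain.lower()
        return org_domain(dom) == org_domain(from_domain)
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, adkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"

if __name__ == "__main__":
    print("direct     ", evaluate_spf("example.com", "203.0.113.7"))      # pass
    print("via vendor ", evaluate_spf("example.com", "2001:db8:1::5"))    # pass through include
    print("forwarded  ", evaluate_spf("example.com", "192.0.2.50"))       # fail: forwarder's IP
    # Forwarded mail: SPF fails, but an intact DKIM signature keeps DMARC passing.
    print("dmarc fwd  ", dmarc_result("example.com", "fail", "example.com", "pass", "example.com"))
    # Spoof: the attacker's own envelope domain passes SPF but does not align with From:.
    print("dmarc spoof", dmarc_result("example.com", "pass", "attacker.example", "none", ""))
```

Two things the matrix compresses are visible in the code: the include mechanism only counts when the included record itself returns pass (a ~all in the vendor record does not propagate as a match), and DMARC alignment is what stops an attacker from simply publishing a valid SPF record for a domain they control.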

4. The Human Defence Layer

Technology cannot catch what it has never seen. Even at a 99.9% gateway block rate, phishing still reaches inboxes at scale; the lecture's figure is 91,000 such emails per year. A modern awareness program focuses on role-tailored simulations and tracks the Report Rate, rather than the Click Rate, as its primary metric.

90-Day Training Pilot Metrics

Tracking behavioral shifts during phased simulation rollouts.

What Good Looks Like

  • Continuous: Drip-feed micro-lessons.
  • Role-tailored: Finance lures ≠ Engineering lures.
  • Blameless: Heroes report, we do not punish clickers.

Bad Signs

  • 25-minute annual videos + generic quiz.
  • Public shaming or HR action against clickers.
  • Treated as a substitute for technical controls.

Golden Rule

PAUSE • VERIFY • REPORT

5. Incident Response Playbook

Email IR is unique: the blast radius is everyone who received the message, and MFA bypass via session-cookie theft (an adversary-in-the-middle phishing page that relays the real login and captures the resulting session token) is common. Speed in the first 30 minutes determines whether an event remains an "incident" or escalates to a "breach".

The "Sandra" Case Study: First 30 Minutes SLA

Minute 00: The Incident Begins

09:42 AM

Sandra clicks fake GitHub login → submits credentials → immediately reports it via Phish Button.

Minute 08: Detection & Scope

09:50 AM

Analyst performs a message trace and reviews sign-in logs. Confirms a successful sign-in from a Bulgarian IP 4 minutes after Sandra submitted her credentials.

Minute 23: Containment (CRITICAL)

10:05 AM

Account disabled → Sessions revoked → Password reset. Three other recipients' copies purged from mailboxes.

Eradication & Recovery

11:30 - 13:00

Verified no OAuth grants or rogue commits. New FIDO2 hardware key issued to Sandra. Resume normal work.

Outcome: resolved in 4 hours as a minor incident. Without rapid response and MFA it would have meant weeks of work and a major breach.
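The detection-and-scope step of the Sandra timeline, written out in Python as an added example that is not part of the lecture: correlate the Phish Button report's credential-submission time with sign-in events, flag successful sign-ins from outside the expected countries within the window, check whether the attacker's addresses touched any other recipient's account, and derive the session and IP lists that the containment step acts on. The event shape, names, times and addresses are constructed; a real run would pull the events from the identity provider's sign-in log.

```python
from datetime import datetime, timedelta, timezone

# Constructed sign-in events, loosely shaped like an identity-provider sign-in log.
# Names, times, addresses and session IDs are invented for this example.
SIGNINS = [
    {"time": "2024-03-11T08:55:12Z", "user": "sandra@example.com", "ip": "203.0.113.40",
     "country": "GB", "result": "success", "session": "s-101"},
    {"time": "2024-03-11T09:46:03Z", "user": "sandra@example.com", "ip": "198.51.100.77",
     "country": "BG", "result": "success", "session": "s-202"},
    {"time": "2024-03-11T09:47:30Z", "user": "sandra@example.com", "ip": "198.51.100.77",
     "country": "BG", "result": "success", "session": "s-203"},
    {"time": "2024-03-11T09:49:10Z", "user": "sandra@example.com", "ip": "198.51.100.78",
     "country": "BG", "result": "failure", "session": None},
    {"time": "2024-03-11T09:50:00Z", "user": "omar@example.com", "ip": "203.0.113.41",
     "country": "GB", "result": "success", "session": "s-300"},
]

# The Phish Button report: who, when credentials were entered, and who else got the lure.
REPORT = {
    "user": "sandra@example.com",
    "submitted_at": "2024-03-11T09:42:00Z",
    "other_recipients": ["omar@example.com", "li@example.com", "dev@example.com"],
}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def scope_compromise(signins, report, home_countries=("GB",), window=timedelta(hours=24)):
    """Successful sign-ins for the reporting user, after the credential submission,
    from a country outside the expected set. Each hit carries minutes after submission."""
    t0 = parse_ts(report["submitted_at"])
    hits = []
    for ev in signins:
        if ev["user"] != report["user"] or ev["result"] != "success":
            continue
        t = parse_ts(ev["time"])
        if t0 <= t <= t0 + window and ev["country"] not in home_countries:
            hits.append({**ev, "minutes_after_submit": (t - t0).total_seconds() / 60})
    return hits

def containment_plan(signins, report, hits):
    """Turn the scoping evidence into the containment actions from the timeline:
    disable the account, revoke sessions (this is what invalidates a stolen session
    cookie), block the source IPs, purge the other recipients' copies, and check
    whether the attacker IPs touched any other recipient's account."""
    attacker_ips = {h["ip"] for h in hits}
    other_victims = sorted({ev["user"] for ev in signins
                            if ev["ip"] in attacker_ips and ev["result"] == "success"
                            and ev["user"] != report["user"]})
    return {
        "disable_account": report["user"],
        "revoke_sessions": sorted({h["session"] for h in hits}),
        "block_ips": sorted(attacker_ips),
        "purge_from_mailboxes": list(report["other_recipients"]),
        "other_victims": other_victims,
        "first_attacker_signin_minutes": min((h["minutes_after_submit"] for h in hits),
                                             default=None),
    }

if __name__ == "__main__":
    hits = scope_compromise(SIGNINS, REPORT)
    print(containment_plan(SIGNINS, REPORT, hits))
```

On the constructed data the first attacker sign-in lands about four minutes after submission, matching the timeline, and two sessions are identified for revocation. A password reset alone would leave both sessions alive, which is why the timeline orders disable, revoke, then reset. The failed sign-in from a second Bulgarian address is deliberately excluded from the session list but is still worth blocking; extending the plan to include IPs from failed attempts is a one-line change.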