INFORMATION SECURITY OFFICE

Phishing / SPAM Incidents

Process: Phishing / SPAM Incidents
Author: Enterprise Technology Solutions / Information Security Office
User:
1. User receives a suspicious email.
2. User reports the email to the DGS Help Desk.
DGS Help Desk:
1. Receives alert from a DGS user reporting a suspicious email.
2. Analyze the suspicious email and determine whether it is SPAM or a phishing attempt.
3. Verify that the user did not click on any links or open any attachments.
   a. If they did, notify ISO and SecOps immediately.
   b. If not, instruct the user to permanently delete the email from their inbox and forward that correspondence to archive.
4. If the DGS Help Desk receives 3 or more alerts from different users that originated from the same source, notify ISO via the email address above and create a Remedy ticket.
ISO:
1. Receives alert or Remedy ticket from the DGS Help Desk.
2. Determine whether the user clicked on the links or opened the attachments included in the suspicious email.
   a. If so, notify SecOps immediately and report the incident in Cal-CSIRS. Continue to step 3.
   b. If not, continue to step 3.
3. Forward the request to the AD team to purge the suspicious emails from the system. If the AD team is not available, forward it to SecOps.
AD Team:
1. Receives information about the suspicious email(s) from ISO.
2. Create a rule in Exchange Online Protection to block inbound email based on the subject and/or sender of the suspicious email.
3. Create an Exchange task to report and purge the suspicious email from all mailboxes.
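The two AD Team steps above carried out with the Exchange Online PowerShell cmdlets, as an added example that is not part of this procedure; it assumes the ExchangeOnlineManagement module, an account holding the transport rule and compliance search (eDiscovery) roles, and placeholder subject, sender and ticket values taken from the reported email.

```powershell
# Added example, not part of the ISO procedure: carries out AD Team steps 2 and 3
# with the ExchangeOnlineManagement module. The account used needs the transport
# rule and compliance search (eDiscovery) roles. Subject, sender and ticket number
# are placeholders to be replaced with the values from the reported email.
$Subject = 'PLACEHOLDER subject of reported email'
$Sender  = 'placeholder-sender@example.com'
$Ticket  = 'PLACEHOLDER Remedy ticket number'
$Tag     = 'Phish-' + (Get-Date -Format 'yyyyMMdd-HHmm')

# Step 2: block further inbound copies in Exchange Online Protection.
# Both conditions must match; drop one if the reported email only has a
# reliable subject or only a reliable sender.
Connect-ExchangeOnline
New-TransportRule -Name "$Tag-Block" `
    -FromAddressContainsWords $Sender `
    -SubjectContainsWords $Subject `
    -DeleteMessage $true `
    -Comments "Phishing/SPAM incident process, Remedy ticket $Ticket"

# Step 3: find copies already delivered to any mailbox and purge them.
# Compliance searches run against the Security & Compliance endpoint.
Connect-IPPSSession
$Query = "from:$Sender AND subject:`"$Subject`""
New-ComplianceSearch -Name "$Tag-Search" -ExchangeLocation All -ContentMatchQuery $Query
Start-ComplianceSearch -Identity "$Tag-Search"

# Wait for the search to finish; the item count is what gets reported back to ISO.
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity "$Tag-Search"
} while ($Search.Status -ne 'Completed')
Write-Host "Search $($Search.Name) matched $($Search.Items) item(s)"

# Soft delete moves matches to Recoverable Items so they can be restored if the
# search was wider than intended. One purge action removes at most 10 items per
# mailbox, so repeat it until the search reports zero matches.
if ($Search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName "$Tag-Search" -Purge -PurgeType SoftDelete -Confirm:$false
}
```

Review the search's item count before purging: a subject-only query can match legitimate mail, and SoftDelete keeps the purged items recoverable while that is checked.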
SecOps:
1. Receives information about the suspicious email(s) from ISO.
2. Identify the IP address associated with the link and add it to the rule “Block-Dynamic-Block-List” to prevent traffic from reaching the spear-phishing site.
3. If user(s) clicked or opened suspicious links or attachments, run a scan of the workstation to detect potential malicious content.
ISO:
1. Contact the user, or notify the Help Desk to contact the user, to inform them that the suspicious email has been blocked and the issue is resolved.
2. Close the ticket if it is currently assigned to ISO.
DGS Help Desk:
1. Notify the user that the suspicious email has been blocked and the issue is resolved.
2. Close the ticket if it is assigned to the Help Desk.