Central Phish Threat



Here you can see the domains and IP addresses that Phish Threat uses to send campaign emails.

Go to Phish Threat > Settings > Sending domains and IPs to review your domains and IP addresses.

Sophos Phish Threat educates and tests your end users through automated attack simulations, quality security awareness training, and actionable reporting metrics. Phish Threat provides you with the flexibility and customization that your organization needs to facilitate a positive security awareness culture.

A phishing threat is a form of attack that tries to obtain sensitive information such as user names, passwords, and credit card details, or to spread ransomware, by sending users emails that contain links, files containing viruses, or fake messages from well-known websites like Facebook, Amazon, or Google. When users click on the message, a website appears that looks almost 100% like the real one, and users can easily enter their information into the fake website.

You must allow email and web traffic to and from these IPs and domains on your email gateway, web proxy, firewall appliance, or anywhere else in your environment where email and web filtering is done.

You can also find out more about how Office 365 ATP Safe Links and Safe Attachments interact with Phish Threat V2.

This list updates when we add new IPs and domains.

IP addresses

To ensure successful delivery of Phish Threat emails, you must add the following IP addresses to your allow list:

  • 54.240.51.52
  • 54.240.51.53

Domain names

You must also add the domains listed below to your allow lists.

If you're using an external email proxy (including Central Email), you may also need to amend your SPF records.

Links contained within campaign emails are configured to redirect users to an awstrack.me URL. This is expected behavior, as Phish Threat uses AWS tracking to determine which users have clicked on the malicious links.


Office 365 ATP Safe Links and Safe Attachments

Office 365 Advanced Threat Protection (ATP) offers security features such as Safe Links and Safe Attachments.

ATP Safe Links can help protect the organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. The ATP Safe Attachments feature checks to see if email attachments are malicious, and then takes action to protect the organization.

If the Phish Threat V2 IP addresses and domain names are not included in the allow list, Office 365 executes the links. This makes it seem like an end user has clicked on the links. To ensure the proper execution of Phish Threat V2 with Office 365, set up an exception for Phish Threat for both Safe Links and Safe Attachments in Office 365. For instructions on how to set up these exceptions, see IP addresses and domains.

Other 3rd party email scanning products and Phish Threat V2

Other 3rd party email security products may apply their own scanning techniques that open links and attachments in emails as they are processed. If this is the case you may receive reports indicating that your users have clicked links.

Please make sure the above IPs and domains are added to allow lists within the 3rd party product.

We are aware that some 3rd party solutions do not allow their security features to be bypassed in this way. We are actively investigating ways to prevent false positive campaign results caused by 3rd party security products. We hope to include these in Phish Threat in the near future.
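
One way to check an exported allow list against the senders this page names, as an added example (not Sophos code). The matching rules (exact domain match unless an entry starts with `*.`) and the sample allow list are assumptions; the domains used are only those quoted in the page's text, not the full list.

```python
import ipaddress

# Senders quoted in this page's text; the full domain list is in Sophos Central
# under Phish Threat > Settings > Sending domains and IPs.
REQUIRED_IPS = ["54.240.51.52", "54.240.51.53"]
REQUIRED_DOMAINS = ["awstrack.me", "outlook-mailer.com", "sophos.outlook-mailer.com"]

# Constructed sample of an exported gateway allow list (not real configuration).
SAMPLE_ALLOW_LIST = """
54.240.51.52          # second sending IP is missing
awstrack.me
outlook-mailer.com    # exact entry only, no wildcard
"""

def parse_allow_list(lines):
    """Split allow-list lines into IP networks and domain patterns."""
    networks, patterns = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            patterns.append(entry)  # not an IP or CIDR, so treat as a domain
    return networks, patterns

def domain_allowed(domain, patterns):
    """Assumed semantics: exact match, or '*.example.com' for sub-domains only."""
    domain = domain.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            # Compare with '.example.com' so the match stops at a label boundary.
            if domain.endswith(pattern[1:]):
                return True
        elif domain == pattern:
            return True
    return False

def missing_senders(lines, ips=REQUIRED_IPS, domains=REQUIRED_DOMAINS):
    """Return the required IPs and domains that the allow list does not cover."""
    networks, patterns = parse_allow_list(lines)
    missing = [ip for ip in ips
               if not any(ipaddress.ip_address(ip) in net for net in networks)]
    missing += [d for d in domains if not domain_allowed(d, patterns)]
    return missing

if __name__ == "__main__":
    print(missing_senders(SAMPLE_ALLOW_LIST.splitlines()))
```

With the sample list, the second sending IP and the sub-domain sender address used in the walkthrough are reported as uncovered, which is the gap that makes simulation emails land in Spam.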

The goal of the article

  • Following Part 2 of the article, Part 3 proceeds with Phish Threat configuration for the third campaign type, Attachment, on Sophos Central.
  • You can also review Part 2 of the article here.

Instructions for configuring Phish Threat features on Sophos Central.

  • To use the Phish Threat feature on Sophos Central, we first need to create a Sophos Central account.
  • To create a Sophos Central account, you can see the instructions here.
  • After acquiring a Sophos Central account, log into Sophos Central with the account you just created at https://central.sophos.com.
  • Next, select People to add users for the Phish Threat configuration.
  • Click Add > Add User.
  • The Add User table appears. Fill in the name under FIRST & LAST NAME and enter the email address in the EMAIL ADDRESS box.
  • Note: The email address must be a domain email address; do not use public email addresses like Gmail, Yahoo …
  • Next, so that the training emails sent to users do not end up in the Spam folder, we need to add the training IP addresses and domains to the trusted list (whitelist) on the mail server or on mail services like G Suite, Office 365 …
  • To obtain the IP addresses, log in to the Sophos Central account and click Phish Threat > Settings > Sending domains and IPs.
  • Now we will see two IP addresses and a series of domains that Sophos provides for the training.
  • Next, click MY PRODUCTS > Phish Threat > Campaigns to enter the Phish Threat feature.
  • To train users we need to create a campaign. To create one, click New Campaigns.
  • We will set a name for the campaign and choose its type.
  • Campaigns have 4 types:
  • Phishing: Attracting targeted users to click on a link in an email.
  • Credential Harvesting: Attracting targeted users to enter login information into a fake website.
  • Attachment: Attracting targeted users to open an attachment in an email.
  • Training: Enroll the target user for mandatory training based on the selected training modules.
  • We will run a simulated campaign to see how it works.
  • In this article, we will simulate the Attachment campaign type.
  • After clicking New Campaigns, we will enter Attachment as the campaign name, select Attachment as the type, and then click Next.
  • Next we will select the attack pattern. Sophos provides many attack patterns that appear to come from famous websites like Amazon, Adobe, Apple …; we just choose the type of attack we want.
  • Here we will choose Car Lights On and then click Next.
  • Next, we will choose the type of training for users. Sophos also provides training types on internet threats such as Ransomware, Keyloggers, Macro Malware …; each training type includes 1 video clip with English subtitles and shows the video length.
  • We can choose up to 5 training types for 1 campaign, and those training types will be assigned at random when sent to users.
  • Here we will choose the Ransomware training and then click Next.
  • Next is the Customize section, which allows you to edit the contents of the Attack Email, Reminder Email, Caught Landing, and Training Landing.
  • This section contains 4 parts: Attack Email, Reminder Email, Caught Landing, Training Landing.

Attack Email.

  • In the Attack Email section, when we click on it, we will see the available information such as Name, Email, and Email Subject. We can change it if we want.
  • Here we will simulate a sender emailing a CV file.
  • In the From Name section, it will be Nguyen Van Phu.
  • In the From Email section, it will be phu.nv123@outlook-mailer.com.
  • Here we will also use a sub-domain by checking the Use a sub-domain box on phishing URL replacements and entering Sophos in the blank box.
  • So our email will be phu.nv123@sophos.outlook-mailer.com.
  • For Attachment Filename, we will fill in CV Phu.
  • For Email Subject, we will fill in “Nguyen Van Phu application for IT Helpdesk position application”.
  • Next we scroll down to see the contents of the email we will send; we can click Edit to edit the content.
  • Here we will edit the job content as follows.

Caught Email.

  • The Caught Email page contains the message “This is not a real attack but it may have happened”.
  • This page appears when users download the attachment and open it. It tells users that this was a training exercise and that they did not pass.
  • You can edit the content of the page by clicking Edit.

Reminder Email.

  • This email is used to remind people when they have not completed the training.

Training Landing.

  • This page is displayed after the user clicks Go to training on the Caught Email page.
  • This page informs users that they have been added to a training.
  • After modifying the Customize section, click Next to go to the Enroll Users section.
  • In this section we can assign 1 or more users or groups to the training.
  • Click Next to go to Review & Schedule. In this section you can set the time for the training to take place.
  • You can choose Launch at schedule time to set a schedule, or select Launch immediately for the training to start immediately after clicking Done.
  • The Sending Increment section lets us spread the training across many people over a certain period of time.
  • For example: if you choose Send to all enrolled users at the same time, the training will be sent to all users at once. If you select Send 5% and select Every hour, then every 1 hour the training will be sent to 5% of the total number of people selected in the Enroll Users section above.
  • Scroll down to the Email, Training and Recipients sections to check the content of the email to be sent, the selected training, and the user name and email of each designated user.
  • Click Done to finish.
  • At this point, Sophos Central displays the statistics of the training.
  • As we can see, Active Campaigns shows the training named Attachment, and next to it 1 Emails sent, meaning 1 email was sent.
  • Next is 0 Emails opened; this number increases when a user opens the email.
  • At 0 Users caught, this number increases when the user clicks on the link.
  • At 0 Finished training, this number increases when the user completes the training.

  • Next we will go to the email account to see the email just sent.

  • Click to open the email and we will see the sender, email address, email subject, and email content exactly as we set them up on Sophos Central.
  • After opening the email, we return to the Sophos Central page and reload it; the Emails opened count has increased by 1 because we opened the email that was sent.
  • Return to the email page, click on the attachment below to download the file to the computer, and open it.
  • At this point we receive an email notification from Sophos that, by downloading and opening the attachment, we have been invited to the training.

  • The content is that of the Caught Email page that we set up in the Customize section.
  • The announcement page tells us “This is not a real attack but it may have happened” and that we have to watch the training video and take the test by clicking Go to training.
  • Go back to the Sophos Central page and reload it; we will see the Users caught count increased by 1 for the user who clicked on the link.
  • Return to the notification page. After clicking Go to training, the website navigates to the Training Landing page that we set up in the Customize section.
  • Click Go to training.
  • The website will navigate to a course called Ransomware, which we set up on Sophos Central.
  • This page displays the course name, Ransomware, along with the course content and duration.
  • To join, click Start Course. A 4-minute video with English subtitles will be displayed, and we have to watch the video to proceed to the test.
  • After watching the whole video, we press Take Quiz to take the test.
  • Select the correct answers and click Complete Quiz to complete the training.
  • If you do not reach the required score to pass the test, you can click Reset Quiz to retake it or click Back to Lesson to review the video and find the answers.
  • Note: If the user clicks Complete but does not have enough points to pass the training, Finished training on Sophos Central remains 0; it only increases when the user scores enough points to pass the test.
  • After the user fails the test, we return to the Sophos Central page, reload it, and see that Finished training is still 0.
  • Next we will take the test again and score enough points to pass it.
  • Then go back to the Sophos Central page and reload it; we will see Finished training increased by 1, meaning 1 person completed the training.
  • Because this training applies to only 1 user, the figures are 100%. After completing the training, click on the name of the training, Phishing, to see the statistics on the training and its results.
  • Finally, to finish the training, click End Campaign.