D3 XGEN SOAR for Phishing Attacks


Steps for Phishing Incident Response

Step 1:   A suspicious email is detected by an email protection tool or manually reported to D3 by a user.

Step 2:   D3 parses out the elements of the email and assesses risk. Attachments are sent to a sandbox, external IPs and URLs are checked against threat intelligence sources, and email authenticity is determined.

Step 3:   If the attachment is found to be malicious, D3 finds hosts that have been affected by the files and quarantines them. A ticket is also created to re-image the hosts.

Step 4:   If the external IP or URL is found to be high-risk, D3 blocks them on the network and firewall.

Step 5:   D3 then blocks the phishing email, removes it, and finds any users who received the same email. If there is a larger phishing campaign, D3 will send an email to notify users of the threat.
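The five steps above as an added Python example; this is not D3's own code. It parses a constructed sample email, checks the extracted indicators against a constructed threat-intelligence dictionary and a sandbox-verdict dictionary (both stand-ins for the real integrations), and returns the response actions each step would queue.

```python
import email, email.policy, hashlib, re
# Constructed sample of a reported email; the indicators are placeholders, not real IOCs.
RAW_EML = b"""Received: from relay.example.test ([198.51.100.23]) by mx.corp.example
Authentication-Results: mx.corp.example; spf=fail; dkim=none; dmarc=fail
From: "IT Helpdesk" <helpdesk@example.test>
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset your password at http://login-reset.example.test/verify
--b1
Content-Disposition: attachment; filename="invoice.exe"

not-a-real-binary
--b1--
"""
# Constructed threat-intel feed (indicator -> verdict); a real playbook queries TI sources here.
THREAT_INTEL = {"198.51.100.23": "high", "login-reset.example.test": "high"}

def parse_email(raw: bytes) -> dict:
    """Step 2: pull out the elements the playbook acts on (sender IPs, URLs, attachments, auth results)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", " ".join(msg.get_all("Received", [])))
    auth = dict(re.findall(r"(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()  # hash sent to sandbox/TI
            attachments.append({"name": part.get_filename(), "sha256": digest})
        elif part.get_content_type() == "text/plain":
            urls += re.findall(r"https?://[^\s<>\"]+", part.get_content())
    return {"ips": ips, "urls": urls, "attachments": attachments, "auth": auth}

def assess(elements: dict, ti: dict, sandbox: dict) -> dict:
    """Steps 2-5: combine TI, sandbox and authentication results into a risk level and response actions."""
    hosts = sorted({u.split("/")[2] for u in elements["urls"]})
    bad_iocs = [i for i in elements["ips"] + hosts if ti.get(i) == "high"]
    bad_files = [a["name"] for a in elements["attachments"] if sandbox.get(a["sha256"]) == "malicious"]
    auth_fail = any(v != "pass" for v in elements["auth"].values())  # SPF/DKIM/DMARC authenticity check
    actions = set()
    if bad_files:                            # Step 3: affected hosts are quarantined and re-imaged
        actions |= {"quarantine_affected_hosts", "open_reimage_ticket"}
    if bad_iocs:                             # Step 4: high-risk IPs/URLs are blocked
        actions.add("block_ioc_on_firewall")
    if bad_files or bad_iocs or auth_fail:   # Step 5: remove the email and find other recipients
        actions |= {"purge_email", "find_other_recipients"}
    risk = "high" if bad_files or bad_iocs else "medium" if auth_fail else "low"
    return {"risk": risk, "bad_iocs": bad_iocs, "bad_files": bad_files, "actions": sorted(actions)}
```

A failed SPF/DKIM/DMARC check alone yields a "medium" verdict that still purges the message and searches for other recipients, so the email is contained even when no indicator is known to threat intelligence yet.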



Benefits of Phishing Response Automation


✔  Investigate Every Attempt

By automating the majority of the process, D3 users have the time to properly investigate every suspected phishing incident.

✔  Block Malicious Files and URLs

If an attached file or linked URL is checked against a threat intelligence source or sandbox and found to be malicious, you can use D3 to orchestrate blocking it on your network and firewall, saving time and preventing further damage.

✔  Find the Extent of the Damage

When one phishing email is detected, D3 can search across corporate inboxes, endpoints, and user accounts to find who else was targeted, what computers downloaded the attached files, and whose credentials may have been compromised.

✔  Group Incidents for Efficient Response

Phishing emails are often sent to hundreds of people at once, so it doesn’t make sense to respond to each email as a separate incident. With D3, all related phishing events are grouped together in a single incident to eliminate redundant work and give investigators all the information they need.



Deep-Dive SOAR Demo

Do you want to see D3 in action? Join us for a 25-minute deep-dive demo and see how our award-winning Security Orchestration, Automation, and Response (SOAR) platform helps security teams accelerate incident response, scale processes, and learn from every incident.