Spike in Password Reset Emails

Description

Sending password reset emails is a common phishing technique. Protect your users by identifying spikes in the number of suspicious emails entering your environment.


Use Case

Security Monitoring

Category

Account Compromise, SaaS

Alert Volume

Very Low

SPL Difficulty

Hard

Journey

Stage 3

MITRE ATT&CK Tactics

Initial Access

MITRE ATT&CK Techniques

Spearphishing Link

MITRE Threat Groups

APT28
APT29
APT32
APT33
APT39
Cobalt Group
Dragonfly 2.0
Elderwood
FIN4
FIN8
Kimsuky
Leviathan
Machete
Magic Hound
Night Dragon
OilRig
Patchwork
Stolen Pencil
TA505
Turla

Kill Chain Phases

Delivery

Data Sources

Email

How to Implement

Implementation of this example (or any of the Time Series Spike / Standard Deviation examples) is generally pretty simple.

  • Validate that you have the right data onboarded and that the fields you want to monitor are properly extracted; if they are, the base search you see in the box below should return results.
  • Save the search to run over a long period of time (recommended: at least 30 days).

For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if this search is too slow for your environment, we recommend using a summary index that first aggregates the data. We will have documentation for this process shortly, but for now you can look at Summary Indexing descriptions such as here and here.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect a spike in the number we're monitoring... it's nearly impossible for the math to lie. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

How you handle these alerts depends on where you set the standard deviation. If you set a low standard deviation (2 or 3), you are likely to get a lot of events that are useful only for contextual information. If you set a high standard deviation (6 or 10), the amount of noise can be reduced enough to send an alert directly to analysts.

How To Respond

When this search returns values, initiate your incident response process and capture the time of the event, the sender, the recipient, the subject of the mail, and any attachments. Contact the sender. If it is authorized behavior, document that it is authorized and by whom. If not, the user's credentials may have been used by another party and additional investigation is warranted.

Help

Spike in Password Reset Emails Help

This example leverages the Detect Spikes (standard deviation) search assistant. Our dataset is an anonymized collection of email logs centered around a particular user for a month.

SPL for Spike in Password Reset Emails

Demo Data

  • First we pull in our demo dataset.
  • Based on the message subject, tag it with a value for Detect_Type.
  • Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the same day.
  • Finally, we can count and aggregate per detection type tag, per day.
  • Calculate the mean, standard deviation and most recent value.
  • Calculate the bounds as a multiple of the standard deviation.

Live Data

  • First we pull in our email dataset, with filters for Password Reset somewhere in the message.
  • Based on the message subject, tag it with a value for Detect_Type.
  • Bucket (aliased to bin) allows us to group events based on _time, effectively flattening the actual _time value to the same day.
  • Finally, we can count and aggregate per detection type tag, per day.
  • Calculate the mean, standard deviation and most recent value.
  • Calculate the bounds as a multiple of the standard deviation.

Accelerated Data

  • Here, tstats pulls in, with one command, a super-fast count of emails where the subject contains "Password Reset" per src_ip, per day.
  • We're adding a Password Reset tag to this. You could also expand this out to multiple items, including new phishing campaigns.
  • Calculate the mean, standard deviation and most recent value.
  • Calculate the bounds as a multiple of the standard deviation.
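The Demo, Live and Accelerated walkthroughs above all describe the same pipeline: tag each email with a Detect_Type, bin by day, count per tag per day, then compare the latest day against mean plus a multiple of the standard deviation. The following is an added Python example (not the SPL from this page or from Splunk Security Essentials) that runs that pipeline over a constructed log sample, so you can see how the 2-vs-6 standard deviation choice from "Known False Positives" changes the verdict; the log format, field names and the `exclude_latest` option are assumptions for illustration.

```python
import re
from collections import Counter
from statistics import mean, stdev

# Constructed sample log, one email per line: "YYYY-MM-DD HH:MM sender subject".
# Seven quiet days with one or two reset mails, then a burst on the eighth day.
SAMPLE_LOG = """\
2023-03-01 08:12 it-support@example.com Password Reset Request
2023-03-01 09:40 hr@example.com Q1 Benefits Enrollment
2023-03-02 10:05 it-support@example.com Password Reset Request
2023-03-03 11:20 noreply@example.com Your password reset link
2023-03-03 13:02 it-support@example.com Password Reset Request
2023-03-04 07:55 it-support@example.com Password Reset Request
2023-03-05 09:00 it-support@example.com Password Reset Request
2023-03-06 16:30 noreply@example.com Password reset confirmation
2023-03-06 16:45 hr@example.com Timesheet reminder
2023-03-07 08:05 it-support@example.com Password Reset Request
""" + "".join(f"2023-03-08 {h:02d}:15 acct@mail.example.net Password Reset Required\n"
              for h in range(8, 17))

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (\S+) (.*)$")


def daily_counts(log):
    """Tag each email with a Detect_Type and count per type per day (bin span=1d)."""
    counts = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip malformed lines rather than failing the whole search
            day, _sender, subject = m.groups()
            tag = "Password Reset" if re.search(r"password reset", subject, re.I) else "Other"
            counts[(tag, day)] += 1
    per_type = {}
    for (tag, day), n in sorted(counts.items()):  # days with no events are not zero-filled
        per_type.setdefault(tag, []).append(n)
    return per_type


def detect_spike(log, sigma=2.0, exclude_latest=False):
    """Flag a Detect_Type whose latest day exceeds mean + sigma*stdev of its daily counts."""
    results = {}
    for tag, series in daily_counts(log).items():
        latest = series[-1]
        baseline = series[:-1] if exclude_latest else series  # stats over all bins includes it
        if len(baseline) < 2:
            continue  # stdev is undefined with fewer than two days of history
        avg, sd = mean(baseline), stdev(baseline)
        upper = avg + sigma * sd
        results[tag] = {"avg": avg, "stdev": sd, "latest": latest, "upper": upper,
                        "is_outlier": latest > upper}
    return results
```

With the sample, the burst of 9 reset mails is flagged at 2 standard deviations but not at 6, because the spike day itself inflates the baseline; computing the baseline from prior days only (`exclude_latest=True`) flags it even at 6.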