Use the Spoofed Emails (using the same Display name) playbook

  • 릴리스 버전: Australia
  • 업데이트 날짜 2026년 03월 12일
  • 소요 시간: 4분

    • Use this playbook to investigate Spoofed Emails, which get triggered when spoofed names for emails are sent to the organization's employees. The following steps give you a walkthrough of the actions, tasks, and subflows that are available in the Spoofed Emails (using the same Display name) playbook.

    시작하기 전에

    Role required:
    • sn_si.admin
    • flow_designer

    프로시저

    1. When the playbook is triggered and starts executing, in Action 1, you need to check if there are any continuous spoofed emails in Proofpoint.
    2. In Action 2, if there are continuous emails in Proofpoint, then check whether this an internal spoofed email or not.
    3. In Action 3, if this is an internal spoofed email, perform the following actions:
      1. In Action 5, you need to perform URL analysis using any sources like Virus Total, Anomali Threat stream Sandbox, urlquery.net, PhishTank (For example, check PhiskTank and Anomali).
      2. In Action 6, you need to investigate the URL on a Linux VM (For example, Ubuntu).
        그림 1. Spoofed Emails (using the same Display name) playbook
        Response task to investigate the URL on a Linux VM.
      3. In Action 7, you need to look up when the domain was created on WHOIS.
        Look for recently registered domains (within the last week) that are suspicious and have a high probability of phishing attacks.
      4. In Action 8, based on the investigation done so far, you need to check whether this email contains a malicious attachment or link.
        If this email doesn't contain a malicious attachment or link, then the flow ends.
        그림 2. Spoofed email contains malicious attachments or links
        Response tasks to check if the spoofed email contains malicious attachments or links.
      5. In Action 9, if the email contains malicious attachments or links, perform the following actions.
        1. In Action 10, you need to reach out to the affected user to check if the credentials are compromised. You can use the provided email template to contact the affected user.
        2. In Action 11, you need to check whether the credentials are compromised based on the email response. If the credentials weren’t compromised, then the flow ends.
          1. In Action 12, if the credentials are compromised, then in Action 13, you need to check if additional users are impacted. If no additional users are impacted, then the flow ends.
          2. In Action 14, if additional users are impacted, then perform the following actions:
            1. In Action 15, you need to search and delete emails using Microsoft Exchange Online.
            2. In Action 16, you need to block the sender and the malicious files or attachments on Office 365 and Proofpoint.
    4. In Action 17, if this isn’t an internal spoofed email, then you need to check if the affected user's system is impacted.
    5. In Action 18, if the user's system is impacted, then in Action 19, raise an IT ticket to reimage the impacted system.
      그림 3. Check if the affected user's system is impacted
      Response task to check if the affected user's system is impacted.
    6. In Action 20, a response task is created for you to complete the post-incident review before closing the task.