I've received about a dozen phishing attack emails from Microsoft's SharePoint service within the last couple of weeks. Only one of them was identified by SA as spam. After running the emails through sa-learn, they still only score a 4 to 4.5. But I could see that it would be easy for these emails to get classified as false positives and/or false negatives.

Has anyone developed a good way to identify these SharePoint phishing attacks without any false positives?

I'm leaning towards figuring out how I might inject some kind of prominent warning into the message to remind people not to click links they don't trust. That's not an ideal solution, but perhaps it is the best way to help protect users. I'm interested to hear what other options might be available.

Here is how SA scored one of the emails:

4.4/5.0
Spam detection software, running on the system "email.dondley.com",
has NOT identified this incoming email as spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview: Doris Feaster shared a file with you STRIP BANG THE ONLINE REAL & MOST POPULAR 100% TRUSTED NETWORK STRIPBANG GIVING FREE ELITE MEMBERSHIP
   AND 5000CR=$750 WINNER 2021 YOUR WINNING CODE - ( STBNG5000CR )

Content analysis details:   (4.4 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayes spam probability is 99 to 100%
                            [score: 1.0000]
 0.5 BAYES_999              BODY: Bayes spam probability is 99.9 to 100%
                            [score: 1.0000]
-0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
                            [52.100.189.222 listed in wl.mailspike.net]
-0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
                            no trust
                            [52.100.189.222 listed in list.dnswl.org]
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.5 SUBJ_ALL_CAPS          Subject is all capitals
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.1 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily
                            valid
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
                            author's domain
-0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
                            envelope-from domain
 0.0 UPPERCASE_50_75        message body is 50-75% uppercase

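An added example, not part of the original post and not SpamAssassin's own code: a Python sketch of the combination check the report above suggests, plus the warning banner the post leans towards. The idea is that the things that make the message look legitimate (sender at sharepointonline.com, the "shared a file with you" notice text) only qualify the content checks (all-caps subject, mostly upper-case body, prize/"winning code" wording), so ordinary share notifications are untouched. In SpamAssassin terms that is a `meta` rule along the lines of `__SP_FROM && __SP_SHARED && (SUBJ_ALL_CAPS || UPPERCASE_50_75 || __SP_BAIT)` scored on top of what Bayes already gives. The sender address, Subject line, sharepoint.com link and the benign second message are assumptions, since the post only shows the report and its content preview.

```python
import re
from email import message_from_string
from email.policy import default as default_policy

# Constructed sample modelled on the SpamAssassin report quoted in the post.
# The body text is the report's content preview; the From address, Subject
# line and the sharepoint.com link are assumptions filled in for this example.
SAMPLE = """\
From: Doris Feaster <no-reply@sharepointonline.com>
Subject: DORIS FEASTER SHARED STRIP BANG WINNER CODE WITH YOU
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Doris Feaster shared a file with you</p>
<p>STRIP BANG THE ONLINE REAL &amp; MOST POPULAR 100% TRUSTED NETWORK STRIPBANG
GIVING FREE ELITE MEMBERSHIP AND 5000CR=$750 WINNER 2021 YOUR WINNING CODE -
( STBNG5000CR )</p>
<p><a href="https://contoso-my.sharepoint.com/:b:/g/personal/doris/abc">Open</a></p>
</body></html>
"""

# Constructed benign share notification, to show the rule does not fire on it.
BENIGN = """\
From: Alice Example <no-reply@sharepointonline.com>
Subject: Alice Example shared "Q3 budget.xlsx" with you
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Alice Example shared a file with you.
Open: https://contoso-my.sharepoint.com/:x:/g/personal/alice/q3
"""

# Assumed sender domain for SharePoint notifications (the post does not show it).
SHAREPOINT_SENDER = re.compile(r"@(?:[\w-]+\.)*sharepointonline\.com\b", re.I)
SHARE_NOTICE = re.compile(r"\bshared (?:a |the )?(?:file|folder|document)s? with you\b", re.I)
# Heuristic lure wording; tune to what actually arrives at your site.
PRIZE_BAIT = re.compile(r"\bwinner\b|\bwinning code\b|\bfree\b.{0,20}\bmembership\b|\$\s?\d{3,}", re.I)
TAG = re.compile(r"<[^>]+>")
WARNING = ("WARNING: this SharePoint share notification was flagged as possible "
           "phishing. Do not open the file or follow the link unless you expected it.")

def parse(raw):
    return message_from_string(raw, policy=default_policy)

def text_of(msg):
    """Visible text of the preferred body part, with HTML tags stripped."""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return ""
    text = body.get_content()
    return TAG.sub(" ", text) if body.get_content_type() == "text/html" else text

def upper_ratio(text):
    """Fraction of alphabetic characters that are upper case (cf. UPPERCASE_50_75)."""
    letters = [c for c in text if c.isalpha()]
    return sum(c.isupper() for c in letters) / len(letters) if letters else 0.0

def sharepoint_indicators(msg):
    subject = str(msg.get("Subject", ""))
    body = text_of(msg)
    subj_letters = [c for c in subject if c.isalpha()]
    return {
        "from_sharepoint": bool(SHAREPOINT_SENDER.search(str(msg.get("From", "")))),
        "share_notice": bool(SHARE_NOTICE.search(body)),
        "subject_all_caps": bool(subj_letters) and all(c.isupper() for c in subj_letters),
        "body_mostly_upper": upper_ratio(body) >= 0.5,
        "prize_bait": bool(PRIZE_BAIT.search(subject + "\n" + body)),
    }

def is_suspicious_share(msg):
    """Legitimate-looking share notice whose content looks like a lure.
    The sender/notice checks match every real share, so they only qualify
    the content checks; this mirrors a SpamAssassin meta rule."""
    ind = sharepoint_indicators(msg)
    return ind["from_sharepoint"] and ind["share_notice"] and (
        ind["subject_all_caps"] or ind["body_mostly_upper"] or ind["prize_bait"])

def add_warning(msg, warning=WARNING):
    """Prepend a prominent warning to every text part of the message, in place."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            part.set_content(warning + "\n\n" + part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            banner = ('<p style="border:2px solid red;padding:8px;font-weight:bold">'
                      + warning + "</p>")
            if re.search(r"<body[^>]*>", html, re.I):
                html = re.sub(r"<body[^>]*>", lambda m: m.group(0) + banner, html,
                              count=1, flags=re.I)
            else:
                html = banner + html
            part.set_content(html, subtype="html")
    return msg

if __name__ == "__main__":
    for raw in (SAMPLE, BENIGN):
        msg = parse(raw)
        print(sharepoint_indicators(msg), "->", is_suspicious_share(msg))
        if is_suspicious_share(msg):
            print(add_warning(msg).as_string())
```

Two caveats. The sender regex is not an authentication check: on its own it is trivially spoofable, so in SA you would pair it with DKIM_VALID_AU and SPF_PASS, which the report shows already passing for the genuine Microsoft relays. And the banner is only useful if it is added after the verdict, at the MTA or milter stage, since SpamAssassin itself can rewrite the Subject and add headers but does not edit message bodies in its default configuration.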