Outlook Lifehack: Anticipating phishing test mails

Ever thought to outsmart phishing exercises and have Microsoft Outlook alerting you for phishing, upfront?

You can.

In short

Set a mail rule that

1. inspects the mail headers for X-PHISH and/or PHISHINGTEST tags…
2. Moves the incoming mail to a folder
3. Optionally flag the mail or set a category

Steps

Create a mail rule

Step 1: Select condition

Set : “specific words in the message header”

Set the tags

• X-PHISH
• PHISHTEST

There might be some variations on these tags.

Additionally, if you know phishing test mails are sent from specific domains… add the domain/mail server

Step 2: move it to specified folder in your mailbox

Other options

Some other ideas: set mail alerts or use Power Automate to alert you… (but that’s for another article)

Disclaimer

Obviously it only works for these specific mail header tags, if phishing tests use different headers or other approach, you’ll need to adapt. Don’t take this solution for granted.

And worse, the real stuff… is still out there attacking you.

Stay alert, don’t click on mails and links you don’t expect!

Advanced

While you never should click on any suspicious mail, suspicious links or links in these mails… it still might be a good exercise and learning item to inspect the mail header info.

Look for anomalies in

• mail sender name and published address mismatch with mailbox listed
• sender vs reply-to mismatch
• mail server mismatch with originating server
• mail domain mismatch with originating domain

Advisory – Best practice

If you suspect a mail to be the real thing, actual phishing, better report the mail as spam and forward it to your local CERT or local cybersecurity authority for analysis (and domain URL blocking)…

And message your security team they failed the phishing test 😉

See also

Some info for mail server administrators 😉

• https://learn.microsoft.com/en-us/answers/questions/238559/microsoft-outlook-search-including-message-headers
• https://support.phishingtackle.com/hc/en-gb/articles/360029672471-Allowlisting-by-Email-Headers-in-Exchange-2013-2016-or-Microsoft-365-formerly-Office-365-
• https://support.knowbe4.com/hc/en-us/articles/212723707-Whitelisting-by-Email-Header-in-Exchange-2013-2016-or-Microsoft-365

There is nothing new in the 2022 version of ISO27001 and ISO27002. [aka: How to match 2022 with 2013 version and easily fix your Statement of applicability (SoA).]

1. Introduction
2. The quick and dirty overview
3. A bit more details
4. Extra reading material
   1. So, what IS new then??
5. Background info
6. Conclusion
7. It’s not perfect, send your feedback.
8. Need more?

Introduction

Early last year ISO updated the ISO27002 to version 2022, putting the previous version to rest after almost 10 years.

The ISO27002:2022, “Information security, cybersecurity and privacy protection — Information security controls”; This document provides a set of guidelines for generic information security controls.
And in fact, it’s the foundation of the ISO27001 Annex (remember the annex is derived from the ISO27002).

The ISO27001:2022, published in october 2022, is a new land mark for information security and governance best practices and basics.

With the launch, there has been a lot of articles explaining what changed.

In numbers we went from 114 controls to 93, which looks like a compression but there are also 11 new controls added.

I explained this situation in an article I wrote early last year in #PECB Insights Magazine: here is the link

How Does the New Revision of ISO/IEC 27002 Affect ISO/IEC 27001 (PECB Insights Magazine, 25 mar 2022)

Most important : section “New controls in ISO/IEC 27002:2022”:

New as in, new named controls in ISO27002 version 2022… with explicit requirements.
But if you look into them, you’ll discover you can perfectly fit them in the existing ISO27001:2013 version to protect your environment.

And you should have them implemented already a long time ago.

They are not new to protect your current environment against the current cyber threats.

But how do you map these new ISO27002/ISO27001:2022 controls in the existing 2013 implementation?

The quick and dirty overview

A bit more details

A bit more explanation needed, check this XLS Spread Sheet.

personal-use-mapping-new-iso27001-2022-controls-to-iso27001-2013Download

Extra reading material

The various controls and clauses in the new ISO27002 provide some interesting references to other standards, you could check:

• Additional information relating to cloud services to be found in
  • ISO/IEC 17788,
  • ISO/IEC 17789 and
  • ISO/IEC 22123-1.
• Cloud portability support and exit strategies
  • ISO/IEC 19941.
• information security and public cloud services
  • ISO/IEC 27017.
• PII protection in public clouds
  • ISO/IEC 27018.
• Supplier relationships for cloud services
  • ISO/IEC 27036-4 and
• cloudservice agreements
  • ISO/IEC 19086 series,
• security and privacy specifically covered by
  • ISO/IEC 19086-4

• guidance on ICT readiness for business continuity :
  • ISO/IEC 27031.
• guidance on business continuity management systems
  • ISO 22301 and
  • ISO 22313.
• guidance on BIA
  • ISO/TS 22317.
• information on ICT security evaluation
  • ISO/IEC 15408 series.

Some free stuff: https://ffwd2.me/FreeISO

So, what IS new then??

For the hardcore perfectionistas: yes, the ISO27002 does update and change some the security controls, to be more modern.

Also the structural approach in the ISO27002 is now PPT, correction PPPT: Physical, People, Process and Technology (logical security tools).

But more important, major changes are actually present in the ISO27001 management clauses, not really in the ISO27002 (considering a reshuffle).
The most important update on the level of governance, compliance and audit DOES contain some important updates.

And it will be more result based, related to risk.

Do you want to know what has changed significantly, in de management processes, have a look at the presentation I hosted with PECB:

https://youtu.be/Vm8d-vIBNvo

You can download the presentation from slideshare:

ISO/IEC 27001:2022 – What are the changes? from PECB (at SlideShare)

And there is more interesting stuff as extra, on this LinkedIN article:

• How Does the New Revision of ISO/IEC 27002 Affect ISO/IEC 27001 (PECB Insights Magazine, 25 mar 2022)

Background info

• How Does the New Revision of ISO/IEC 27002 Affect ISO/IEC 27001 (PECB Insights Magazine, 25 mar 2022)
• PECB Event collaterals: ISO/IEC 27001:2022 – What are the changes? (LinkedIn)
• Webinar info: ISO/IEC 27001:2022 – What are the changes?
• Link of the recorded webinar on YouTube: https://youtu.be/Vm8d-vIBNvo
• Slides of the webinar: ISO/IEC 27001:2022 – What are the changes? from PECB (at SlideShare)

Conclusion

So, there is some work to do, moving from ISO27001:2013 to ISO27001:2022…

But make your life easy, fix the ISMS implementation now, update your SoA using the ISO27002 translation tables.
Watch out for the extra requirements in ISO27001 (As Koenraad Béroudiaux rightfully mentions on LinkedIn: check clause 4.4 and 8.1).

More info in the webinar.

Get ready!

It’s not perfect, send your feedback.

If you got improvement suggestions, let me know.

We can always make it better, together.

I’ll update the blog post and files with constructive suggestions.

Need more?

If you are curious about the topics below, let me know.

• personal use spreadsheet for SoA mapping 2022 and 2013 version
• personal use spreadsheet ISO27002:2022 categories to keep using the ISO27001, the same way you did before (organizing your ISMS with 14 business functions like management, HR, CISO, dev, legal, operations, …)

You know were to find me here on LinkedIn, here on Twitter, by mail, or direct messaging via Signal and other.