Outlook Lifehack: Anticipating phishing test mails

Ever thought of outsmarting phishing exercises and having Microsoft Outlook alert you to phishing test mails up front?

You can.

In short

Set a mail rule that

  1. inspects the mail headers for X-PHISH and/or PHISHINGTEST tags…
  2. moves the incoming mail to a folder
  3. optionally flags the mail or sets a category

Steps

Create a mail rule

Step 1: Select condition

Set: “specific words in the message header”

Set the tags

  • X-PHISH
  • PHISHTEST

There might be some variations on these tags.

Additionally, if you know phishing test mails are sent from specific domains… add the domain/mail server

Step 2: move it to specified folder in your mailbox

Other options

Some other ideas: set mail alerts or use Power Automate to alert you… (but that’s for another article)

Disclaimer

Obviously, it only works for these specific mail header tags. If phishing tests use different headers or another approach, you’ll need to adapt. Don’t take this solution for granted.

And worse, the real stuff… is still out there attacking you.

Stay alert, don’t click on mails and links you don’t expect!

Advanced

While you should never click on any suspicious mail, suspicious links or links in these mails… it might still be a good exercise and learning item to inspect the mail header info.

Look for anomalies in

  • mail sender name and published address mismatch with mailbox listed
  • sender vs reply-to mismatch
  • mail server mismatch with originating server
  • mail domain mismatch with originating domain
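
The checks in this list, together with the header-tag match from the mail rule, can be run over a saved message's raw headers. The script below is an added example, not part of the original article; the sample message, its domains and the finding labels are constructed for illustration, and using Return-Path and the newest Received header as the "originating" domain and server is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every name, domain and address here is made up.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from smtp.mailer.example.net (smtp.mailer.example.net [192.0.2.10])
\tby mx.corp.example with ESMTP; Mon, 1 Jan 2024 09:00:00 +0000
From: "it-support@corp.example" <helpdesk@corp-example.test>
Reply-To: collector@other.example.org
Subject: Password expires today
X-PHISHTEST: campaign-42

Please confirm your account.
"""
TEST_TAGS = ("X-PHISH", "PHISHTEST")  # tags named in the article

def domain(header_value):
    """Lower-cased domain of the address in a header value, '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def inspect_headers(raw):
    """Return heuristic findings; a hit is a reason to look closer, not proof."""
    msg = message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain(msg.get("From"))
    # Same idea as the Outlook rule: the tag appears anywhere in the headers.
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items()).upper()
    if any(tag in headers for tag in TEST_TAGS):
        findings.append("simulation-tag")
    # Display name shows an address that differs from the real mailbox.
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown and shown.group(0).lower() != from_addr.lower():
        findings.append("display-name-mismatch")
    # Reply-To and Return-Path (envelope sender) domains vs. the From domain.
    for header, label in (("Reply-To", "reply-to-mismatch"),
                          ("Return-Path", "return-path-mismatch")):
        other = domain(msg.get(header))
        if other and other != from_dom:
            findings.append(label)
    # Newest Received header: host that handed the mail over vs. From domain.
    hop = re.search(r"from\s+([\w.-]+)", msg.get("Received", ""))
    host = hop.group(1).lower() if hop else ""
    if host and host != from_dom and not host.endswith("." + from_dom):
        findings.append("received-host-mismatch")
    return findings
```

Legitimate bulk mail sent through a third-party mail service often trips the Return-Path and Received checks, so treat each finding as a prompt to look closer rather than a verdict.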

Advisory – Best practice

If you suspect a mail to be the real thing, actual phishing, better report the mail as spam and forward it to your local CERT or local cybersecurity authority for analysis (and domain URL blocking)…

And message your security team that they failed the phishing test 😉

See also

Some info for mail server administrators 😉
