mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-19 05:59:40 +03:00
886658219f
- Add mitre_f3 frontmatter block to 94 fraud-relevant skills (phishing, account takeover, banking malware, BEC, identity/KYC, payment/card fraud, money-mule/cash-out, ransomware extortion, DFIR, threat intel) - Map each skill to F3 v1.1 tactics + precise technique IDs, including the two F3-specific tactics ATT&CK lacks: Positioning (FA0001) and Monetization (FA0002) - All 123 F3 v1.1 technique IDs validated against the upstream STIX bundle (github.com/center-for-threat-informed-defense/fight-fraud-framework): 0 invalid IDs, 0 invalid tactics, 0 name mismatches, no placeholder IDs - mitre_f3 kept as a separate block from mitre_attack (F3 redefines several ATT&CK tactics for the fraud context) - Add docs/mitre-f3-mapping.md schema reference - Update README: F3 as the 6th framework, dedicated F3 section + badge
127 lines
4.9 KiB
Markdown
127 lines
4.9 KiB
Markdown
---
|
|
name: building-phishing-reporting-button-workflow
|
|
description: Implement a phishing report button in email clients with automated triage
|
|
workflow that analyzes user-reported suspicious emails and provides feedback to
|
|
reporters.
|
|
domain: cybersecurity
|
|
subdomain: phishing-defense
|
|
tags:
|
|
- phishing-reporting
|
|
- email-security
|
|
- incident-response
|
|
- security-awareness
|
|
- outlook
|
|
- microsoft-365
|
|
- soar
|
|
mitre_attack:
|
|
- T1566.001
|
|
- T1566.002
|
|
- T1598.003
|
|
- T1204.001
|
|
- T1534
|
|
mitre_f3:
|
|
version: '1.1'
|
|
tactics:
|
|
- reconnaissance
|
|
- resource-development
|
|
- initial-access
|
|
- stealth
|
|
techniques:
|
|
- id: T1598
|
|
name: Phishing for Information
|
|
tactic: reconnaissance
|
|
source: attack
|
|
- id: T1660
|
|
name: Phishing
|
|
tactic: initial-access
|
|
source: attack
|
|
- id: T1672
|
|
name: Email Spoofing
|
|
tactic: stealth
|
|
source: attack
|
|
- id: F1020.002
|
|
name: 'Create Fake Materials: Fake Website'
|
|
tactic: resource-development
|
|
source: f3
|
|
version: '1.0'
|
|
author: mahipal
|
|
license: Apache-2.0
|
|
nist_csf:
|
|
- PR.AT-01
|
|
- DE.CM-09
|
|
- RS.CO-02
|
|
- DE.AE-02
|
|
---
|
|
# Building Phishing Reporting Button Workflow
|
|
|
|
## Overview
|
|
A phishing reporting button empowers users to flag suspicious emails directly from their email client, creating a critical feedback loop between end users and the security operations center. Microsoft's built-in Report button is now the recommended approach, replacing the deprecated Report Message and Report Phishing add-ins. When combined with automated triage using SOAR platforms, reported emails can be classified, IOCs extracted, and remediation actions taken within minutes. Organizations with effective phishing reporting programs see 70%+ report rates in phishing simulations.
|
|
|
|
|
|
## When to Use
|
|
|
|
- When deploying or configuring building phishing reporting button workflow capabilities in your environment
|
|
- When establishing security controls aligned to compliance requirements
|
|
- When building or improving security architecture for this domain
|
|
- When conducting security assessments that require this implementation
|
|
|
|
## Prerequisites
|
|
- Microsoft 365 or Google Workspace with administrative access
|
|
- SOAR platform or automation capability (Microsoft Sentinel, Splunk SOAR, Cortex XSOAR)
|
|
- Dedicated reporting mailbox for phishing submissions
|
|
- Email security gateway with message retraction capability
|
|
- Security awareness training platform for feedback loop
|
|
|
|
## Workflow
|
|
|
|
### Step 1: Deploy Phishing Report Button
|
|
- Enable Microsoft built-in Report button via Security & Compliance Center
|
|
- Configure user reported settings: route to reporting mailbox and Microsoft
|
|
- For third-party: deploy KnowBe4 Phish Alert Button or Cofense Reporter
|
|
- Verify button appears in Outlook desktop, web, and mobile clients
|
|
- Configure report options: Report Phishing, Report Junk, Report Not Junk
|
|
|
|
### Step 2: Build Automated Triage Pipeline
|
|
- Configure reporting mailbox monitored by SOAR platform
|
|
- Auto-extract IOCs from reported emails: URLs, attachments, sender info, headers
|
|
- Submit URLs to VirusTotal, URLScan.io for reputation check
|
|
- Submit attachments to sandbox for dynamic analysis
|
|
- Check sender against known threat intelligence feeds
|
|
- Auto-classify: confirmed phishing, spam, simulation, legitimate
|
|
|
|
### Step 3: Implement Response Actions
|
|
- Confirmed phishing: auto-retract from all inboxes, block sender domain
|
|
- Confirmed spam: move to junk for all recipients
|
|
- Simulation email: mark as correctly reported, credit user
|
|
- Legitimate email: return to inbox, notify reporter
|
|
- Generate IOC report for threat intelligence team
|
|
|
|
### Step 4: Create Feedback Loop
|
|
- Send automated thank-you response to reporter within 5 minutes
|
|
- Include classification result when analysis completes
|
|
- Track reporter accuracy and engagement metrics
|
|
- Recognize top reporters in monthly security newsletter
|
|
- Feed reporting metrics into security awareness training program
|
|
|
|
### Step 5: Measure and Optimize
|
|
- Track mean time to triage (target: under 10 minutes automated)
|
|
- Monitor report volume trends and false positive rates
|
|
- Measure user reporting rate in phishing simulations
|
|
- Report on confirmed threats caught by user reports vs. gateway
|
|
- Optimize automation rules based on classification accuracy
|
|
|
|
## Tools & Resources
|
|
- **Microsoft Report Button**: Built-in Outlook phishing reporting
|
|
- **Cofense Reporter + Triage**: Enterprise phishing reporting and automated analysis
|
|
- **KnowBe4 Phish Alert Button**: Integrated reporting with simulation platform
|
|
- **Microsoft Sentinel**: SOAR automation for triage workflow
|
|
- **Proofpoint CLEAR**: Closed-loop email analysis and response
|
|
|
|
## Validation
|
|
- Report button visible and functional across all Outlook platforms
|
|
- Reported email arrives in dedicated mailbox within 60 seconds
|
|
- Automated triage classifies test phishing email correctly
|
|
- Auto-retraction removes confirmed phishing from all inboxes
|
|
- Reporter receives feedback notification with classification
|
|
- Metrics dashboard shows report volume and accuracy trends
|