Purpose:
To ensure there is a standard process for reviewing suspicious email.
Scope:
Service Desk
Responsibility:
Service Desk
Completion Criteria:
The email is proven to be spam, or the email passes all checks.
Records:
Halo.
Steps:
Review the email using the SLAM method (Sender, Links, Attachments, Message).
Sender
- Is the sender valid?
- Does the display name match the email address?
- Are the domain name and email address spelled correctly?
Links
- Are there links to websites? If so, copy and paste each link into VirusTotal to check it: https://www.virustotal.com/gui/home/url
- You can also open the link in the "Windows Sandbox" environment and review it there.
Attachments
- Are there attachments?
- What is the file type?
- Can it be uploaded to VirusTotal and scanned?
- Can it be scanned with SentinelOne?
- Can it be opened in the sandbox for review?
Message
- Does the message seem spammy?
- Are there misspellings?
- Does it make sense?
- Does it feel right?
What if it looks OK after SLAM?
- Run a Message Trace in Office 365.
- Was this sent to several users?
- If the email was sent to more than one person in the tenant, add the POC to the ticket, let them know which users received the spam email, and tell them those users will need to delete the email as well.
- If the email is malicious and the domain is malicious, block the domain and notify the POC that the domain has been blocked.
- Review the headers: DKIM, SPF, DMARC.
- If all looks legitimate, you can let the user know to check with the sender by phone if needed, and to always proceed with caution, but that as far as we can tell it is a valid email.
Use the template from Halo based on the findings:
- SLAM Pass
- SLAM Fail Risk Low or Spammy
- SLAM Fail Medium to High Risk of Spear Phish or Malicious
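As an added example (not part of this SOP or of Halo), the following Python helper pulls the facts the SLAM checklist and the header review above ask for out of a raw .eml file: the sender address and whether the display name points at a different domain, the SPF/DKIM/DMARC verdicts from the Authentication-Results header, the links to paste into VirusTotal or open in the sandbox, and the attachment names and types. The sample message, its domain names and the slam_flags summary are constructed assumptions, not real mail or an existing tool.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

# Constructed sample message, not a real email; the .test TLD is reserved for examples.
SAMPLE = b"""From: "ceo@example.com" <billing@examp1e-invoices.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-invoices.test; dkim=none; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review http://examp1e-invoices.test/pay now.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.docm"

--b1--
"""

def triage(raw: bytes) -> dict:
    """Pull the facts the SLAM checklist and the header review ask for out of a raw .eml."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Sender: a display name that carries its own address for a different domain is a mismatch.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display)
    mismatch = bool(embedded) and embedded.group(1).lower() != domain
    # Headers: SPF/DKIM/DMARC verdicts the receiving server recorded in Authentication-Results.
    auth = {m.lower(): r.lower() for h in msg.get_all("Authentication-Results", [])
            for m, r in AUTH_RE.findall(str(h))}
    # Links: every URL in the text/HTML parts, ready to paste into VirusTotal or open in the sandbox.
    links = {u.rstrip(".,;)") for p in msg.walk() if p.get_content_type() in ("text/plain", "text/html")
             for u in URL_RE.findall(p.get_content())}
    # Attachments: filename and declared type, to decide on VirusTotal / SentinelOne / sandbox review.
    attachments = [(p.get_filename(), p.get_content_type()) for p in msg.iter_attachments()]
    return {"sender": addr, "domain": domain, "display_name_mismatch": mismatch,
            "auth": auth, "links": sorted(links), "attachments": attachments}

def slam_flags(report: dict) -> list:
    # Findings to record in the Halo ticket; an empty list means the automated checks found nothing.
    flags = ["display name points at a different domain"] if report["display_name_mismatch"] else []
    flags += [f"{m}={r}" for m, r in report["auth"].items() if r != "pass"]
    flags += [f"link: {u}" for u in report["links"]]
    flags += [f"attachment: {n} ({t})" for n, t in report["attachments"]]
    return flags
```

The analyst still decides whether the sender is valid and whether the domain is spelled correctly; the helper only lists what to check.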
Process References:
- Create a relationship back to the related process. Note: Please add KB relationships to the core process, process, SOPs, or other WIs on the right.