In this post, we are going to teach you how to (potentially) filter mails from phishing campaigns that your employer sends to you. “But Steven, isn’t it a bad idea to teach users how to do this?” Look, buddy, it’s the job of the IT department to make sure that malicious mail doesn’t reach their inbox in the first place. I’m just helping them help themselves so they don’t accidentally click on one of these mails and have to sit through a soul-draining special training. Besides, if you’re a power user who reads this blog you are already clever enough to spot most real malicious mails.
What makes phishing mails from your employer a pain in the ass is that your IT department has opened the doors for them. Although everything about them would trigger your anti-spam solutions, the IT guys have made exceptions and special rules so these mails end up in your inbox. Which is the opposite of what they’d normally be doing. Because logic.
Fortunately, that helps us track down these phishing mails and helps us to block them using rules in Outlook. Here’s how you get the job done.
First of all, you need to open one of the phishing mails in your inbox.
- Don’t click any links (otherwise you’ll get fake points deducted) but double-click the mail so it opens in a new window
- In the new window, go to File and then click “Properties”
In the “Properties” window, scroll down to the “Internet headers” section. Copy all the content you see there and paste it in your favorite text editor.
Next, you will need to know what tool your employer is using for their phishing campaigns. How you achieve that is up to you. You could ask IT, click one of the links or simply look for anything that sounds familiar. What you need to do next is search the headers for anything that resembles the name of the vendor. These headers start with X- and usually look something like X-((OurPhishingCompany)). Once you have found a header that matches the vendor your employer is using, copy it.
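The header search described above can also be done with a short script instead of by eye. This is an added example, not part of the original post: the sample headers are constructed, `X-OurPhishingCompany-Campaign` stands in for whatever your vendor uses, and the list of prefixes to ignore is an assumption about which X- headers Microsoft 365 adds to ordinary mail.

```python
from email.parser import HeaderParser

# X- header prefixes that Exchange / Microsoft 365 add to most mail (assumed
# list); they are skipped so that vendor-specific headers stand out.
COMMON_PREFIXES = ("x-ms-", "x-microsoft-", "x-forefront-",
                   "x-originating-ip", "x-mailer")

# Constructed sample of a pasted "Internet headers" block, with folded lines.
SAMPLE = """\
Received: from mail.example.net (192.0.2.10) by mx.example.com;
 Mon, 6 Jan 2025 09:00:00 +0000
From: "IT Helpdesk" <helpdesk@example.net>
Subject: Password expires today
X-MS-Exchange-Organization-SCL: -1
X-Forefront-Antispam-Report: CIP:192.0.2.10;CTRY:;SFV:SKN;
 SCL:-1;
X-Mailer: ExampleMailer 1.0
X-Campaign-Tracking: 12345
X-OurPhishingCompany-Campaign: awareness-q1;
 recipient=42
"""

def candidate_headers(raw_headers, vendor_hint=None):
    """Return (name, value) pairs of uncommon X- headers to try in a rule.

    Headers whose name or value contains vendor_hint are listed first.
    """
    msg = HeaderParser().parsestr(raw_headers)
    seen, candidates = set(), []
    for name, value in msg.items():
        lowered = name.lower()
        if not lowered.startswith("x-") or lowered in seen:
            continue  # not an X- header, or already listed
        if lowered.startswith(COMMON_PREFIXES):
            continue  # added by the mail platform, not by the vendor
        seen.add(lowered)
        # Folded headers span several lines; join them into one.
        candidates.append((name, " ".join(value.split())))
    if vendor_hint:
        hint = vendor_hint.lower()
        # Stable sort: matches (key False) come before non-matches (key True).
        candidates.sort(key=lambda nv: hint not in (nv[0] + nv[1]).lower())
    return candidates

if __name__ == "__main__":
    for name, value in candidate_headers(SAMPLE, "OurPhishingCompany"):
        print(f"{name}: {value}")
```

Paste your own header block in place of `SAMPLE` and pass whatever vendor name you suspect as the hint.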
Next, we are going to create a rule in Outlook. It’s best to do this in the online version of Outlook for the Office365 users amongst us.
In Outlook, click the three dots for “more settings”.
- Click …
- Click Rules > Manage rules
In the “Rules” tab, click “Add new Rule”
- Choose a name for the rule
- Under “Add a Condition”, choose “Message header includes”. For the value, type the header that you discovered in the e-mail. You can also add multiple headers if you’re not sure
- Under “Add an action” choose the option you want to take. In my case, I am moving all mails to a special folder where they’re never read.
- Finally, save the rule.
And that’s it! If you’ve set things up properly, you should never see a single phishing campaign in your inbox again. If at first you don’t succeed, try looking at the header content for other headers to try. Experiment until you get it working. To help you get started, we have a list of headers that have worked for us. Feel free to comment your own in the replies!
List of headers