Start by searching the Internet history and the email on the workstation: Internet history first, then the email.
The condition code looks like (all from a default condition):
f() Main
if Url Name find []
or Url Name find []
When you run this code, it will prompt you for the sites. If you have a large list like us, you may need to do this in batches. If this yields results, look for the email that the person received: having the email and proof that the site was visited is what you need. To really seal the deal, make sure that you know the structure of the phishing site. Someone can only visit the second page of the site or post to a URL if they capture details...
If you don't get a hit in the Internet history, it's time to pull out the full keyword search and come back in the morning.
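The same triage can be run outside the forensic tool once the history and email are exported. The sketch below is an added example, not code from the original post: it matches on hostname rather than a substring find, records whether the second page of a site was reached, and pairs each hit with the latest earlier email naming that host. All site names, paths, timestamps and the export layout are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data: hypothetical phishing hosts and, for each, the path of
# the second page that is only reached after the form on the landing page is used.
PHISHING_SITES = {
    "login-example-bank.test": {"second_page": "/verify"},
    "mail-update.test": {"second_page": "/done.php"},
}

# Constructed history export: (visit time in ISO 8601, URL).
HISTORY = [
    ("2024-03-04T09:12:10", "http://login-example-bank.test/index.html"),
    ("2024-03-04T09:13:02", "http://login-example-bank.test/verify?step=2"),
    ("2024-03-04T09:20:00", "https://search.test/?q=login-example-bank.test"),
    ("2024-03-05T14:00:00", "http://mail-update.test/"),
]

# Constructed email export: (received time in ISO 8601, message body).
EMAILS = [
    ("2024-03-04T09:05:00",
     "Your account is locked: http://login-example-bank.test/index.html"),
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def find_hits(history, sites, emails):
    """Return one finding per phishing host that appears in the history."""
    findings = {}
    for ts, url in history:
        host = host_of(url)
        if host not in sites:  # a search-engine query naming the site is not a visit
            continue
        f = findings.setdefault(
            host, {"first_visit": ts, "second_page": False, "email": None})
        f["first_visit"] = min(f["first_visit"], ts)  # same-format ISO strings sort by time
        if urlsplit(url).path.startswith(sites[host]["second_page"]):
            f["second_page"] = True
    for host, f in findings.items():
        # Latest email that names the host and arrived before the first visit.
        prior = [t for t, body in emails
                 if host in body.lower() and t <= f["first_visit"]]
        f["email"] = max(prior) if prior else None
    return findings


if __name__ == "__main__":
    for host, finding in find_hits(HISTORY, PHISHING_SITES, EMAILS).items():
        print(host, finding)
```

A finding with `second_page` set and a matching `email` is the strongest case; a hit with no email is the cue to widen the search.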
Get in touch if you want screenshots of the process...