OODA Loop: A phishing decision cycle with Enveloperty

Mar 10, 2020 | Behavioral InfoSec


Email is an adversarial ecosystem, a head-to-head contest. Attackers are trying to get to you, just as you are trying to dodge them and get to your own people. The OODA loop gives structure to how a person takes in a new scenario and decides on an action under those adversarial conditions. The idea is that this is a teachable, repeatable framework your employees can use with Enveloperty. To hackers, your employees are prey. Just like in the wild, being a little slow or sloppy can cost you, and you never know when a predator is going to jump out. This framework gives them a definite way to handle whatever comes.

1.) Observe

What about this message is odd?

The first step is to have a sense that something isn’t right. Call it a spidey sense, or a big red block next to an email; something needs to alert you. Then you can start taking in information about your situation.

For example, you open an email that came in on the persona registered to a vice president, but it carries a yellow suspicious label. The email asks for a wire transfer to pay a vendor, which is a normal request from this person. But the yellow label makes you suspicious.

2.) Orient

How does this oddity relate to what I’m doing?

This doesn’t make sense. You email this person frequently and he is very important; everything from him should be green. The yellow warning means the sender isn’t trusted for the persona they are sending to. So you look at the sender address and compare it to a previous green email you got from him. It looks the same to you, but the alert is there for a reason. It turns out the sender of this email used a look-alike Latin character to impersonate your vice president contact.
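The Orient step hinges on noticing that a sender address which looks identical to a trusted one differs at the code-point level. As an added example (not Enveloperty's code; the persona address, sender names and the trusted-sender table are constructed, and the confusables map is a small hand-picked subset), this Python check models a persona's trusted-sender list, labels an incoming sender green or yellow, and for a yellow result reports whether it is a look-alike of a trusted address and which non-ASCII characters were substituted:

```python
import unicodedata

# Constructed example data (hypothetical names): one Enveloperty-style persona,
# i.e. the per-contact address, mapped to the single sender trusted to use it.
TRUSTED_SENDERS = {
    "vp-finance.7f3a@inbox.example": {"j.doe@corp.example"},
}

# Small constructed subset of Unicode confusables (Cyrillic/Greek look-alikes of
# ASCII letters). A production check would use the full UTS #39 table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0131": "i", "\u03bf": "o",
}


def skeleton(addr: str) -> str:
    """Reduce an address to the ASCII string a human would *see*."""
    out = []
    for ch in unicodedata.normalize("NFKC", addr.lower()):
        ch = CONFUSABLES.get(ch, ch)
        # Strip accents: decompose, then drop combining marks (e.g. é -> e).
        base = "".join(c for c in unicodedata.normalize("NFKD", ch)
                       if not unicodedata.combining(c))
        out.append(base)
    return "".join(out)


def suspicious_chars(addr: str) -> list[str]:
    """Name every non-ASCII code point so an analyst can see the substitution."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, '?')}"
            for c in addr if ord(c) > 127]


def classify(persona: str, sender: str) -> dict:
    """Green if the sender is trusted for this persona, yellow otherwise;
    a yellow verdict also says whether it merely *looks like* a trusted sender."""
    trusted = TRUSTED_SENDERS.get(persona, set())
    if sender.lower() in trusted:
        return {"label": "green", "reason": "sender is trusted for this persona"}
    verdict = {"label": "yellow", "reason": "sender is not trusted for this persona",
               "lookalike_of": None, "odd_chars": suspicious_chars(sender)}
    for t in trusted:
        if skeleton(sender) == skeleton(t):
            verdict["lookalike_of"] = t
            verdict["reason"] = ("sender looks identical to a trusted address "
                                 "but differs by code point")
    return verdict
```

Surfacing the substituted code point alongside the yellow label is what lets a recipient move from "it looks the same to me" to a confident Orient.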

3.) Decide

How do I handle this?

Now you have caught someone trying to spear phish you while pretending to be a vice president you email. What next? For starters, you know the leak came from the VP: he was the only one who had that address, so you have attribution. And since they spoofed his address rather than sending from his actual account, you know this isn’t business email compromise.

4.) Act

How many button clicks to solve?

Now it is time to put the plan into action. This needs to be as frictionless as possible: if the acting step takes too much effort, victims are discouraged from reporting. With Enveloperty, it is four clicks to authoritatively remove a contact from emailing you. This isn’t adding the sender to some blacklist; it entirely removes their single point of contact with you. They can try to resell that address or send from different accounts, and it still won’t reach you.