Excelling at Excel, Part 4

Posted on by

Excel is the emperor of automation. Not the SOAR type, but the local one – yours.

Why?

Its formulas and VBA capabilities can turn many awfully mundane tasks into plenty of automation opportunities…

For instance… certain programming tasks.

The case/switch syntax is a beautiful construct. It allows us to define a large set of complex if/then statements in a very elegant way. It is very often used to split a data/value set into conditions that determine the result/output/outcome based on the input.

Now, there are some programming languages that do not support case/switch statements well (not a part of its functional specification, introduced in late versions hence not fully compatible, etc.).

Writing case/switch statements for these languages is TOUGH. This is because their limitations often force us to rely on a bunch of NESTED IF clauses… Writing many of these, nested, is not for the faint-hearted. Typos, incorrect number of opening or closing parenthesis, and overall — getting lost in the complexity of this nested logic is very easy.

And this is where Excel can help a lot.

Imagine a hypothetical scenario where you have to write a code that gets this input data (names that are a loose set of Value1, Value2, Value3) to generate the output (A, B, C, D, E) based on peoples’ names:

It’s pretty straightforward in case/switch supporting programming languages to define rules based on this set, but if the only thing available are nested ifs – it’s much harder.

Let’s try though…

The first idea we can tackle is to convert these 3 values (some are empty) to an array of per-row list of values:

You will admit that the List column looks more ‘programmer friendly’ now.

The formula that produces the values in the List column is obscenely simple:

We simply build a parenthesis-embraced list of values where the first one is always present, and the two others are added only if the respective cells are not empty.

Trivial!

But how do we convert this list of values into a programmatic construct that gives us A, B, C, D or E depending on the name (one of these three values/per row)?

This is one way to do it (using ternary operator):

(if (name in ('John', 'Jack', 'Anne') ? 'A' : (if (name in ('Peter') ? 'B' : (if (name in ('Kate', 'Leo') ? 'C' : (if (name in ('Paul', 'Ariel', 'Fyodor') ? 'D' : (if (name in ('Amy', 'Maria') ? 'E' : "N/A"))))))))))

If you are curious where the formula comes from — it is from the very same spreadsheet – it is the value of the F2 cell:

And how did we build this one?

This is how:

What we do here is building a basic ternary logic where we take the one part of the comparison from the current row, and then the alternative is taken from the row below. In the end, the sort-of recursion happens and we end up with a sequence of nested ternary operators doing its work.

It may be a bit surprising, but using Excel for building complex logical statements like the one above, the one that in the end can be pasted directly to your favorite programming editor is actually very easy…

You benefit from the fact the input data is saved in Excel format and is easy to edit, plus – as long as the formulas are correct – the resulting nested constructs are written (generated) in a syntactically correct way and with far less chances to introduce a basic typo error.

Shall we say… Good bye, phishing queue? Part 2

Posted on by

In my older piece I argued that we should stop caring about phishing alerts. Of course, it was a bit of a parable…

Still, there is a lot of quick wins I described there that can be implemented/incorporated into phishing workflows easily – as long as you have some sort of automation/SOAR in place…

As I mentioned back then, any emails marked as phish that come from all these ‘noreply’, ‘no-reply’, ‘donotreply’ mailboxes coming from well known domains can be (most of the time) auto-closed w/o any investigation…

Easy to say, but what are these really…?

While I have personally collected a long list of these nothingburger email senders before, I got curious how many of these generic ‘do not reply’ type of email accounts are really out there, and not within a single company’s scope, but in general (that is, just email account names hosted on popular domains that belong to the ‘do nothing’ category).

If asked about listing these passive account names from the top of your head I bet you would start with ‘noreply’, ‘no-reply’, and all the variants of ‘donotreply’, then you would perhaps follow with ‘contact’, ‘info’, ‘abuse’, ‘webmaster’, and so on and so forth, but … this is just a guesswork. I thought this approach was too speculative and that we can build a more more comprehensive list of these w/o guessing. And mind you, this IS a very difficult request to fulfill. Unless you work for a company working in the mail security business, that is…

And since I don’t, let’s get creative…

I wrote a quick & dirty script that goes through a batch of files containing email addresses extracted from various public e-mail dumps. It reads them one by one and it tries to extract some basic stats about them. A lot of results are quite boring and non-actionable, many are discarded ‘on the fly’, but after running it for a few days, adjusting it here and there, my goal of building an _inaccurate_ histogram of the most commonly used do-not-reply account names started to bring fruits. And while I am writing this, my script is still running, but there are a lot of juicy results already, so I am going to share them below…

Before I do so, let me help you with an interpretation.

For every account name I am listing, try to find out if any of these come from the domains that are generally trustworthy. And the good news is — chances are, many of them contribute to your phishing alert volumes!

For example, a noreply@facebook.com is trustworthy, but noreply@skdjfhskdjfgj.com is not.

Now that we have all these pieces of information in place, let’s look at the actual list of email accounts of ‘no interest’:

  • info@
  • mail@
  • admin@
  • net@
  • office@
  • sales@
  • contact@
  • master@
  • life@
  • best@
  • webmaster@
  • email@
  • home@
  • support@
  • purchase@
  • myspace@
  • boss@
  • sample@
  • style@
  • smile@
  • av@
  • online@
  • accounts@
  • design@
  • box@
  • test@
  • web@
  • service@
  • www@
  • world@
  • null@
  • bill@
  • live@
  • no@
  • post@
  • game@
  • hot@
  • off@
  • new@
  • marketing@
  • all@
  • spam@
  • shop@
  • club@
  • demon@
  • sex@
  • org@
  • hi@
  • team@
  • kontakt@
  • student@
  • house@
  • games@
  • here@
  • work@
  • city@
  • job@
  • fly@
  • free@
  • hello@
  • weber@
  • top@
  • fun@
  • user@
  • money@
  • player@
  • auto@
  • personal@
  • price@
  • link@
  • time@
  • beauty@
  • manager@
  • geo@
  • manu@
  • seo@
  • jenkins@
  • project@
  • dummy@
  • photo@
  • business@
  • company@
  • records@
  • show@
  • productions@
  • foto@
  • legend@
  • dev@
  • space@
  • cash@
  • miles@
  • first@
  • bot@
  • help@
  • core@
  • facebook@
  • beer@
  • blog@
  • unit@
  • agent@
  • song@
  • flash@
  • opt@
  • list@
  • noemail@
  • gaming@
  • secret@
  • ads@
  • travel@
  • market@
  • football@
  • speed@
  • trade@
  • mini@
  • freedom@
  • services@
  • postmaster@
  • ebay@
  • corp@
  • staff@
  • unknown@
  • lost@
  • bug@
  • login@
  • moto@
  • editor@
  • sound@
  • force@
  • vkontakte@
  • wizard@
  • english@
  • people@
  • party@
  • abuse@
  • dhl@
  • fedex@
  • ups@
  • studio@
  • play@
  • submit@
  • biuro@
  • yahoo@
  • soft@
  • account@
  • booking@
  • kids@
  • adidas@
  • system@
  • expert@
  • freelife@
  • forum@
  • mailbox@
  • photography@
  • fantasy@
  • production@
  • administrator@
  • designer@
  • chef@
  • inbox@
  • official@
  • social@
  • minecraft@
  • shopping@
  • paypal@
  • united@
  • entertainment@
  • customerservice@
  • creative@
  • consulting@
  • reception@
  • invitado@
  • consult@
  • vision@
  • away@
  • network@
  • education@
  • robot@
  • nomail@
  • nothing@
  • digital@
  • solutions@
  • taxi@
  • training@
  • noreply@
  • today@
  • agency@
  • purchasing@
  • security@
  • commerciale@
  • community@
  • studios@
  • connect@
  • newsletter@
  • nobody@
  • food@
  • youth@
  • oops@
  • construction@
  • society@
  • registrar@
  • transport@
  • audio@
  • nospam@
  • member@
  • junkmail@
  • secretary@
  • enquiry@
  • surveys@
  • articles@
  • enterprise@
  • bookings@
  • segreteria@
  • information@
  • communication@
  • commercial@
  • event@
  • photos@
  • yourmail@
  • central@
  • inform@
  • tours@
  • operator@
  • factory@
  • direct@
  • import@
  • realtor@
  • misc@
  • xpress@
  • virtual@
  • premium@
  • amazon@
  • capital@
  • research@
  • exclusive@
  • biznes@
  • oracle@
  • corporation@
  • summit@
  • inquiry@
  • daemon@
  • massage@
  • officiel@
  • associates@
  • culture@
  • cartoon@
  • navigator@
  • platinum@
  • poczta@
  • sazonova@
  • redaktion@
  • local@
  • website@
  • partners@
  • johncena@
  • realestate@
  • firefox@
  • resident@
  • advertising@
  • anonim@
  • source@
  • technik@
  • response@
  • mobility@
  • traffic@
  • custom@

There are many more and I recommend that you look at your phishing queue and analyze senders, and people who are too trigger-happy to submit phish reports to your SOC. Stats like this can give you plenty of opportunities to both automate auto-closures, and educate trigger-happy users.