How to Use Firewall Logs to Detect Phishing and Email-Based Threats

Detecting Phishing and Email-based Threats with Firewall Logs

Rakesh Kumar, CEO & Founder Director, P J Networks Pvt Ltd.

So here I am, at my desk after the third cup of coffee — still buzzing from DefCon’s hardware hacking village, and I gotta say, I’m excited about the role that firewall logs can play in the war against phishing attacks. I’ve been around since the dawn — been a network admin since ’93, fought with voice and data mux over PSTN, had my own hands on the Slammer worm firsthand (that was a wild ride), and now I run a cybersec consultancy.

I’ve witnessed the evolution of the threat landscape, but some things haven’t changed. Phishing is still the sneaky petty little devil it always was. But here’s the thing: firewall logs can be your best buddies when it comes to sniffing out those email threats.

Let’s get to it — because whether you’re running a bank or a small biz, killing off phishing early stops a problem before it snowballs into havoc.

Identify Suspicious Email Activity

In the earlier days, detecting shady traffic involved a lot more manual intervention — packet captures, protocol analyzers, you get the picture. Firewall logs provide a front-row view of all the mail traffic that passes through your network.

Here’s a little refresher: firewalls log everything — incoming, outgoing, protocols (including SMTP), ports, IP addresses, payload sizes, and packet flags in some cases. This is where firewall logs really come into their own, because they help you identify anomalies that don’t fit your established traffic patterns.

Phishing emails are usually sent from known-bad IP addresses or other compromised systems, and they often generate unusual connections that show up in firewall logs. For example:

  • Inbound SMTP traffic surges from unknown or recently registered IPs.
  • Outbound SMTP connections from arbitrary non-mail servers on your network (hi, pwn3d workstation!).
  • Email services appearing on unexpected ports (who legitimately opens SMTP over TLS on some random high port?).

When I helped a couple of banks deploy zero-trust architectures over the last few months, one of the coolest things we did was tie firewall log monitoring tightly into their phishing detection systems. The logs flagged rogue email-sending behavior before the user had even realized something was wrong.

I know, I’m a little old school, but sometimes you have to trust YOUR eyes and gut, not just the automated alerts.

Monitoring SMTP Logs

SMTP is the backbone of email. But it’s also a plaything and a playground for attackers. Your firewall logs just about every SMTP session started or accepted on your network — and that is gold if you know what you are looking for.

Look out for:

  • Multiple connection attempts to outside mail servers that your organization doesn’t usually use.
  • Mail traffic from internal IPs that typically don’t send e-mail (desktops, IoT devices, etc.).
  • Large email message sizes sent en masse — possible data exfiltration or phishing with attachments.
  • SMTP sessions with no authentication or failed authentication — usually a sign of automated spam or a botnet being used to spam.
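To make the two lists above concrete (the anomalies in the “Identify Suspicious Email Activity” section and the SMTP indicators just listed), here is an added example script that is not part of the original post. It runs over a constructed key=value firewall log (RFC 5737 documentation addresses), and the internal address space, the mail relay, the known external MX hosts and the thresholds are all assumptions you would replace with your own environment. Note that a firewall sees sessions, not SMTP authentication, so the failed-auth indicator has to come from the mail server’s own logs.

```python
"""Flag suspicious SMTP activity in firewall connection logs.

Added example, not code from the original post. The log format below is an
assumed key=value export; adapt KV_RE and the field names to your firewall.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed environment: the one legitimate internal mail relay, the external
# MX hosts it normally talks to, and the address space that counts as "inside".
MAIL_SERVERS = {"10.0.0.5"}
KNOWN_EXTERNAL_MX = {"198.51.100.7"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SMTP_PORTS = {25, 465, 587}
INBOUND_SURGE_THRESHOLD = 5       # sessions from one outside IP in the sample window
LARGE_SESSION_BYTES = 20_000_000  # one SMTP session moving this much is worth a look

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z action=allow src=10.0.0.5 dst=198.51.100.7 proto=tcp spt=40001 dpt=25 bytes=4200
2024-05-01T09:00:03Z action=allow src=10.0.0.21 dst=203.0.113.9 proto=tcp spt=51234 dpt=25 bytes=900
2024-05-01T09:00:04Z action=allow src=10.0.0.21 dst=203.0.113.10 proto=tcp spt=51235 dpt=587 bytes=800
2024-05-01T09:00:05Z action=allow src=192.0.2.44 dst=10.0.0.5 proto=tcp spt=33000 dpt=25 bytes=600
2024-05-01T09:00:06Z action=allow src=192.0.2.44 dst=10.0.0.5 proto=tcp spt=33001 dpt=25 bytes=600
2024-05-01T09:00:07Z action=allow src=192.0.2.44 dst=10.0.0.5 proto=tcp spt=33002 dpt=25 bytes=600
2024-05-01T09:00:08Z action=allow src=192.0.2.44 dst=10.0.0.5 proto=tcp spt=33003 dpt=25 bytes=600
2024-05-01T09:00:09Z action=allow src=192.0.2.44 dst=10.0.0.5 proto=tcp spt=33004 dpt=25 bytes=600
2024-05-01T09:00:11Z action=allow src=192.0.2.99 dst=10.0.0.30 proto=tcp spt=44000 dpt=25 bytes=300
2024-05-01T09:00:20Z action=allow src=10.0.0.5 dst=198.51.100.7 proto=tcp spt=40002 dpt=25 bytes=26000000
2024-05-01T09:00:21Z action=allow src=10.0.0.30 dst=10.0.0.5 proto=tcp spt=50000 dpt=443 bytes=100
"""


def parse_line(line):
    """Turn one key=value log line into a dict; numeric fields become ints."""
    fields = dict(KV_RE.findall(line))
    for key in ("spt", "dpt", "bytes"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_smtp_anomalies(lines):
    """Return a list of (finding, subject, detail) tuples for SMTP-port sessions."""
    findings = []
    inbound_by_src = Counter()
    odd_mx_by_src = defaultdict(set)
    for rec in (parse_line(line) for line in lines if line.strip()):
        if rec.get("dpt") not in SMTP_PORTS:
            continue
        src, dst = rec["src"], rec["dst"]
        if is_internal(src) and not is_internal(dst):
            # Outbound mail should only ever originate from the relay.
            if src not in MAIL_SERVERS:
                findings.append(("outbound_smtp_from_non_mail_host", src, dst))
            if dst not in KNOWN_EXTERNAL_MX:
                odd_mx_by_src[src].add(dst)
            if rec.get("bytes", 0) >= LARGE_SESSION_BYTES:
                findings.append(("large_outbound_smtp_session", src, rec["bytes"]))
        elif not is_internal(src) and is_internal(dst):
            inbound_by_src[src] += 1
            # Nothing but the relay should accept mail from the outside.
            if dst not in MAIL_SERVERS:
                findings.append(("inbound_smtp_to_non_mail_host", src, dst))
    for src, count in inbound_by_src.items():
        if count >= INBOUND_SURGE_THRESHOLD:
            findings.append(("inbound_smtp_surge", src, count))
    for src, hosts in odd_mx_by_src.items():
        findings.append(("unusual_external_mail_servers", src, sorted(hosts)))
    return findings


def run_sample():
    return detect_smtp_anomalies(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

On the sample it flags the workstation 10.0.0.21 talking SMTP to two mail servers nobody has heard of, an outside host hammering the relay with five sessions in seconds, an outside host delivering mail straight to a desktop, and a 26 MB outbound session from the relay. The thresholds are deliberately low for a handful of lines; tune them against a week of your own baseline before you alert on them.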

Here’s a little confession: I didn’t pay enough attention to SMTP logs early on in my career. Wrote them off as background noise. Big mistake. When the Slammer worm struck, those logs were mission critical in determining how it propagated across the network. Fast forward to today: I always recommend making SMTP events a central part of your firewall monitoring.

And to everyone touting the accuracy of AI-powered email security solutions: don’t get me wrong, automation is useful, but it CAN produce too many false positives (or worse, false negatives). Your firewall logs, on the other hand, are raw data: no fluff, no interpretation, just the facts. And those facts help you triangulate threats before they explode into a bona fide breach.

Identifying Suspicious Outbound Requests

Phishing is often not about the email at all, but about what comes afterwards. The moment a user clicks that link, the victim machine often phones home to command-and-control servers or downloads extra payloads.

This is where firewall logs shine, by calling attention to:

  • Outbound connections to unusual domain names or IP addresses that your threat intelligence has marked as malicious, or that are simply unfamiliar.
  • An unusual spike in DNS queries or HTTP/S requests from mail client machines to dubious URLs.
  • Unusual traffic patterns — a user machine, for example, suddenly sending SMTP outbound or making HTTP POSTs on non-standard ports.

From a practical standpoint, I always recommend implementing logging filters on outbound requests with the following characteristics whenever I work with clients:

  • Outbound traffic to new or unrecognized domain names (possible phishing redirect).
  • Higher number of ephemeral connections to multiple external domains — phishing infrastructure often leverages fast-flux domains.
  • Connections to IP addresses not previously covered by your geolocation rules.
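Here is an added example (not from the original post) of the three outbound filters above as code: first-seen domains against a baseline, a per-host fan-out counter for the fast-flux pattern, and HTTP POSTs to non-standard ports. The events are constructed records in an assumed schema (already parsed out of DNS and web logs), the baseline and thresholds are assumptions, and the registrable-domain helper is deliberately naive; a real deployment would use the Public Suffix List.

```python
"""Spot phishing follow-on traffic: first-seen domains, DNS fan-out, odd POSTs.

Added example, not from the original post. Input events are already-parsed
records (DNS queries and HTTP requests seen at the firewall); the fields are
an assumed schema. The "registrable domain" helper is deliberately naive
(last two labels): use the Public Suffix List in production.
"""
from collections import Counter, defaultdict

KNOWN_DOMAINS = {"example.com"}   # assumed baseline of domains resolved before
FAN_OUT_WINDOW_SECONDS = 60
FAN_OUT_THRESHOLD = 5             # distinct domains per host per window
STANDARD_WEB_PORTS = {80, 443}

# Constructed sample events (ts = seconds since the start of the capture).
SAMPLE_EVENTS = [
    {"ts": 0,  "src": "10.0.0.21", "type": "dns",  "qname": "mail.example.com"},
    {"ts": 2,  "src": "10.0.0.21", "type": "dns",  "qname": "login.secure-update.test"},
    {"ts": 4,  "src": "10.0.0.21", "type": "dns",  "qname": "cdn1.flux-a.test"},
    {"ts": 6,  "src": "10.0.0.21", "type": "dns",  "qname": "cdn2.flux-b.test"},
    {"ts": 8,  "src": "10.0.0.21", "type": "dns",  "qname": "cdn3.flux-c.test"},
    {"ts": 10, "src": "10.0.0.21", "type": "dns",  "qname": "cdn4.flux-d.test"},
    {"ts": 12, "src": "10.0.0.21", "type": "http", "method": "POST",
     "dst": "203.0.113.77", "dst_port": 8443, "host": "login.secure-update.test"},
    {"ts": 15, "src": "10.0.0.40", "type": "dns",  "qname": "www.example.com"},
    {"ts": 300, "src": "10.0.0.40", "type": "http", "method": "GET",
     "dst": "198.51.100.20", "dst_port": 443, "host": "www.example.com"},
]


def registrable(name):
    """Naive registrable domain: last two labels, lower-cased, no trailing dot."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def first_seen_domains(events, baseline=KNOWN_DOMAINS):
    """Domains queried that the environment has never resolved before.
    Returns {domain: (first_src, first_ts)} in order of first appearance."""
    seen = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] != "dns":
            continue
        dom = registrable(e["qname"])
        if dom not in baseline and dom not in seen:
            seen[dom] = (e["src"], e["ts"])
    return seen


def fan_out_hosts(events, window=FAN_OUT_WINDOW_SECONDS, threshold=FAN_OUT_THRESHOLD):
    """Hosts that resolve many distinct domains inside a short sliding window,
    the footprint fast-flux phishing infrastructure tends to leave.
    Returns {src: peak_distinct_domains}."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "dns":
            by_src[e["src"]].append((e["ts"], registrable(e["qname"])))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, dom in items:
            in_window[dom] += 1
            while ts - items[left][0] > window:   # slide the left edge forward
                old = items[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def nonstandard_posts(events, allowed_ports=STANDARD_WEB_PORTS):
    """HTTP POSTs to ports other than 80/443: a common shape for credential
    submission or payload check-in to phishing back ends."""
    return [(e["src"], e["dst"], e["dst_port"], e["host"])
            for e in events
            if e["type"] == "http" and e["method"] == "POST"
            and e["dst_port"] not in allowed_ports]


if __name__ == "__main__":
    print("first seen:", first_seen_domains(SAMPLE_EVENTS))
    print("fan-out:", fan_out_hosts(SAMPLE_EVENTS))
    print("odd POSTs:", nonstandard_posts(SAMPLE_EVENTS))
```

In the sample, 10.0.0.21 resolves five never-before-seen domains in ten seconds and then POSTs to one of them on 8443, while 10.0.0.40 looks like an ordinary user. The first-seen check is only as good as the baseline you feed it, so build that baseline from a few weeks of clean logs rather than a single day.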

And remember: that outbound request usually happens quietly under the hood. The user may never know their machine is calling home to the back end of a phishing site to download more malware. Firewall logs catch that.

Blocking Malicious Domains

After getting these malicious domains or IPs tagged using the logs of the firewall, the next logical step would be to block them. This is where the tight coupling of detection and prevention pays off big.

  • Blacklist those domains/IPs on your firewall.
  • Use DNS filtering natively on the firewall so queries for known phishing sites never resolve.
  • Add rules blocking outbound traffic on the uncommon ports phishing campaigns typically use to bury their traffic and avoid detection.
  • Refresh blocklists frequently — phishers rotate domains faster than you can say password123.

I’m somewhat skeptical of blacklists, commercial or otherwise, and of threat intelligence feeds on their own. They’re useful. But the stronger countermeasure is the contextual fluency you build from watching your own firewall logs, with a feed as a supplement, sort of like a chef who adapts a recipe rather than following it to the letter.

In a recent collaboration with a bank, we automated the extraction of domains from firewall logs and correlated them against blocklists in real time, reducing the reach of phishing links by almost 80% within weeks.
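As an added example of the blocking steps listed above and the log-to-blocklist pipeline just described (this is not P J Networks’ tooling or code from the post), the script below merges indicators pulled from firewall logs with a threat feed, drops anything on an allowlist, collapses overlapping ranges, and renders an nftables set plus a DNS response policy zone (RPZ). The indicator lists, the allowlist, the table and set names and the zone SOA are all constructed assumptions.

```python
"""Turn flagged indicators into firewall and DNS blocking artefacts.

Added example, not from the original post or P J Networks. It merges domains
and IPs pulled out of firewall logs with a threat feed, drops anything on an
allowlist, collapses overlapping IP ranges, and renders an nftables set plus
a DNS response policy zone (RPZ). Names, feeds and addresses are constructed.
"""
import ipaddress
import re

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed inputs: what the log extraction flagged, a third-party feed,
# and the domains we must never block by accident.
FROM_LOGS = ["Login.Secure-Update.test.", "203.0.113.77", "www.example.com", "not a domain!"]
FROM_FEED = ["flux-a.test", "203.0.113.0/24", "flux-a.test"]
ALLOWLIST = {"example.com"}


def classify(indicator):
    """Return ("domain", value) or ("ip", network) or None for junk."""
    value = indicator.strip().rstrip(".").lower()
    try:
        return "ip", ipaddress.ip_network(value, strict=False)
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "domain", value
    return None


def is_allowlisted(domain, allowlist):
    """True if the domain or any parent of it is on the allowlist."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels) - 1))


def merge_blocklist(*sources, allowlist=frozenset()):
    """Normalise, dedupe and split indicators into sorted domains and collapsed networks."""
    domains, nets = set(), []
    for indicator in (i for src in sources for i in src):
        kind = classify(indicator)
        if kind is None:
            continue
        if kind[0] == "domain":
            if not is_allowlisted(kind[1], allowlist):
                domains.add(kind[1])
        else:
            nets.append(kind[1])
    # collapse_addresses merges overlaps so nftables never sees conflicting intervals
    collapsed = [str(n) for n in ipaddress.collapse_addresses(
        n for n in nets if n.version == 4)]
    return sorted(domains), collapsed


def render_nft(networks, table="inet filter", set_name="phish_ips"):
    """nftables fragment: a set of IPv4 ranges and a forward-chain drop rule."""
    elements = ", ".join(networks)
    return (
        f"table {table} {{\n"
        f"  set {set_name} {{\n"
        f"    type ipv4_addr\n    flags interval\n"
        f"    elements = {{ {elements} }}\n  }}\n"
        f"  chain forward {{\n"
        f"    type filter hook forward priority 0; policy accept;\n"
        f"    ip daddr @{set_name} counter drop\n  }}\n}}\n"
    )


def render_rpz(domains, serial):
    """RPZ zone: CNAME . makes the resolver answer NXDOMAIN for the name and subdomains."""
    lines = [
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 900 604800 300)",
        "@ IN NS localhost.",
    ]
    for dom in domains:
        lines.append(f"{dom} CNAME .")
        lines.append(f"*.{dom} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    doms, nets = merge_blocklist(FROM_LOGS, FROM_FEED, allowlist=ALLOWLIST)
    print(render_nft(nets))
    print(render_rpz(doms, serial=2024050101))
```

The allowlist check walks up the parent domains, so a flagged www.example.com is dropped when example.com is protected; that is the safety net that keeps an over-eager extraction from blocking your own mail provider. Bump the zone serial on every regeneration, or the resolver will keep serving the old zone.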

Strengthening Email Security

Firewalls log suspicious activity, but a complete email security ecosystem also includes spam filters, anti-spyware tools, etc. If you only track logs without improving your email posture, you are simply plugging holes in a leaky ship.

Steps that I preach to my clients and swear by (👍):

  • Deploy DKIM, SPF and DMARC extensively — they let mail servers verify whether emails are legit before they even reach the user’s inbox.
  • Use segmentation of your email servers on your network — split your inbound/outbound functions — to mitigate lateral movement in the event of a compromise.
  • Make sure multi-factor authentication is used on any email gateway as well as systems with admin access. No exceptions.
  • Educate users continuously — phishing is a moving and dynamic target, so your people need to be on the ball as well (and just telling them to “be more secure” isn’t enough; I’m talking to you, lazy password policies).
  • Combine firewall logs with SIEM tools for event correlation — detecting advanced phishing campaigns means connecting the dots your logs are already giving you.
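To show what the SPF and DMARC step actually checks, here is an added example (not from the original post) that evaluates an SPF record for a sending IP and reads a DMARC policy, entirely offline: the DNS TXT answers are a constructed in-memory table standing in for real lookups, and the domain and addresses are fictitious. The SPF evaluator covers ip4, ip6, include and all with qualifiers; a, mx, exists and redirect are treated as non-matching here, which a production checker must not do.

```python
"""Offline walk-through of how SPF and DMARC checks are evaluated.

Added example, not from the original post. DNS answers are a constructed
in-memory table standing in for real TXT lookups, so it runs without network.
SPF support here covers ip4, ip6, include and all (with qualifiers); a, mx,
exists and redirect are treated as non-matching, which a real checker must not do.
"""
import ipaddress

# Constructed TXT records for a fictitious domain (RFC 5737 / RFC 3849 addresses).
TXT_RECORDS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.test -all"],
    "_spf.mailhost.test": ["v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s"],
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return TXT_RECORDS.get(name.rstrip(".").lower(), [])


def check_spf(ip, domain, _depth=0):
    """SPF result for sending IP `ip` claiming `domain` (RFC 7208 semantics
    for the mechanisms supported above). The depth guard mirrors the
    10-lookup limit that turns over-long include chains into a permerror."""
    if _depth > 10:
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # mismatched address families simply do not match
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            # include matches only when the included record yields "pass"
            matched = check_spf(ip, arg, _depth + 1) == "pass"
        else:
            matched = False  # a/mx/exists/redirect not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def parse_dmarc(domain):
    """DMARC tags for `domain` with the RFC 7489 defaults filled in, or None."""
    recs = [r for r in lookup_txt(f"_dmarc.{domain}")
            if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags.get("p", "none"))
    return tags


def org_domain(name):
    """Naive organisational domain (last two labels); use the Public Suffix List for real."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def aligned(header_from_domain, authenticated_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return header_from_domain.lower() == authenticated_domain.lower()
    return org_domain(header_from_domain) == org_domain(authenticated_domain)


def dmarc_verdict(header_from_domain, spf_result, spf_domain):
    """Combine SPF and alignment into the DMARC disposition (DKIM omitted here)."""
    policy = parse_dmarc(org_domain(header_from_domain))
    if policy is None:
        return "no-policy"
    if spf_result == "pass" and aligned(header_from_domain, spf_domain, policy["aspf"]):
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8::1", "203.0.113.5"):
        print(ip, check_spf(ip, "example.com"))
    print(parse_dmarc("example.com"))
    print(dmarc_verdict("example.com", check_spf("203.0.113.5", "example.com"), "example.com"))
```

The useful lesson is in the last call: a message from 203.0.113.5 claiming example.com fails SPF, and because the DMARC policy says p=reject, the receiving server is told to reject it outright. A domain that only publishes ~all or p=none gets the same spoof delivered with a warning at best, which is why the post says to deploy all three extensively.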

At PJ Networks, we have been able to witness firsthand what occurs when firewall monitoring is paired with phishing protection to deliver results that cannot be achieved with just endpoint tools. Firewall logs provide the pulse of your email traffic, and paired with layered email security, you put the brakes on phishing dead in its tracks.

Quick Take

  • You should have a clear, binary sense of what acceptable SMTP activity looks like: unknown IPs, wrong ports and unauthorized senders should show up somewhere in your firewall logs.
  • Monitoring SMTP logs is your first line of defense for catching malicious mail before it reaches the user.
  • A machine calling home to possibly malicious domains after an email arrives can indicate second-stage phishing payload activity.
  • Aggressively block known-bad domains/IPs at the firewall level, and keep the update cycle rapid.
  • Email security is more than tech, it is process — SPF, DKIM, DMARC + user awareness + MFA = best combo.

Here’s the deal — firewall logs aren’t solely the domain of nerds hunched over monitors (though, ahem). They’re the front-line defense that everybody should be using more effectively. I’ve worked in this field long enough to know there is no other tool with more direct raw data and actionable insight.

If you don’t mine those logs for possible phishing patterns, you’re keeping your organization vulnerable.

All right. Time for a fourth coffee. But this is the takeaway: you’re flying blind in cybersecurity if your firewall and its logs aren’t talking to you loud and clear. Don’t sleep on phishing: read your logs, lock down your domains and keep on hardening your e-mail.

Stay safe out there,

Sanjay Seth

P J Networks Pvt Ltd

Cyber Security Consultant (since 1993)

Still fueled by nostalgia and coffee and the eternal search for threats.
