Q.U.A.S.E.: uma metodologia ágil para diagnóstico de ataques de phishing
Resumo
O presente artigo apresenta a metodologia Q.U.A.S.E., desenvolvida para facilitar a identificação de indícios de phishing em e-mails por parte de usuários finais. Fundamenta-se em cinco elementos, permitindo uma rápida avaliação de conteúdo suspeito. A metodologia se propõe ser de fácil aplicação e baixo custo de treinamento. A proposta tem sido praticada desde o primeiro semestre de 2022 em treinamentos internos no Tribunal de Contas da União (TCU). Os resultados obtidos em turmas anuais demonstraram a eficácia no alcance de resultados de simulações de ataques de phishing como parte de programa continuado de educação de usuários.
Referências
AICD (2022). Cyber Security Governance Principles. Australian Institute of Company directors (AICd) and the Cyber Security Cooperative research Centre (CSCrC). [link].
Alabdan, R. (2020). Phishing Attacks Survey: Types, Vectors, and Technical Approaches. Future Internet 2020, v. 12, n. MDPI, p. 168.
Bassett, G., Hylender, D., Langlois, P., Pinto, A. and Widup, S. (2022). Verizon Data Breach Investigations Report (DBIR). Verizon. [link].
Caridi, C., Dwyer, J., Emerson, R. and Singleton, C. (feb 2024). X-Force Threat Intelligence Index 2024. . IBM. [link].
CISA-FBI (2024). Update to Phishing General Security Postcard. CISA - Cybersecurity and Infrastructure Security Agency - FBI | MS-ISAC | ACSC | NCSC-UK | CCCS | ANSSI | BSI | CERT NZ | NCSC-NZ. [link].
Dawkins, S. and Jacobs, J. (nov 2023). NIST Technical Note 2276 - Phish Scale - user guide. NIST (National Institute of Standards and Technology). [link].
Ell, M. (2024). Cyber Security Breaches Survey - Official Statistics. . GOV.UK. [link].
FBI (2023). Internet Crime Report. Internet Crime Compliant Center (IC3) - Federal Bureau of Investigation (FBI). [link].
Herzog, P. (2016). The Open Source Cybersecurity Playbook. Institute for Security and Open Methodologies (ISECOM)/Barkly. [link].
Johns, E. (2023). Cyber Security Breaches Survey - Official Statistics. . GOV.UK. [link].
Lella, I., Tsekmezoglou, E., Theocharidou, M., Magonara, E. and Malatras, A. (2024). ENISA Threat Landscape (ETL) Report. European Union Agency for Cybersecurity (ENISA). [link].
McCabe, E. (2023). Blueprint for Ransomware Defense. ISACA. [link].
Merritt, M. et al. (2024). NIST Special Publication 800-50r1. National Institute of Standards and Technology.
Mimecast (2024). The State of Email & Collaboration Security Report 2024. Mimecast. [link].
MOURA, Gerges de; OERTING, Troels (2019). The Cybersecurity Guide for Leaders in Today’s Digital World. World Economic Forum (WEF).
MS-ISAC (2023). Phishing Guidance - Stopping the Attack Cycle at Phase One. . The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC). [link].
Radicati (2024). Email Statistics Report, 2021-2025. The Radicati Group, Inc. [link].
Siadati, H. et al. (2017). Measuring the Effectiveness of Embedded Phishing Exercises.[link].
Sjouwerman, S. (2024). Which phishing emails fooled the most people. KnowBe4. [link].
Terranova (2024). Phishing Benchmark Global Report. Microsoft; Terranova Security. [link].
Alabdan, R. (2020). Phishing Attacks Survey: Types, Vectors, and Technical Approaches. Future Internet 2020, v. 12, n. MDPI, p. 168.
Bassett, G., Hylender, D., Langlois, P., Pinto, A. and Widup, S. (2022). Verizon Data Breach Investigations Report (DBIR). Verizon. [link].
Caridi, C., Dwyer, J., Emerson, R. and Singleton, C. (feb 2024). X-Force Threat Intelligence Index 2024. . IBM. [link].
CISA-FBI (2024). Update to Phishing General Security Postcard. CISA - Cybersecurity and Infrastructure Security Agency - FBI | MS-ISAC | ACSC | NCSC-UK | CCCS | ANSSI | BSI | CERT NZ | NCSC-NZ. [link].
Dawkins, S. and Jacobs, J. (nov 2023). NIST Technical Note 2276 - Phish Scale - user guide. NIST (National Institute of Standards and Technology). [link].
Ell, M. (2024). Cyber Security Breaches Survey - Official Statistics. . GOV.UK. [link].
FBI (2023). Internet Crime Report. Internet Crime Compliant Center (IC3) - Federal Bureau of Investigation (FBI). [link].
Herzog, P. (2016). The Open Source Cybersecurity Playbook. Institute for Security and Open Methodologies (ISECOM)/Barkly. [link].
Johns, E. (2023). Cyber Security Breaches Survey - Official Statistics. . GOV.UK. [link].
Lella, I., Tsekmezoglou, E., Theocharidou, M., Magonara, E. and Malatras, A. (2024). ENISA Threat Landscape (ETL) Report. European Union Agency for Cybersecurity (ENISA). [link].
McCabe, E. (2023). Blueprint for Ransomware Defense. ISACA. [link].
Merritt, M. et al. (2024). NIST Special Publication 800-50r1. National Institute of Standards and Technology.
Mimecast (2024). The State of Email & Collaboration Security Report 2024. Mimecast. [link].
MOURA, Gerges de; OERTING, Troels (2019). The Cybersecurity Guide for Leaders in Today’s Digital World. World Economic Forum (WEF).
MS-ISAC (2023). Phishing Guidance - Stopping the Attack Cycle at Phase One. . The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC). [link].
Radicati (2024). Email Statistics Report, 2021-2025. The Radicati Group, Inc. [link].
Siadati, H. et al. (2017). Measuring the Effectiveness of Embedded Phishing Exercises.[link].
Sjouwerman, S. (2024). Which phishing emails fooled the most people. KnowBe4. [link].
Terranova (2024). Phishing Benchmark Global Report. Microsoft; Terranova Security. [link].
Publicado
01/09/2025
Como Citar
GARCIA, Helton; NUNES, Rafael Rabelo; SOUZA NETO, João.
Q.U.A.S.E.: uma metodologia ágil para diagnóstico de ataques de phishing. In: SIMPÓSIO BRASILEIRO DE CIBERSEGURANÇA (SBSEG), 25. , 2025, Foz do Iguaçu/PR.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2025
.
p. 710-722.
DOI: https://doi.org/10.5753/sbseg.2025.10509.
