Q.U.A.S.E.: an agile methodology for phishing attack diagnosis
Abstract
This article presents the Q.U.A.S.E. methodology, developed to help end users identify signs of phishing in e-mails. It is based on just five elements, allowing a quick assessment of suspected messages. The methodology aims to be easy to apply and to have low training costs. The proposal has been practiced since the first half of 2022 in internal training at the Brazilian Federal Court of Accounts (TCU). The results obtained in annual classes have demonstrated its effectiveness, as measured by phishing attack simulations conducted as part of an ongoing user education program.
