Safeguarding Productivity

Post-Phishing Attempt Actions

It was a well-laid plan. The format of his fake email address matched his real one. The request was delivered to a couple of senior staff members individually who should feel loyalty to the new CEO, and since he was new in the job, a desire to be helpful (there was no reason not to be). The phish was direct in its request – the standard iTunes giftcard scam, and “eight of them please.” The reasoning was plausible … “I’m in a meeting,” “it’s for important clients,” blah blah blah. The attacker responded quickly to the reply email from the senior staff member and applied further the pressure of time since she was about to bite the phish, seeking to win agreement that she would act now, buy the cards as directed, and yes, send the numbers through by photo. Because, “it’s for important clients,” and “can you do it for me please?”

But the spear-phishing attempt failed, because she didn’t know about iTunes giftcards, and thus had to ask other people for directions. And with not having a corporate credit card, she’d have to get authorisation for funding from somewhere else. The CFO wasn’t buying it. That got the warning bells ringing. And brought the whole thing to a sudden stop.

Crisis averted – for now, anyway. But it was a well-laid plan.

Here’s hoping the IT team knows enough about security capabilities in Office 365 to do something proactive – more than just an email out to all staff to warn them to “be careful out there.” That’s the most basic response. But what about going further, for example:

  • Using Content Search in Office 365 to look for the offending sending email address to see how widespread the attack was.
  • Using PowerShell in Exchange Online to automatically delete all instances of email messages from threat-laden email address across all Exchange Online mailboxes.
  • Setting up mail flow rules to capture future instances of email messages coming from that address to intercept them and route them to a SecOps team/mailbox. The CEO confirmed that the fake email address was not his real one, and therefore an actor with malicious intent is using it, and therefore sanitising it at the boundary would make sense to me. If it’s not valid now, it won’t be valid in the future.
  • Asking senior leaders for their real personal email address(es), and then setting up additional mail flow rules to protect invalid variants of those personal addresses.
  • Using the anti-impersonation settings in Office 365 E5 to prevent (or greatly reduce the likelihood of validity) for impersonation type attack.
  • Setting up mail flow rules to look for keywords commonly used in the iTunes gift card scam, and thus flag those messages automatically as being potentially suspicious or even routing them to the SecOps team for a while to check and sanitise.
  • Considering if an actor with malicious intent has current access to the Office 365 tenant, since the malicious actor knew the type of relationship that would be expected to exist between the CEO and the senior staff members, and also the email address format used at the organisation (first-letter-of-firstname.surname@). This is called business email compromise, where a malicious actor gains access through credential compromise and then observes what is happening to map the social relationships and then uses that knowledge in attacks that leverage social engineering factors to try to pull off such scams. Like the well-laid plan that almost worked.

You’d better be doing something to prevent similar occurrences at your place. It’s a dangerous world out there. Since the well-laid plan almost worked, you can bet it won’t be the last attempt.