This week while on-boarding a new customer, before we could even start we needed to help them recover from a compromise they had received before coming to us.
A user had suffered a phishing attack and had their Office365 email credentials stolen. Email phishing is the act of sending emails purporting to be an entity (such as Google) or an individual (such as your CEO), often using a crafted email with graphics and text from legitimate emails included to fool users into entering login information or opening an attachment. The attacker can then use the stolen credentials to gain access to your organisation, or use malware the user clicks on to gain a control channel into your environment.
In this case, the malicious actor had utilised a common method to compromise a business; They had taken control of the email account of a trusted business partner, and had then sent our client an email with a Dropbox link purporting to contain a legitimate looking business proposal.
This method is highly successful because when we receive an email from a known or trusted user, we tend to bypass our usual scepticism and control when it comes to clicking links or opening files. In this case, our client actually replied to the email and asked if it was legitimate. He got a reply ‘Yes it is, I need you to respond to it urgently’. As the business partners email had been compromised, the hacker could reply themselves in an attempt to validate the email. The client then opened the file which prompted him to login to Office365 to access to file, and his credentials were then stolen.
So how can we better protect ourselves from these sorts of problems? Email filtering won’t always help here as the emails actually coming from a seemingly legitimate user. But secure DNS and web filtering (such as what we deliver with our DNSProtect and WebProtect portions of our protect platform), would have helped prevent the user from inputing their details into a phishing site by blocking the phishing page from displaying in the clients browser. Not reusing passwords across accounts is another good practice to limit your exposure to any compromise should it take place. Additionally if the Dropbox link had instead contained malware, ransomware or a remote access tool (commonly called a RAT to security operators), an endpoint protection agent such as MalwareProtect and EndpointProtect would keep you safe.