Technology Decision Makers


A group for those in nonprofit IT decision-making roles to connect with peers and share best practices. This Technology Decision Makers group is for nonprofit IT or MIS Directors/Managers as well as CIOs and CTOs to connect with their peers and share best practices. Topics for discussion include, but are not limited to: hardware and software management, product reviews, emerging technology, best practices, collaborating effectively with other departments, and management conundrums. Membership is restricted to IT staff at nonprofit organizations.

Advice on phishing attack

  • 1.  Advice on phishing attack

    Posted Jan 12, 2018 07:39

    I'm working with a nonprofit client who detected a spear-phishing attack yesterday.  It's a small shop, about 7 people, that's pretty well known locally.  It went down like this:

    11:44 AM – Ops Director gets the suspicious email from the agency's Executive Director's email address (the ED is out sick…) asking her to pay an attached PDF invoice for $45k.  The OD knows enough to ask the ED about such things before paying them, so

    11:46 AM – OD starts a new email thread (NOT a reply to the initial email), types the ED's address into the address line, and asks if the ED had just made such a request.  (the "verification" email)

    11:50 AM – OD gets a message from the ED's email address saying "yes" (the "confirming" email).  But the email says "sent from Android" and the OD knows the ED uses an iPhone, so she's now convinced it's fake and calls the ED, who doesn't answer (because she's really sick).

    12:59 PM – Another email from the ED's address asking for status.

    Later in the day, the ED returns the OD's call and confirms she never made the request, and in fact was in bed sleeping almost the entire day.  So the OD asks me to look into it.  I congratulate the OD for her diligence in foiling the attack and remind her to ALWAYS get verbal confirmation.

    However, I'm still puzzled how the attacker was able to reply to the email sent by the OD to the ED asking for confirmation.  The OD has been through this before, so she didn't just reply to the original thread, but started a new email from Outlook for the "verification" email, yet the attacker was able to receive and reply to it with the "confirming" email.  The original email contained 2 PDFs, but neither had any links in them.  They are running O365, and I know the ED did a password reset within the last week; they've been targeted before, so I'm confident she would not have used a simple password.  We did look at the ED's Sent box, and the "confirming" email is not in there, so we don't believe they were inside her account when they responded to the "verification" email (or they cleaned up very well after themselves).

    We've since changed the ED's password again.  But if anyone has any idea how the attacker could have replied to the new thread, I am all ears.  I could share the emails with anyone who wants to help.

    Thanks for all you do in your communities!



    ------------------------------
    Tom Anderson
    Founder
    IT4 Causes
    Midlothian, VA
    ------------------------------


  • 2.  RE: Advice on phishing attack

    Posted Jan 12, 2018 08:16
    Wow! Kudos to your coworkers for being able to foil the attempt.

    Did the OD really create a new email, or simply reply and delete any email address that didn't look right?

    I posit the issue is with ED's computer - compromised with a trojan that simply forwards all inbound email onto the phisher.

    ------------------------------
    Gregg Banse
    Director of Marketing & Business Development
    Lake Champlain Maritime Museum
    Vergennes, Vermont
    http://www.lcmm.org
    https://greggbanse.com
    ------------------------------



  • 3.  RE: Advice on phishing attack

    Posted Jan 12, 2018 08:30

    We had a similar situation happen a few months ago.  With only 7 people I would ask everyone to change their password immediately.  Log into the O365 Exchange console, go to the recipient, then mailbox features, and down to mobile devices.  Since you said Android, it should show any mobile devices that have connected to the account.

    Most importantly, have the ED go into their Outlook rules and look for any rules that may move email from specific people into a different folder or automatically delete it.  This is what happened with us.  All the replies were automatically being moved to a nested folder, so the user never saw a single email from specific people.  It's very likely that someone has been in the ED's mailbox for a while, figured out who did what in the organization, and was able to target exactly who to send emails to.

    I would also check the ED's computer for viruses and malware ASAP, since you said she opened two PDFs.  I've recently learned that PDFs can also contain embedded scripts that can then install malware.

    Ritchie






  • 4.  RE: Advice on phishing attack

    Posted Jan 12, 2018 08:42
    I like Ritchie's answer better.

    ------------------------------
    Gregg Banse
    Director of Marketing & Business Development
    Lake Champlain Maritime Museum
    Vergennes, Vermont
    http://www.lcmm.org
    https://greggbanse.com
    ------------------------------



  • 5.  RE: Advice on phishing attack

    Posted Jan 13, 2018 12:27

    It's really important to understand if the message is spoofed, or actually coming from within the network. I like the message header analyzer service from https://mxtoolbox.com/EmailHeaders.aspx . If the message is coming from an external sender, then you may just block that address or look at updating your spam filter settings. If it's coming from an internal address, then it means you have a compromised account. In that case you need to assume that the entire contents of that mailbox are public. You also should reset that user's password AND enable MFA.  https://support.office.com/en-us/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6 . If it isn't already enabled you should turn on audit logging in the Security Center to help identify the source of the attack, and use the message tracking logs to see what other messages may have been sent from the compromised account.

    Matthew Eshleman | Chief Technology Officer
    Community IT Innovators | where technology meets mission
    meshleman@communityit.com |Direct: 202-449-6711 |Help Desk: 202-234-TECH
    www.CommunityIT.com| @CommunityIT | Linkedin






  • 6.  RE: Advice on phishing attack

    Posted Jan 13, 2018 19:00

    Thanks to everyone for your suggestions!

    Matthew,

    Looking at the headers revealed the email originated inside Office 365.  So we know we have a compromised account.

    In looking at Recipients as Ritchie suggested, we identified a mobile device that the ED did not recognize, so I blocked that one.

    We have reset all passwords for all users in the site.  We will turn on MFA when staff are back in the office on Tuesday.

    I have turned on Audit Logging for all mailboxes using these instructions:

    https://support.office.com/en-us/article/Enable-mailbox-auditing-in-Office-365-aaca8987-5b62-458b-9882-c28476a66918

    But I'm not sure what actions to log; I set it up to log MailboxLogIn, but I didn't see a way to log if someone changes rules.  Are there other actions you'd suggest we log?

    Richard,

    I didn't see any rules set up to forward externally, but what you recommend is good advice that I am also implementing via these instructions:

    https://blogs.technet.microsoft.com/exovoice/2017/12/07/disable-automatic-forwarding-in-office-365-and-exchange-server-to-prevent-information-leakage/

    Thanks again!

    Tom Anderson

    CEO, IT4Causes

    804.241.2555

    Thomas.Anderson@IT4Causes.org






  • 7.  RE: Advice on phishing attack

    Posted Jan 13, 2018 16:20

    Wow!  Thanks Ritchie!  There were rules in the ED's mailbox to move messages with the specific invoice number to "RSS Subscriptions", and to also move messages from the OD there.  I'm still sorting through how they were able to access the account, but we forced password resets for the whole organization, and are re-scanning all of the computers.

    Thanks again for your help!

    Tom Anderson

    CEO, IT4Causes

    804.241.2555

    Thomas.Anderson@IT4Causes.org






  • 8.  RE: Advice on phishing attack

    Posted Jan 13, 2018 16:42
    In addition to all the steps already suggested, I would also turn off forwarding to external domains for all accounts. In the event that a forward has already been set up, changing passwords will likely not disable it, and disabling forwarding to external domains is a simple additional step to further secure your accounts.
    Richard

    ------------------------------
    Richard McConnell
    Director, IT
    BSR
    San Francisco, CA
    ------------------------------
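    The checks Ritchie, Matthew, Tom and Richard describe above (hidden or deleting inbox rules, unrecognized mobile devices, mailbox auditing that captures rule changes, and blocking external auto-forwarding) as one Exchange Online PowerShell triage pass. This is an added example, not code from the thread; it assumes an admin session is already connected with Connect-ExchangeOnline, the cmdlets are the real Exchange Online ones, and the list of folders treated as suspicious is a constructed guess that you should adjust.

    ```powershell
    # Added example: Exchange Online triage after a suspected mailbox compromise.
    # Assumes Connect-ExchangeOnline has already been run as a tenant admin.
    # $suspectFolders is a constructed list; "RSS Subscriptions" is the folder the thread found abused.
    $suspectFolders = @('RSS Subscriptions', 'RSS Feeds', 'Junk Email', 'Archive', 'Conversation History')
    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

    foreach ($mbx in $mailboxes) {
        $upn = $mbx.UserPrincipalName

        # 1. Inbox rules that hide, delete, forward or redirect mail: the foothold used in this thread.
        Get-InboxRule -Mailbox $upn | ForEach-Object {
            $reasons = @()
            if ($_.DeleteMessage) { $reasons += 'deletes' }
            if ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo) { $reasons += 'forwards/redirects' }
            if ($_.MarkAsRead) { $reasons += 'marks as read' }
            if ($_.MoveToFolder) {
                # MoveToFolder renders as "user:\Folder"; compare the leaf folder name only.
                $leaf = $_.MoveToFolder.ToString().Split('\')[-1]
                if ($suspectFolders -contains $leaf) { $reasons += "moves to '$leaf'" }
            }
            if ($reasons) {
                [pscustomobject]@{ Mailbox = $upn; Rule = $_.Name; Enabled = $_.Enabled
                                   Why = ($reasons -join ', '); Description = $_.Description }
            }
        }

        # 2. Every mobile device that has synced this mailbox; confirm each one with its owner.
        Get-MobileDevice -Mailbox $upn |
            Select-Object @{n = 'Mailbox'; e = { $upn }}, DeviceType, DeviceModel, DeviceOS,
                          FirstSyncTime, DeviceAccessState

        # 3. Mailbox audit logging, including owner logins and inbox-rule changes (UpdateInboxRules).
        Set-Mailbox -Identity $upn -AuditEnabled $true -AuditOwner @{Add = 'MailboxLogin', 'UpdateInboxRules'}
    }

    # 4. Tenant-wide: who created or changed inbox rules in the last 30 days, and from which IP.
    #    Requires the unified audit log to already be enabled in the Security & Compliance Center.
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
        -Operations New-InboxRule, Set-InboxRule -ResultSize 5000 |
        Select-Object CreationDate, UserIds, Operations,
                      @{n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP }}

    # 5. Block auto-forwarding to every external domain, so a forward that survived the
    #    password reset stops working (the step Richard recommends).
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
    ```

    Run steps 1, 2 and 4 first and review the output with the users before making the changes in steps 3 and 5, since step 3 changes per-mailbox audit settings and step 5 affects any legitimate external forwards.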



  • 9.  RE: Advice on phishing attack

    Posted Jan 14, 2018 10:47
    Just wanted to thank everyone for this forum.

    Rarely do I review technology discussion forums and get so much out of them.

    There are some very good lessons learned and recommendations here.

    Best,

    Carlos

    ------------------------------
    Carlos Velez
    IT Manager
    Wellspring Philanthropic Fund
    New York, NY
    ------------------------------



  • 10.  RE: Advice on phishing attack

    Posted Jan 15, 2018 12:40
    I know this wasn't part of the original question, but because I don't see it mentioned anywhere I want to say that I would STRONGLY encourage use of two-factor authentication for O365 (and same for Salesforce, Dropbox, G-Suite, etc.).

    It is not necessarily the easiest thing in the world to implement, but it exponentially reduces the likelihood of breached accounts.

    Tom, you didn't indicate whether this organization had implemented 2FA on O365, but given the breach you describe, I am guessing it was not in place.

    Setting up 2FA for Office 365 users

    One last note, if you have the option, choosing authenticator-based (also known as "smart token") 2FA is preferable to SMS-based 2FA. Either one is way better than not having 2FA at all, but if you can choose, smart token 2FA is a more secure choice than SMS 2FA.

    -JP

    ------------------------------
    Joshua Peskay
    Vice President
    RoundTable Technology
    joshua@roundtabletechnology.com
    www.roundtabletechnology.com
    ------------------------------



  • 11.  RE: Advice on phishing attack

    Posted Jan 15, 2018 15:58

    Josh,

    Thanks for chiming in.  2FA was not in place with this client previously.  It's now set up for the ED and OD, and will be rolled out to the rest of their staff tomorrow (after the holiday).  But I only see options for phone- or SMS-based 2FA in our cloud-only O365 tenant running E1 licenses, so we are going with that method.  If you know how to set up Smart Token 2FA in O365 cloud-only, please let me know.

    Also, I would love to get an alert when a user adds a new device, so we can validate with the user that it's legit, but I don't see that as an option in Manage Alerts in Security and Compliance.  If anyone knows how to do that, I would love your sage advice!

    Tom Anderson

    CEO, IT4Causes

    804.241.2555

    Thomas.Anderson@IT4Causes.org






  • 12.  RE: Advice on phishing attack

    Posted Jan 15, 2018 16:23
    Tom,

    Here are the listed options for O365 below (from this link). The one I recommend you have people choose is this:

    Mobile app verification code: The mobile app, which is running on a user's smart phone, displays a verification code that changes every 30 seconds. The user finds the most recent code and enters it on the sign-in page.

    --

    Joshua Peskay

    VP of Technology Strategy

    W/(207) 370-4647

    M/(917) 747-1154





