I'm working with a nonprofit client who detected a spear-phishing attack yesterday. It's a small shop, about 7 people, that's pretty well known locally. It went down like this:
11:44 AM – Ops Director gets the suspicious email from the agency's Executive Director's email address (the ED is out sick…) asking her to pay an attached PDF invoice for $45k. The OD knows enough to ask the ED about such things before paying them, so
11:46 AM – OD starts a new email thread (NOT a reply to the initial email), types the ED's address into the address line, and asks if ED had just made such a request. (the "verification" email)
11:50 AM – OD gets a message from the ED's email address saying "yes" (the "confirming" email). But the email says "sent from Android" and the OD knows the ED uses iPhone, so she's now convinced it's fake and calls ED who doesn't answer (because she's really sick).
12:59 PM – Another email from ED's address asking for status.
Later in the day, the ED returns the OD's call and confirms she never made the request, and in fact was in bed sleeping almost the entire day. So the OD asks me to look into it. I congratulate the OD for her diligence and foiling the attack and remind her to ALWAYS get verbal confirmation.
However, I'm still puzzled how the attacker was able to reply to the email sent by the OD to the ED asking for confirmation. The OD has been through this before, so she didn't just reply to the original thread, but started a new email from Outlook for the "verification" email, yet the attacker was able to receive and reply to it with the "confirming" email. The original email contained 2 PDFs, but neither had any links in them. They are running O365, and I know the ED did a password reset within the last week; they've been targeted before so I'm confident she would not have used a simple password. We did look at the ED's Sent box, and the "confirming" email is not in there, so we don't believe they were inside her account when they responded to the "verification" email (or they cleaned up very well after themselves).
We've since changed the ED's password again. But if anyone has any idea on how the attacker could have replied to the new thread, I am all ears. I could share the emails with anyone who wants to help. Thanks for all you do in your communities!
We had a similar situation happen a few months ago. With only 7 people I would ask everyone to change their password immediately. Log into the O365 Exchange console, go to the recipient and then mailbox features and down to mobile devices. Since you said android it should show any mobile devices that have connected to the account.
Most importantly, have the ED go into their Outlook rules and look for any rules that may move email from specific people into a different folder or automatically delete it. This is what happened with us. All the replies were automatically being moved to a nested folder so the user never saw a single email from specific people. It's very likely that someone has been in the ED's mailbox for a while and figured out who did what in the organization and was able to target exactly who to send emails to.
I would also check the ED's computer for viruses and malware ASAP since you said she opened two PDFs. I've recently learned that PDFs can also contain embedded scripts that can then install malware.
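The three checks the reply above describes (devices that have synced with the mailbox, inbox rules that move or delete mail, and mailbox-level forwarding) can be pulled together in one Exchange Online PowerShell pass. This is an added example, not code from the thread or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that the admin and mailbox addresses (example-nonprofit.org) are replaced with real ones.

```powershell
# Added example: triage one Office 365 mailbox for unknown mobile devices, inbox
# rules that hide mail, and forwarding. Assumes Install-Module ExchangeOnlineManagement
# has been run and the caller holds an Exchange admin role. Addresses are placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@example-nonprofit.org'

function Get-MailboxTriage {
    param([Parameter(Mandatory)][string]$Mailbox)

    # 1. Every device that has ever synced with the mailbox, oldest first. An Android
    #    entry on an iPhone user's account is exactly the kind of row to question.
    $devices = Get-MobileDevice -Mailbox $Mailbox | Sort-Object FirstSyncTime |
        Select-Object DeviceId, DeviceType, DeviceModel, DeviceOS, FirstSyncTime, DeviceAccessState

    # 2. Inbox rules that move, delete, mark-as-read, or forward mail. Attackers add
    #    these so the victim never sees replies (e.g. moving mail from the Ops Director
    #    into an obscure folder such as "RSS Subscriptions").
    $rules = Get-InboxRule -Mailbox $Mailbox | Where-Object {
        $_.MoveToFolder -or $_.DeleteMessage -or $_.MarkAsRead -or
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    } | Select-Object Name, Enabled, From, SubjectContainsWords, MoveToFolder,
        DeleteMessage, MarkAsRead, ForwardTo, ForwardAsAttachmentTo, RedirectTo

    # 3. Forwarding set at the mailbox level (admin console or Outlook on the web),
    #    which does not show up as an inbox rule.
    $fwd = Get-Mailbox -Identity $Mailbox |
        Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

    [pscustomobject]@{ Devices = $devices; SuspiciousRules = $rules; Forwarding = $fwd }
}

$triage = Get-MailboxTriage -Mailbox 'ed@example-nonprofit.org'
$triage.Devices         | Format-Table -AutoSize
$triage.SuspiciousRules | Format-List
$triage.Forwarding      | Format-List

# Containment once the user confirms a device or rule is not theirs. Disabling (rather
# than removing) the rule keeps it as evidence; the device ID comes from the table above.
# Disable-InboxRule -Mailbox 'ed@example-nonprofit.org' -Identity 'NAME-OF-RULE'
# Set-CASMailbox -Identity 'ed@example-nonprofit.org' -ActiveSyncBlockedDeviceIDs @{Add='DEVICE-ID-FROM-ABOVE'}
```

Blocking the device only stops ActiveSync; it does not end sessions the attacker may hold over other protocols, so it belongs alongside the password reset the thread already describes, not in place of it.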
It's really important to understand if the message is spoofed, or actually coming from within the network. I like the message header analyzer service from https://mxtoolbox.com/EmailHeaders.aspx . If the message is coming from an external sender, then you may just block that address or look at updating your spam filter settings. If it's coming from an internal address, then it means you have a compromised account. In that case you need to assume that the entire contents of that mailbox are public. You also should reset that user's password AND enable MFA. https://support.office.com/en-us/article/Set-up-multi-factor-authentication-for-Office-365-users-8f0454b2-f51a-4d9c-bcde-2c48e41621c6 . If it isn't already enabled you should turn on audit logging in the Security Center to help identify the source of the attack, and use the message tracking logs to see what other messages may have been sent from the compromised account.
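The internal-versus-spoofed question above can be answered from the message's own headers, with or without the MXToolbox analyzer. The following is an added example, not from the thread: it unfolds RFC 5322 headers, reads the Authentication-Results and the X-MS-Exchange-Organization-AuthAs header that Exchange Online stamps on mail delivered inside the organization, and lists the Received hops in delivery order. The sample headers are constructed; hostnames, addresses and dates are placeholders.

```powershell
# Added example: classify a message as internal (authenticated sender in the tenant)
# or external/anonymous from its raw headers. In Outlook: File > Properties >
# Internet headers. The headers below are CONSTRUCTED for illustration only.
$SampleHeaders = @'
Received: from XX1PR01MB0001.prod.exchangelabs.com (2603:10b6:0:1::1) by
 XX1PR01MB0002.prod.exchangelabs.com with HTTPS; Mon, 20 Nov 2017 16:44:10 +0000
Received: from XX1PR01MB0003.prod.exchangelabs.com ([fe80::1]) by
 XX1PR01MB0003.prod.exchangelabs.com ([fe80::1%5]) with mapi id 15.20.0239.005;
 Mon, 20 Nov 2017 16:44:08 +0000
From: Executive Director <ed@example-nonprofit.org>
To: Ops Director <od@example-nonprofit.org>
Subject: Invoice - please pay today
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=ed@example-nonprofit.org;
 dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=example-nonprofit.org;
X-MS-Exchange-Organization-AuthSource: XX1PR01MB0003.prod.exchangelabs.com
X-MS-Exchange-Organization-AuthAs: Internal
'@

function ConvertFrom-MessageHeader {
    # Turn raw header text into an ordered list of Name/Value objects, joining
    # folded continuation lines (those starting with whitespace) to their header.
    param([Parameter(Mandatory)][string]$Raw)
    $headers = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in ($Raw -split "`r?`n")) {
        if ($line -match '^\s+' -and $current) {
            $current.Value += ' ' + $line.Trim()
        }
        elseif ($line -match '^([\w-]+):\s*(.*)$') {
            $current = [pscustomobject]@{ Name = $Matches[1]; Value = $Matches[2] }
            $headers.Add($current)
        }
    }
    return $headers
}

function Get-MessageOrigin {
    param([Parameter(Mandatory)][string]$Raw)
    $h = ConvertFrom-MessageHeader -Raw $Raw
    $authAs = ($h | Where-Object Name -eq 'X-MS-Exchange-Organization-AuthAs' |
        Select-Object -First 1 -ExpandProperty Value)
    $authResults = ($h | Where-Object Name -eq 'Authentication-Results' |
        Select-Object -First 1 -ExpandProperty Value)

    # Each hop prepends its own Received header, so the LAST one is the first hop.
    $received = @($h | Where-Object Name -eq 'Received' | Select-Object -ExpandProperty Value)
    [array]::Reverse($received)

    if ($authAs -eq 'Internal') {
        $verdict = 'Internal: sent by an authenticated account in this Office 365 organization - treat that account as compromised'
    } elseif ($authAs -eq 'Anonymous') {
        $verdict = 'External: anonymous (unauthenticated) submission - spoofed or sent from outside the tenant'
    } else {
        $verdict = 'Unknown: AuthAs header missing - inspect the Received chain and Authentication-Results by hand'
    }

    [pscustomobject]@{
        AuthAs        = $authAs
        Verdict       = $verdict
        SPF           = if ($authResults -match 'spf=(\w+)')   { $Matches[1] } else { 'n/a' }
        DKIM          = if ($authResults -match 'dkim=(\w+)')  { $Matches[1] } else { 'n/a' }
        DMARC         = if ($authResults -match 'dmarc=(\w+)') { $Matches[1] } else { 'n/a' }
        ReceivedChain = $received   # earliest hop first
    }
}

Get-MessageOrigin -Raw $SampleHeaders | Format-List
```

Take the headers from the original message in the recipient's mailbox: forwarding the message to yourself generates a new set of headers for the forward, and the X-MS-Exchange-Organization-* headers are only retained on mail that stayed inside the organization.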
Thanks to everyone for your suggestions!
Looking at the headers revealed the email originated inside Office 365. So we know we have a compromised account.
In looking at Recipients as Ritchie has suggested, we identified a mobile device that the ED did not recognize, so I blocked that one.
We have reset all passwords for all users in the site. We will turn on MFA when staff are back in the office on Tuesday.
I have turned on Audit Logging for all mailboxes using these instructions:
But I'm not sure what actions to log; I set it up to log MailboxLogIn, but I didn't see a way to log if someone changes rules. Are there other actions you'd suggest we log?
I didn't see any rules set up to forward externally, but what you recommend is good advice that I am also implementing via these instructions:
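The instructions the poster links to are not reproduced in the thread. As an added example (not the linked instructions, and not from the thread), the following PowerShell enables mailbox auditing for every mailbox with the actions that matter for this kind of attack, including inbox-rule changes and not only MailboxLogin, and then queries the audit and message-trace logs for rule changes, logons and mail actually sent from the account. It assumes an open Exchange Online session; the mailbox address is a placeholder.

```powershell
# Added example: audit configuration and queries for a suspected compromised mailbox.
# Assumes Connect-ExchangeOnline has already been run with an Exchange admin account.

# 1. Enable auditing on all mailboxes. UpdateInboxRules records rule changes made by
#    the owner, a delegate, or an admin; MailboxLogin is valid for the owner only.
$audit = @{
    AuditEnabled  = $true
    AuditOwner    = @{Add = 'MailboxLogin', 'UpdateInboxRules', 'UpdateFolderPermissions', 'Update', 'MoveToDeletedItems', 'SoftDelete', 'HardDelete'}
    AuditDelegate = @{Add = 'SendAs', 'SendOnBehalf', 'UpdateInboxRules', 'Update', 'SoftDelete', 'HardDelete'}
    AuditAdmin    = @{Add = 'UpdateInboxRules', 'Update', 'SoftDelete', 'HardDelete'}
}
Get-Mailbox -ResultSize Unlimited | ForEach-Object { Set-Mailbox -Identity $_.Identity @audit }

function Get-InboxRuleChanges {
    # 2. Rule changes from any client (Outlook, OWA, PowerShell) in the unified audit
    #    log. Set-Mailbox is included because mailbox-level forwarding is set that way.
    param([datetime]$Start = (Get-Date).AddDays(-30), [datetime]$End = (Get-Date))
    Search-UnifiedAuditLog -StartDate $Start -EndDate $End -ResultSize 5000 `
        -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox' |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                Time      = $_.CreationDate
                User      = $_.UserIds
                Operation = $_.Operations
                # Admin-cmdlet records carry ClientIP; mailbox-audit records carry ClientIPAddress
                ClientIP  = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
                # For cmdlet records, Parameters holds the rule definition (name, From, MoveToFolder...)
                Details   = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            }
        }
}

function Get-MailboxLogons {
    # 3. Per-mailbox audit log: who logged on, from where, with which client.
    #    Only populated from the moment auditing was enabled.
    param([Parameter(Mandatory)][string]$Mailbox, [int]$Days = 30)
    Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Owner, Delegate, Admin -ShowDetails `
        -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName, ClientIPAddress, ClientInfoString
}

function Get-SentFromAccount {
    # 4. Message trace shows what actually left the account, including messages the
    #    attacker deleted from Sent Items. Get-MessageTrace covers the last 10 days;
    #    use Start-HistoricalSearch for anything older.
    param([Parameter(Mandatory)][string]$Mailbox, [int]$Days = 10)
    Get-MessageTrace -SenderAddress $Mailbox -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) |
        Select-Object Received, RecipientAddress, Subject, Status, FromIP
}

Get-InboxRuleChanges                                  | Format-Table -AutoSize
Get-MailboxLogons    -Mailbox 'ed@example-nonprofit.org' | Format-Table -AutoSize
Get-SentFromAccount  -Mailbox 'ed@example-nonprofit.org' | Format-Table -AutoSize
```

The unified audit log (Search-UnifiedAuditLog) is the one that answers the question about logging rule changes: New-InboxRule and Set-InboxRule entries appear there as soon as audit logging is on, and UpdateInboxRules entries appear once the per-mailbox audit actions above include it.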
Wow! Thanks Ritchie! There were rules in the ED's mailbox to move messages with the specific invoice number to "RSS Subscriptions", and to also move messages from the OD there. I'm still sorting through how they were able to access the account, but we forced password resets for the whole organization, and are re-scanning all of the computers.
Thanks again for your help!
Thanks for chiming in. 2FA was not in place with this client previously. It's now set up for the ED and OD, and will be rolled out to the rest of their staff tomorrow (after the holiday). But I only see options for phone- or SMS-based 2FA in our cloud-only O365 tenant running E1 licenses, so we are going with that method. If you know how to set up Smart Token 2FA in O365 cloud-only, please let me know.
Also, I would love to get an alert when a user adds a new device, so we can validate with the user that it's legit, but I don't see that as an option in Manage Alerts in Security and Compliance. If anyone knows how to do that, I would love your sage advice!
VP of Technology Strategy
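Since the Security and Compliance alert policies the poster looked at offer no "new mobile device" condition, one workable substitute is a scheduled script that keeps a baseline of the device IDs seen on each mailbox and reports anything that has appeared since the last run. This is an added example, not from the thread; it assumes an open Exchange Online session and writes its baseline to a placeholder path under ProgramData.

```powershell
# Added example: detect mobile devices that have newly synced with any mailbox by
# comparing against a saved baseline. Run it on a schedule (e.g. Task Scheduler,
# daily) and confirm each reported device with its user before deciding to block it.
# Assumes Connect-ExchangeOnline has already been run. The baseline path is a placeholder.
function Find-NewMobileDevices {
    param([string]$BaselinePath = "$env:ProgramData\MobileDeviceBaseline.json")

    $firstRun = -not (Test-Path $BaselinePath)

    # Baseline: mailbox UPN -> array of known DeviceId values
    $known = @{}
    if (-not $firstRun) {
        (Get-Content $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
            ForEach-Object { $known[$_.Name] = @($_.Value) }
    }

    $current = @{}
    $found = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $upn     = $mbx.UserPrincipalName
        $devices = @(Get-MobileDevice -Mailbox $upn)
        $current[$upn] = @($devices | Select-Object -ExpandProperty DeviceId)

        foreach ($d in $devices) {
            # Already recorded for this mailbox on a previous run: nothing to report.
            # ($known[$upn] is $null for a mailbox not yet in the baseline; -contains then returns $false.)
            if ($known[$upn] -contains $d.DeviceId) { continue }
            [pscustomobject]@{
                Mailbox           = $upn
                DeviceId          = $d.DeviceId
                DeviceType        = $d.DeviceType
                DeviceModel       = $d.DeviceModel
                DeviceOS          = $d.DeviceOS
                FirstSyncTime     = $d.FirstSyncTime
                DeviceAccessState = $d.DeviceAccessState
            }
        }
    }

    # Persist the current picture as the baseline for the next run
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath

    # The first run only records what exists; flagging every device would be noise
    if ($firstRun) { return @() }
    return @($found)
}

$new = Find-NewMobileDevices
if ($new) {
    $new | Format-Table -AutoSize
    # Hand-off point: email this table to whoever validates devices with users, e.g.
    # with Send-MailMessage, or write it to a ticketing system.
}
```

A device that the user does not recognise is then handled the same way as in the thread: block it on the mailbox and reset the password, and review the audit log for logons around its FirstSyncTime.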