The Enabling Technologies Blog


Scott Barr / Categories: Security, Phish Hunter

Recovering from Enterprise Phishing Attacks

What to do when users are phished

Much has been written about what consumers should do if their home accounts get phished.  But here’s a comprehensive list for recovering from enterprise phishing attacks.  We include advice for all affected parties: users, IT admins, and Security leaders.

For the end user:

  • Immediately tell the IT department and share as much detail about your actions as possible.
  • If you use the same login ID or passwords on other Internet apps (e.g. personal email, or work-related CRM or HR apps), then change your passwords on those sites as well.
  • Alert your contact list about the message. Attackers usually launch more spam/phishing messages to all contacts. Each user who received the email should reset their password. If they went ahead and entered any login information, their account has likely also been compromised.
  • Make sure that your backup contacts—the e-mail or phone number that the mail provider could use to contact you if it sees suspicious use of your account—are current. In Office 365, navigate to the “Additional Security Verification” page (https://account.activedirectory.windowsazure.com/Proofup.aspx) to ensure the attacker has not changed your cell phone number, locking you out of the Office 365 account. Hit the “Restore” button if it seems they have.
  • Check your Outlook rules for new or modified rules (File/Info/Rules and Alerts)
  • Check Outlook signature for changes and verify any hyperlinks are correct
  • Learn from the phishing incident and don't take the bait no matter how tempting

For the IT Pro:

  • Isolate the impacted computer from network
  • Reset the user’s password
  • Enable the user for Multifactor Authentication (especially users in accounts payable and executives)
  • Perform A/V anti-malware scan on the computer
  • Search for anomalous Sent and Deleted items in the affected inbox
  • Review modifications to mailbox, including rule changes, permissions changes, etc.
  • Investigate potential lateral movement within the network (if the attacker elevated to administrator privileges on the machine, confirm admin passwords are changed on servers)
  • Use the Office 365 compliance center to search/purge for that email in case others have it that you don’t know about. https://support.office.com/en-us/article/Search-for-and-delete-email-messages-in-your-Office-365-organization-Admin-Help-3526fd06-b45f-445b-aed4-5ebd37b3762a
  • Verify and/or update security and operating system updates
  • Review Event logs https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-sign-ins
  • Review autostart software/apps using Sysmon from Sysinternals, and investigate anything unfamiliar
  • If there's any doubt if the computer has been compromised, reimage or redeploy
  • Review spam filters, malware filters, connectors, and transport rules for potential modifications to prevent future phish with similar characteristics
  • Verify and/or add SPF, DKIM, and DMARC DNS records, and plan to set the DMARC policy to p=reject
  • Keep all software up-to-date
  • Stay abreast of common threats, tools/techniques to combat phishing and ransomware
  • Take advantage of built-in Windows security tools like Windows Defender
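As an added example (not code from the original post or from the Phish Hunter product), the following Python triages inbox rules exported from a compromised mailbox for the patterns the IT Pro checklist above asks you to review: external forwarding, silent deletion or hiding of mail, and filters keyed on security-related words. The field names follow the output of Exchange Online's Get-InboxRule as the assumed input shape; the sample rules and domains are constructed.

```python
"""Triage exported inbox rules for post-phish persistence patterns.

Assumed input: a list of dicts using Get-InboxRule field names (Name, ForwardTo,
RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder,
SubjectContainsWords, BodyContainsWords), e.g. exported via ConvertTo-Json.
"""
import re

# Folders attackers commonly use to hide mail from the user's view (illustrative list).
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "archive"}
# Words an attacker filters on to suppress warnings or replies about the compromise.
WATCH_WORDS = {"password", "hacked", "phish", "phishing", "suspicious", "invoice", "payment", "wire"}

def _recipients(rule):
    out = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        out.extend(rule.get(field) or [])
    return out

def _domain(addr):
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""

def flag_suspicious_rules(rules, org_domains):
    """Return {rule name: [reasons]} for every rule that warrants manual review."""
    org = {d.lower() for d in org_domains}
    findings = {}
    for i, rule in enumerate(rules):
        reasons = []
        name = (rule.get("Name") or "").strip()
        if len(name) <= 2:  # blank or "." names are a common attacker habit
            reasons.append("blank or near-blank rule name")
        for rcpt in _recipients(rule):
            if _domain(rcpt) not in org:
                reasons.append(f"forwards/redirects outside org: {rcpt}")
        if rule.get("DeleteMessage"):
            reasons.append("deletes matching messages")
        folder = (rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].lower()
        if folder in HIDDEN_FOLDERS:
            reasons.append(f"moves mail to rarely-read folder: {folder}")
        words = {w.lower() for w in (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])}
        if hits := sorted(words & WATCH_WORDS):
            reasons.append(f"filters on security-related words: {', '.join(hits)}")
        if reasons:
            findings[name or f"<unnamed #{i}>"] = reasons
    return findings

SAMPLE_RULES = [  # constructed sample, not real tenant data
    {"Name": "Move newsletters", "MoveToFolder": "\\Newsletters", "SubjectContainsWords": ["newsletter"]},
    {"Name": ".", "ForwardTo": ["collector@example.net"], "DeleteMessage": True,
     "SubjectContainsWords": ["password", "hacked"]},
    {"Name": "Invoices", "MoveToFolder": "\\RSS Feeds", "BodyContainsWords": ["invoice", "wire"]},
]

if __name__ == "__main__":
    for name, reasons in flag_suspicious_rules(SAMPLE_RULES, ["example.com"]).items():
        print(f"{name!r} -> {'; '.join(reasons)}")
```

Run the same function against rules pulled from each recipient of the phishing email, since the checklist notes that those who entered credentials are likely compromised too.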


For the Chief Security Officer:

  • Ensure the impacted users are provided with a debrief on what likely happened (many who have their accounts compromised won’t admit to having been phished, but something happened)
  • Make other users aware of the current threat
  • Adjust training to include new lessons learned
  • Stay abreast of common threats, tools/techniques to combat phishing and ransomware
  • Support IT Pros in their efforts to protect, detect, and respond with training and the proper tools/licensing that meet your organization’s business needs/requirements
  • Employ Microsoft or third-party SaaS security capabilities like Office 365 ATP, Advanced Threat Analytics, and Windows Defender ATP to prevent, detect, and respond


To more proactively find and remediate phishing issues, see Enabling’s Phish Hunter solution.
