Identifying Phishing and Mitigating It

Most phish attempts start from obtaining users’ passwords then proceed to downloading of payloads so that the end systems can be controlled remotely.

Attacker subsequently gathers info to propagate infection, disables security and attempts privilege escalation (eg. dumping payloads to vulnerabilities within the network). It may also includes encrypting of critical data (typical ransomware attack) then requesting payment to decrypt them.

The result of a successful phishing attack is usually targetted at causing financial losses but its impact entails far more damage.

Impersonating colleagues

One scenario may be a junior staff receiving instruction from their manager claiming to be overseas and instructing his/her staff to urgently remit money to a bank account due to a last minute agreement/purchase.

In this scenario, the manager account is compromised and the pepertrator is monitoring the account and send the phishing email using similar signature and writing style to trick the recipient to pay an unknown party.

The attempt would be for a amount that is large enough but yet not trigger a phone call to the manager.

Impersonating suppliers

Another scenario would be, when a customer’s email account is compromised, it is monitored for correspondence between the compromised account and his/her suppliers.

The perpetrator then registers a misspelled domain (1 as L or I, I as L) that is similar to domain of one of the suppliers that has bigger transactions with the customer.

Subsequently, a phishing email is then sent to the compromised account claiming to be from the supplier using the mispelled domain registered. The phisher the impersonate as the supplier, requesting any upcoming payments to be sent to a different bank account (under a different name) citing issues with their bank.

If successful, both customer and supplier will suffer financial loss (one from not getting paid and the other from paying to an unknown party).

Mitigation

In above scenarios, enabling MFA – where logins are challenged with a code sent to registered mobile number or via authenticator, may alleviate the issue.

MFA may be also be configured to be required only when users are signing in from unfamiliar IP addresses outside of their corporate network.

It would be ideal to prevent getting compromised from the start by implementing firewall web filters preventing users from reaching a phish site.

There are also phishing simulation (Defender for Business for Microsoft 365) that will simulate attacks to train users detect emails that looks like phishing attempts. (For users that fail the simulation, they may be requested to go for a friendly coffee session – aka retraining on how to detect phishing.)

IT department may also geo-target the authentications to be allowed only from within a fixed number of geolocations and monitor audit logs for malicious attempts and react accordingly.

Phishing attempts usually start with a forged email with a link for users to authenticate and then initiates an install of malware to the system.

Phishing/malware links can be blocked/prevented using a mix of firewall web-filtering and application layer control.

Don’t have MFA/2FA? Synchronization of emails taking too long? – contact us to sign up for Office 365.

If you require reviewing or securing your network, feel free to contact us. We will be happy to assist you.

A Microsoft-based phish simulation tool is available with Microsoft Defender Plan 2. It is ideal for administrators that would like to run simulations prior to conducting training to users.