Gone Phishin’ – What to do if you suspect an attack

Recently, I have had many conversations with connections in several industries that have encountered a recent run of phishing emails. Some of them have fallen victim to an attempt to gain access to private information and, sadly, surrendered their credentials.

With the Notifiable Data Breaches scheme now tracking security incidents in Australia, it has revealed that phishing is the most commonly used method of cyberattack. Accounting for 39% of all breaches that have been reported to the Office of the Australian Information Commissioner¹.

How does it work?

The victim receives an email that is actually quite simple in format and lacks the grand sophistication of many malicious emails, but because of how “personalised” it is, and often arriving from a known sender, it succeeds. It often includes the logo or crest of the sending organisation and a link it entices the recipient to click (wording varies, but it might be “click here to see the image / attachment”. Upon clicking on the link, the victim is redirected to a website and prompted to enter their user name and password, giving them to the attacker. Simple but effective.

The attacker then accesses the victim’s email, usually Office 365, and mass-mails everyone in the victim’s address book or contacts list with the phishing email whereby the logo or crest can be substituted for the newly-compromised organisation’s identity. The cycle then repeats as more and more individuals are tricked into sharing their credentials.

So, it’s basically a mass spamming, right?

Yes and no. The first and most obvious problem is that the victim has given up their user name (often an email address) and password, effectively allowing the attacker to log on to systems they are authorised for. In the cloud world, this can be several different systems including email, CRM, file storage, and proprietary applications. The less obvious, but more serious issue, is the now-compromised access to potentially critical and sensitive data.

Oh yes – since we humans are well-known for using the same password in many places, what’s stopping an attacker from attempting to compromise other accounts belonging to the victim? Personal email? Banking? Other corporate systems? Other family members?

But changing the password will mitigate further damage, right?

Again, yes and no. While changing your password is the first thing you should do (and possibly disabling the account, which many have done as a first step), it doesn’t guarantee that the attacker hasn’t actually got access to, well, everything. Also consider that the attacker may have had access even after the password was changed if they still had a live session, and until the password change has actually replicated throughout the domain.

I’d strongly emphasis the victim also change their personal passwords at the same time, especially if they used the same now-compromised password.

How can I check if the password change has helped?

This is where logging can help. If you can figure out where the attacker has logged on from successfully, see if there are now failures from that same source. From a few I have seen, I have viewed logs with a number of successful logons followed by a number of failures that roughly coincided with the password change (with a bit of a lag, of course, as the password change replicates).

So why the lag? Won’t changing my password have an immediate impact?

In the cloud world, there are a lot of places to log on, serviced by several different servers, so a user logging on from Singapore won’t use the same server as Sydney, so until they synchronise, it can still be a live channel for the old password. It’s like making changes to DNS records that can take hours (and in the past, days) to replicate globally. Long story short, change the password the minute you get a whiff of a problem and get your IT team to immediately disable the account until you can sort it out. Speeds may vary – it all depends on your environment and this is also true if you still use on-premises infrastructure.

Password changed. I’m in the clear, right?

No. Your work has just begun. You now need to understand what the attacker may have accessed and what that data consists of. Be warned, it can get ugly but a level head and a calm approach are needed. You will need to consider any Privacy Act and Data Breach Notification implications and whether or not this constitutes a breach reportable to the Office of the Australian Information Commissioner (OAIC). You need to work with the relevant stakeholders and your legal team; I cannot and will not provide any legal advice and this blog should not be relied upon as such. I wrote an opinion piece on the whole thing some time ago; I hope you find it useful in this regard.

So, where do I start?

Besides the obvious action of changing passwords and disabling accounts, one of the first places I would start is understanding who else in your immediate organisation may have been compromised. This isn’t a time for blame-storming and finger-pointing (we’re all human and we make mistakes – remember that) but trying to figure out whose account has been breached and is blasting out phishing emails so you can close the other doors should be top of mind. Someone skilled in Office 365 and email systems can really help here. Look for a large volume of similar or identical emails… size, subject, anything you can use to find the suspect message. Handle those accounts.

If anyone else has received the message (and hopefully not clicked on it) have them delete it and, for goodness sake, if it’s in your junk folder, just delete it. Purge the rest if you can so others might not be tempted. If you can, gather up any forensic details and if you can trace the first instance of the message from another organisation (check the email header) you may want to give them the heads-up if they’re not already aware.

A really important step here is communications. Try to get in front of this thing and communicate with anyone that may have received it, urging them not to open it, immediately delete it, and provide a contact to handle the (sometimes vitriolic) fallout. Look, people are going to talk and put people on blast (usually on Facebook, Twitter, Instagram and other social media) but all you can do is try to inform accurately and quickly. Work with your internal team on this; they know how best to word things. Colleagues, business partners, your board of directors and broader industry, as well as parents and students if you’re an educational institution, all have their own nuances; be mindful.

It’s my opinion only, so take it as you will, but I’d stay away from outright admitting guilt. At this point, you don’t know if anything sensitive has been compromised, so avoid spooking people – we’re all pretty jittery as it is, with regards to cybersecurity. Again, I emphasise calm. At this point, as far as you are concerned, you’ve just been spamming people.

Passwords changed, accounts secured, communications sent. Now what?

Now that you have put out the fire, odds are it may still be smouldering. You need to consider whether or not you need additional countermeasures like blocking addresses, filtering, and so on – talk to your IT team or a consultant that specialises in Office 365. We know many, so let us know and we can do our best to help you out.

Roll up your sleeves; the real work begins.

This is where you really want to dig into your logs to understand the extent of the compromise (notice I didn’t say breach; we haven’t made that conclusion yet). If you have the advanced logging features as part of your service, they’re worth their weight in gold. If not, I’d suggest subscribing or turning them on. You’re looking for any information you can that links what the attacker may have been doing, to ascertain what they may have accessed.

In this day, we have a lot of systems interconnected, especially in the Office 365 world. There could be sensitive documents stored in your OneDrive, and you may have access to specific applications that contain sensitive data, so try to figure out if any of these have been accessed. Look for session details such as when the attacker connected, how long they stayed active, and the volume of data downloaded or accessed. Odds are that they’re behind a proxy router or other VPN and will be nearly impossible to trace so focus your efforts elsewhere – they may have connected from several points.

Here’s a scary thought: I have seen several instances where a mail client, like Outlook, was actually connected to the compromised account and the ENTIRE contents – inbox, deleted items, contacts, drafts, archive – was synchronised. Watch out for these. Not to frighten you but rather to make you aware.

You will have to ask some hard questions like what information has been sent and received via email, stored in the cloud, or accessible via their login. We all say and do some things in email we’d rather the rest of the world not know, so now is the time to be straight-up. Ask if that data were to be made public knowledge, what would the consequences be? Is there any kind of financial or personally identifiable information (PII) available? This is the greasy one: will anyone come to harm (physical, financial, reputational, and emotional) as a result? Again, just my opinion, but there is a pretty big gap between a little embarrassment and reputational ruin.

It’s very subjective and this is why you need your legal team involved. Before you officially report a breach, you need to be reasonably certain that one has occurred and can back it up with evidence. Thankfully, in Australia, we have more time (30 days) to conduct an investigation because when it comes to the European Union (EU) General Data Protection Regulation (GDPR), they only have 72 hours.

Where to from here?

We’re human and we make mistakes, but we can also learn from these mistakes and ultimately, it makes us a lot sharper, better informed, and capable of looking out for one another. There are some great organisations out there that can help you with the investigation, and help going forward by equipping you with the technical and administrative controls that can mitigate future incidents. Sometimes it’s not just controls, but turning ourselves into those controls and I know of several organisations that do an outstanding job in educating us from both a technical and behavioural perspective.

Ask lots of questions. If you click on a link and it asks you for your login details, don’t. Easier said than done, I know, but unless you are 100% certain about its legitimacy, ask. Pick up the phone, go see your IT team, talk to your manager, anything you need to do in order to be sure. Heck, ask me or my colleagues if you have to!

Reach out to me anytime, we all need to look out for one another.

Stay safe out there.

1. Office of the Australian Information Commissioner. (April, 2019). Notifiable Data Breaches Scheme 12-month Insights Report. [Online] Available at:https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics/ndb-scheme-12%E2%80%91month-insights-report.pdf