User has clicked phishing mail. How do you act?
Posted by w_wizard@reddit | sysadmin | 86 comments
For context, I'm pretty early in my career and work at the helpdesk of a company with 5000+ employees.
Every now and then somebody calls us or rushes to our door and screams in panic that they have clicked a phishing mail.
My go-to actions have been these.
Disconnect the computer from the company network: put the computer in airplane mode and plug in the charger.
After that, reset the password in AD and revoke sessions in Entra ID.
After this I usually start an MS Defender full scan.
Meanwhile I check the message trace in the M365 admin center to see whether the same sender managed to send this mail to other users too.
After that I check the Azure sign-in logs for suspicious login attempts.
After the scan is complete and nothing is found, I am instructed to give the computer back to the user.
If something is found I let Defender clean it and run a new scan to double check. I guess if there were still something I would reinstall the whole machine.
I have let my senior colleagues know that this kind of incident has happened and they seem very pleased and just carry on with their day.
What troubles me is: is MS Defender actually good enough to spot all the possible bugs?
What is your way of making sure that the computer is ready and safe to give back to the user?
Sometimes I have also given a spare computer to the user while I work on their computer.
I have also been wondering whether there is a possibility that, if I restore the user's data from OneDrive, the "bug" could "jump" from computer A to computer B via OneDrive. Is this just paranoia or a possible scenario?
I know that we have an external vendor who also monitors our systems and computers, and we have some kind of EDR software installed on all computers, but I don't know the ins and outs of how these work.
Thanks for all the answers! I'm just curious to learn how to handle these kinds of situations, and I guess we are not the only company that has sloppy users who fat-finger now and then.
SldgeHammr@reddit
Tell them they've lost mouse privileges and take it away. Tell them they'll get it back once they've learned their lesson.
coak3333@reddit
I was going to say, a quick karaoke chop to the back of the neck. Realising now that is too humane
MBILC@reddit
Nuke it from orbit...
You can never 100% know, and no single tool can 100% protect you, why security is a layered approach.
There is always a risk acceptance. Some have the luxury of having spare systems on hand to swap out to said user, others do not.
A phishing email, depends what the payload was, was it simple data theft to collect login info? Or was it an info-stealer that had the user install something, or go to a site that required java to load a payload or something?
Question is then, what are you using for email protection that let said phishing email get past or not flag it?
imnotaero@reddit
If you nuke the computer of every person who reports having clicked a phishing email, you will discover that people will not report to you when they've clicked a phishing email.
When people self-report, you should thank them and bend over backwards to do everything to make the experience painless. The best way to do that is to have what you need in place to determine with acceptable confidence the intent of the attack and what was done.
Ensure you can collect evidence, and nuke the machine only if the evidence supports the approach. Be apologetic about it.
capetownboy@reddit
100000% this
SensitiveFirefly@reddit
This is the correct answer.
jam-and-Tea@reddit
Ug I hate this but you are so right.
krazul88@reddit
This is the intelligent approach to long term survival.
KindlyGetMeGiftCards@reddit
This is why we upgraded to Mac's, they are 100% hack proof, just ask any mac user, they will tell you, and keep telling you, then keep telling how awesome and secure it is.
We did have to increase the computer budget by 1,000,000% to accommodate the hardware changes and refresh after every apple announcement to reduce fomo.
Hmmmm, looking at the price of a new mac and a slightly used nuke, it maybe cheaper to go a nuke, well I'm off to the accounting department to crunch some numbers.
Kuipyr@reddit
We've upgraded to carrier pigeons and haven't had an incident since.
jam-and-Tea@reddit
upgrading to clay tablets but now we don't have enough storage space.
awit7317@reddit
Just watch out for those vegan Mac users that do CrossFit.
KindlyGetMeGiftCards@reddit
Dang, you said the V word, now they are going to come out of the woodworks, you know because wood is better for the environmental footprint for numerous reasons, then they will proceed to tell you about the reasons, in detail.
jl9816@reddit
Yes. Nuke it.
If they clicked on a phishing link they can wait for the PC to be reimaged....
SinoKast@reddit
I agree, cost of doing business.
Competitive-Dog-4207@reddit
Do you guys just do a standard windows installation media reinstall and wipe everything?
SinoKast@reddit
Usually toss the hard drive, replace it and load an image. Sometimes toss the whole unit if it's old enough and image a more recent workstation.
e358c878@reddit
lmao, you do all of that for clicking a link? I suggest you learn some security basics
krazul88@reddit
@SinoKast, what happens to the drives you "toss" ??
SinoKast@reddit
We have a bin for such things that gets picked up yearly by a bonded ewaste company for destruction, among other electronics that have special disposal needs.
SinoKast@reddit
And yes, we have a key and the company has a key. Also always under surveillance. I work in the casino industry, highly regulated on that front.
e358c878@reddit
This is beyond wrong. It's a fucking link. What shitty world do you live in that you're getting popped by 0day JavaScript breaking out of a Chrome sandbox?
You need to understand actual threats and threat models.
ie-sudoroot@reddit
And no internet access for a month except for some training access.
spaetzelspiff@reddit
Nuke the user from orbit, then deal with the device.
saturatie@reddit
No security tool can catch everything. Some will still slip through.
cubic_sq@reddit
For us…
isolate user devices, pending full wipe and reinstall
checklist of 43 items (current number)
disk image user device if required - then wipe and reinstall
We have found full wipe and reinstalls to be more effective in getting users to remember to not click….
thortgot@reddit
The actual damage being done is very rarely on the endpoint, what they are primarily after is the theft of a session token.
Azure Sign In Logs will not always show suspicious activity.
Assuming you aren't using phishing resistant credentials.
1. Revoke all MFA sessions for the user
2. Force user credential change (the password can be leaked whether the user says they typed it in or not).
3. Look at the actual endpoint for potential infection (99.99% of the time there won't be anything but that doesn't mean you shouldn't check).
4. If you are going to wipe the device TAKE A BACKUP FIRST. Way too many people are advocating for removing all the actual information about the breach without doing any info gathering.
Visible_Spare2251@reddit
This is good. In my (limited) experience, step 1 is the most important these days with AiTM and Business Email Compromise attacks.
And I like point 4. There was a thread on here the other day where a sales person got caught out and had his laptop wiped and everyone here seemed to take so much joy in the fact he lost all of his files without warning.
xtheory@reddit
Cyber engineer here. Just to add to that, once I've destroyed all of the tokens on the workstation/laptop in question and have removed any sensitive company data including LSASS stores, I'll reconnect it to an isolated network with internet access with wireshark running to capture what outbound connections it's making and see if they match any known C2 servers that a threat actor could be operating. I note that and then do a search of network traffic logs to see if there's any other endpoints on my network communicating with those IPs. On occasion there could be a zero-day vulnerability along with a ransomware payload that could've been downloaded as part of the phish that could propagate across the network. God forbid if there's a high-sev RCE involved. If so I want to know what other systems I need to take offline for sanitization.
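The capture review described in the comment above, as an added example (editor's code, not from the thread): pull destinations and DNS queries out of the isolated host's capture with tshark, match them against an IOC list, then search firewall logs for other internal hosts that reached the same destinations. The capture path, the IOC list, the firewall log lines and the internal addresses are constructed placeholders (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); the tshark field names are real.

```powershell
# Added example (not part of the thread). Assumes tshark is on PATH; $CapturePath,
# $Iocs and $FirewallLog are constructed placeholders for this example.
$CapturePath = 'C:\IR\case-0001\isolated-host.pcapng'   # placeholder path

# Constructed IOC list, the shape a threat feed or sandbox report would give you.
$Iocs = @{
    Ips     = @('203.0.113.45', '203.0.113.77')
    Domains = @('update-cdn.example.net', 'files.example.org')
}

# Constructed firewall log lines, one connection per line (syslog-style key=value).
$FirewallLog = @'
2024-05-02T10:01:12Z fw01 src=10.20.1.15 dst=203.0.113.45 dport=443 action=allow
2024-05-02T10:01:40Z fw01 src=10.20.1.15 dst=198.51.100.10 dport=443 action=allow
2024-05-02T10:03:05Z fw01 src=10.20.3.88 dst=203.0.113.45 dport=443 action=allow
2024-05-02T10:05:51Z fw01 src=10.20.7.2 dst=203.0.113.77 dport=8443 action=deny
'@ -split "`n"

# 1. Destination IPs, ports and DNS query names seen from the isolated host.
#    ip.dst / tcp.dstport / dns.qry.name are real tshark display-filter fields.
$tsharkArgs = @('-r', $CapturePath, '-T', 'fields', '-E', 'separator=,',
                '-e', 'ip.dst', '-e', 'tcp.dstport', '-e', 'dns.qry.name')
$rows = & tshark @tsharkArgs | ConvertFrom-Csv -Header dst, port, dns

$seenIps     = $rows | Where-Object dst | Select-Object -ExpandProperty dst | Sort-Object -Unique
$seenDomains = $rows | Where-Object dns | Select-Object -ExpandProperty dns | Sort-Object -Unique

# 2. Match against the IOCs. Domains match on suffix so subdomains are caught too.
$ipHits     = @($seenIps | Where-Object { $_ -in $Iocs.Ips })
$domainHits = @($seenDomains | Where-Object {
    $d = $_
    $Iocs.Domains | Where-Object { $d -eq $_ -or $d.EndsWith(".$_") }
})
"IOC IP hits:     $($ipHits -join ', ')"
"IOC domain hits: $($domainHits -join ', ')"

# 3. Which other internal hosts talked to the same destinations? Those are the
#    next systems to take off the network. 10.20.1.15 is the known-bad host here.
$pattern = '^(?<ts>\S+)\s+\S+\s+src=(?<src>\S+)\s+dst=(?<dst>\S+)\s+dport=(?<port>\d+)\s+action=(?<action>\w+)'
$FirewallLog |
    ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                ts = $Matches.ts; src = $Matches.src; dst = $Matches.dst
                port = [int]$Matches.port; action = $Matches.action
            }
        }
    } |
    Where-Object { $_.dst -in $ipHits -and $_.src -ne '10.20.1.15' } |
    Group-Object src |
    Select-Object @{ n = 'Host'; e = { $_.Name } }, Count,
                  @{ n = 'Destinations'; e = { ($_.Group.dst | Sort-Object -Unique) -join ',' } }
```

With the constructed log above this reports 10.20.3.88 (allowed to 203.0.113.45) and 10.20.7.2 (denied to 203.0.113.77); a denied connection still matters, because it shows the host tried. Replace the inline log with your firewall or proxy export and widen the time window to cover the period before the user reported.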
harbinger-nz@reddit
Or, redeploy OS from your favorite device management platform. As an engineer for a large MSP in my city, I carry a standard base image that can be quickly blown on to any major vendor hardware (Dell, HP, Lenovo etc) in about 10 minutes, then configure onto their local domain, or 365 tenancy.
We have automation set up for clients that subscribe to that service, but for the clients that can't afford that, this is the best option for a full recovery with absolute guarantee it's clean.
I usually invoice 1.5 to 2 hours when setting up on workbench away from client site, and that's effectively only 30 minutes of actual work. The rest is gravy time for us MSP folk who have timesheets.
I thought 2 hours was pretty fair and represented value to client, especially after hearing from one client their previous MSP charged 6 hours for a user account setup.
xtheory@reddit
I think you might have missed my point. Of course reimage the compromised system after having done your post-mortem and investigation, but preserving it, sanitizing sensitive data, and then reconnecting it to the internet outside of your corporate LAN gives you the opportunity of gathering IOCs to look for on your network and other connected devices that could've also been compromised.
cliffspooner@reddit
This is the answer.
Vinny376@reddit
Remote into their PC, make them think they're being hacked, make them afraid to click anything without reading.
Commercial_Growth343@reddit
Clicking on a phishing email usually doesn't mean they were hacked. In most cases you have to actually type your password - that is the whole idea of a phish. So if the user did not do that, I would not panic. But I would look at the phish email, make sure I submitted it to my phishing filter provider. I would see if I can do anything else that might stop others from clicking on it, to help such as reporting the URL to Microsoft and Google. Your firewall vendor may also have a submission page for URLs. I might block the domain the phish came from. I might block the domain in the URL as well - depending on what it is.
malikto44@reddit
There are degrees of interacting with a phishing email. The first is selecting to show pictures, which will ensure the phishing site knows the email address is valid, since someone clicked on it. Then a visit to the site, up to and including entering credentials. Even if credentials are not entered, tokens can be snarfed. At a previous MSP, I started using KnowBe4, and what a user tells me they did with a phishing email is completely different than what the results were in some cases. For example a user telling me they "just clicked" on it, when the report shows they gave all their details.
GolfballDM@reddit
I wouldn't assume that the user is telling the truth about entering (or not) their credentials to a phishing site.
DominusDraco@reddit
I dont care if they click on a phishing link, I care if they entered their credentials.
Isolating the endpoint is a waste of time, it's a phishing attack, not a virus.
-Reset their password.
-Force sign out any sessions
-Check the registered MFA devices, the first thing they usually do is register their own MFA device to regain access later.
-Check no mail has been sent or forwarding has been set up.
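The identity-side containment that thortgot and DominusDraco describe above (and steps 2 and 5 of the OP's routine), as an added example. This is editor's code, not from the thread; it assumes the Microsoft.Graph PowerShell SDK, an operator holding the listed scopes, and $Upn as the affected account.

```powershell
# Added example, not from the thread: contain a phished Entra ID account.
# Assumptions: Microsoft.Graph SDK installed, operator has the scopes below.
param([Parameter(Mandatory)][string]$Upn)

Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All',
    'UserAuthenticationMethod.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All'

# 1. Revoke sessions first. This invalidates refresh tokens and browser sessions,
#    so a token proxied through an AiTM page stops working. Access tokens that are
#    already issued stay valid until they expire (typically up to an hour).
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Rotate the password regardless of what the user remembers typing: a random
#    temporary value from the OS CSPRNG, forced to change at next sign-in.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Registered authentication methods. Compare with what the user says they own;
#    an Authenticator app or phone number they do not recognise is the attacker's
#    way back in. Removal of an Authenticator entry is shown commented out.
Get-MgUserAuthenticationMethod -UserId $Upn | ForEach-Object {
    $p = $_.AdditionalProperties
    $detail = $p['displayName']
    if (-not $detail) { $detail = $p['phoneNumber'] }
    if (-not $detail) { $detail = $p['createdDateTime'] }
    [pscustomobject]@{
        Id     = $_.Id
        Type   = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
        Detail = $detail
    }
} | Format-Table -AutoSize
# Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn -MicrosoftAuthenticatorAuthenticationMethodId <Id>

# 4. Interactive sign-ins for the last 14 days. Look for unfamiliar IPs, apps and
#    legacy clients. A matching country proves nothing: AiTM kits proxy the
#    victim's session and can source the traffic from the victim's own region.
$since = (Get-Date).ToUniversalTime().AddDays(-14).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Top 200 -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        ClientAppUsed, AppDisplayName,
        @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.FailureReason } } } |
    Format-Table -AutoSize
```

Order matters: revoke before resetting, because a live refresh token survives a password change in some flows, and keep the method list from step 3 in the case notes so you can show what was registered before you removed anything. If the tenant is passwordless, step 2 is simply skipped.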
JustifiedSimplicity@reddit
This plus:
If it was a large campaign and you have a solid SWG in play, run the url through a search to see if anyone else clicked the link and wash rinse repeat the first steps as needed with additional victims.
Or you know, nuke it, piss off the end-user, diminish the confidence of the business in IT’s ability to act rationally and pat yourself on the back for “keeping the business secure”
Awkward_Not_@reddit
This. I like to get the email myself during this too and do a quick 5 minute investigation to see if I need to go any further and bother with the machine (which is rare).
Run the eml through phishtool and see what it picks up. Run the links through urlscan to verify what the user may have seen and/or did. Run attachments through joesandbox and see if it has any "malicious payloads" hidden in there.
But 90% of the time, it's just a fake Microsoft sign-in page or a pdf with a QR code in it.
e358c878@reddit
You are the only knowledgeable person in here. It's wild the people living in the 90s that think they're getting popped by ActiveX RCE....
WheredMyMindGo@reddit
What everyone else said plus report it to HR. Their management needs to reinforce training or write ups.
DeadbeatHoneyBadger@reddit
Check inbox rules. Usually there's something added there when a user gets compromised.
No_Resolution_9252@reddit
You seem to be focusing on the desktop instead of the damage. The damage malware does now, isn't so much on the endpoint, but on the loss of data/credentials/etc.
Cycl_ps@reddit
Don't forget to check for any new app registrations on the account. Attackers have been using email app connections to get some persistence on the account, creating mailbox backups and sending out email blasts to push the phish further. Do a search for PERFECTDATA and you should find some writeups on it.
LordFalconis@reddit
As MBILC said, nuke it. Just went through this but on a phone. You do not know how buried the payload is or if it will self-install again. Back in the early 2000s I had a coworker whose son got a virus; found one file like 12 folders down. Even after I thought I cleared it off, it reinstalled itself. Wiped the machine and reinstalled Windows, then all was good.
Check your message logs for anomalies and check if any rules were created in the users account. When I did this I found a rule named "." which was hiding emails as part of the scam.
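The mailbox persistence checks raised by DeadbeatHoneyBadger, Cycl_ps and LordFalconis above (inbox rules including ones named "." or similar, forwarding, and OAuth "email app" grants), as an added example. Editor's code, not from the thread; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an operator with Exchange and directory read rights, and $Upn as the affected mailbox. It only reads; the removal commands are left commented.

```powershell
# Added example, not from the thread: find what an attacker left in a mailbox.
# Assumptions: ExchangeOnlineManagement + Microsoft.Graph modules; read rights.
param([Parameter(Mandatory)][string]$Upn)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -NoWelcome -Scopes 'User.Read.All', 'Directory.Read.All'

# 1. Inbox rules, hidden ones included. Flag rules that forward, redirect, delete,
#    file away or mark as read, plus any rule whose name contains no word
#    character at all ("." and ".." are the usual disguises).
$rules = @(Get-InboxRule -Mailbox $Upn -IncludeHidden)
$suspicious = @($rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MoveToFolder -or $_.MarkAsRead -or
    $_.Name -notmatch '\w'
})
"Rules: $($rules.Count) total, $($suspicious.Count) flagged"
$suspicious | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage,
    MoveToFolder, MarkAsRead, Description | Format-List

# 2. Mailbox-level forwarding, which lives outside the rules.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. OAuth grants the user consented to. An unfamiliar app holding Mail.* or
#    offline_access is the "email app connection" persistence pattern.
Get-MgUserOauth2PermissionGrant -UserId $Upn | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ App = $sp.DisplayName; AppId = $sp.AppId; Scope = $_.Scope; GrantId = $_.Id }
} | Format-Table -AutoSize

# 4. Mail sent from the account in the last 10 days (message trace retention).
#    A burst of one subject to many recipients is the onward phish.
$end = Get-Date; $start = $end.AddDays(-10)
Get-MessageTrace -SenderAddress $Upn -StartDate $start -EndDate $end -PageSize 5000 |
    Group-Object Subject | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20

# Removal, once confirmed with the user (commented so the script stays read-only):
# $suspicious | Remove-InboxRule -Confirm:$false
# Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

The rule filter is deliberately broad and will also list legitimate "move newsletters to a folder" rules; the point is to get a short list to walk through with the user rather than to auto-delete. Export the output before removing anything so the case file keeps the evidence.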
e358c878@reddit
Everything you said is nonsense. There is no "buried payload" executing in a sandboxed browser and infecting a machine, short of some unpatched RCE or unknown 0day. Which, if you have that, you're fucked anyway.
You need to update your knowledge past the year 2000.....
10gistic@reddit
I appreciate some voice of reason in here. There are some real r/masterhacker vibes in these responses. PhishMe et al. are a major harm to real security IMO and their marketing is doing their best to convince people who don't know better that the threats from phishing outside a national security context are significantly worse than they really are.
vzeroplus@reddit
I would be more concerned that a 5k+ org doesn't have a defined process/toolset for this already.
hops_on_hops@reddit
Believe it or not, jail.
ShakeEnBake@reddit
They put the wrong password?
JAIL.
BlameDNS_@reddit
You take away their computer and give them a wooden computer instead. If they fall for another phishing email, take away the wooden computer and give them a rape whistle.
unavoidablefate@reddit
Don't forget the mandatory cyber security training enrollment.
SinoKast@reddit
This is why managed security awareness is worth its weight in gold. I implemented MSA through Arctic Wolf and it's given me a lot of insights on who the problem employees are, which then helps me train them.... as much as half the time it doesn't help.
BiddlyBongBong@reddit
Really enjoying Arctic Wolf as my cyber security platform. The concierge team for the MDR are fantastic
SinoKast@reddit
Yup, very hard to beat!
Sensitive_Papaya_723@reddit
make sure to check in Outlook for any new rules like forward email and delete old email
godspeedfx@reddit
If endpoint security didn't flag anything, we just revoke login sessions, MFA sessions, require re-register MFA. We're passwordless so nothing to do with that. Investigate the email / user account for forwarding, evaluate if it went out to / was clicked by anyone else, and give them the same treatment. Investigating with Defender for 365 is pretty automated.
If endpoint security flagged something, isolate machine and investigate exposure, then re-evaluate after findings. If no other exposure, wipe and restore w/ Autopilot and have a nice day. If spread, order pizza for the team and buckle up.
If it's actually just "phishing" and not malware, they only want a session / MFA token so they can use the account for social engineering. If they don't use the account to spread the attack, a simple session / MFA revoke, MFA reset, and password reset if you use them is sufficient.
SmallBusinessITGuru@reddit
This should be something that the Sr. System Administrators researched and documented for you in accordance with your company policies, as set by the IT Director/Manager.
I will say that given that you're stepping up and taking it on yourself, keep researching and document what you do and send it up the chain. Use that initiative to push yourself into that Sr. System Administrator role, and then just keep on keeping on with the good work.
The_Zobe@reddit
Welp…
catherder9000@reddit
I assume Fortiguard and Fortinet SOC are on top of it, I also assume Vipre EDR+MDR is on top of it and between the two it's been mitigated out the yingyang. I then pat my cyber insurance on the wallet and carry on with my daily grind.
I don't get paid to give a fuck about user stupidity, that's for upper management to worry about. IT did our job, our leveraged services did their jobs, we wasted money with KnowBe4 for some reason and that user(s) took the training.
I am not that invested emotionally to care about things beyond my direct control. It comes with age I suppose.
Sir_Swaps_Alot@reddit
Isolate and shame.
primalsmoke@reddit
Suggest that a procedure be set up for future incidents.
A runbook needs to be created.
Suggest that a better effort start to educate everyone on security. Security starts with each employee.
Seems like you are reaching for solutions which is commendable, however security should concern everyone.
Virtual_Ordinary_119@reddit
Sever user head. Then format PC and give it to some sentient human being
elpollodiablox@reddit
Do this first. You might also want to disable his account while you get things under control.
You'll also want to check the rules in their mailbox, including client-only rules.
Next_Information_933@reddit
Generally I'll blacklist the endpoint in EDR and then run a full scan. If they're a user on a shared computer that can move around easily I'll just wipe the machine..
Vesalii@reddit
We went with MFA from "yeah... whenever we find time" to "we need to deploy this in the coming weeks". A user getting phished was the wake-up call we needed. We also have policies for who can log in and from where. Some users can only log in from within the network for example.
These are mitigations to set up that vastly improve account security. Even if a user gets phished, it's likely from a far-away country that won't be able to do anything with the account.
torbar203@reddit
While MFA is definitely important to have, there's some phishing I've been seeing that will hijack the 365 session and bypass MFA. Evilginx is the toolkit that it uses, I believe.
Vesalii@reddit
It's not perfect but it's a free upgrade to security that can stop or slow down at least part of the attacks when personal passwords get hijacked.
andpassword@reddit
...angry. I act angry.
mchetherington@reddit
To add to above, login to OWA and Outlook desktop and ensure no email rules have been applied that aren’t normal/expected.
PvtBaldrick@reddit
If this is a common issue then look at investing into a SOAR solution which will automate the response with a playbook.
You can also search for SOAR phishing playbooks online and look at the actions they do for your manual response...
actnjaxxon@reddit
At a minimum:
* Reset all of that user's session tokens
* Rotate their password
* Scan all of the things
For the super paranoid, reset MFA if it isn't a FIDO2 key or passkey.
kromedd@reddit
Also open outlook owa and check if any rules have been added.
Public_Cicada_6228@reddit
Revoke tokens, reset password.
Block the URL the user clicked on, including any redirect links to contain the phish. Block domain if necessary.
Depending on the phish, run a scan with whatever system you have.
Removing the network from the device isn't going to do anything if it's a run-of-the-mill phish.
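Scoping the campaign and blocking the lure, as JustifiedSimplicity, Commercial_Growth343 and Public_Cicada_6228 describe above, as an added example. Editor's code, not from the thread; it assumes the ExchangeOnlineManagement module and Security Administrator rights. The sender address and URL are placeholders on reserved example domains, to be replaced with the values from the reported message.

```powershell
# Added example, not from the thread: who else got the phish, then block it.
# Assumptions: ExchangeOnlineManagement module; $Sender and $Url are placeholders.
param(
    [string]$Sender = 'invoices@billing-portal.example.net',
    [string]$Url    = 'https://login-m365.example.org/common/oauth2/authorize'
)
Connect-ExchangeOnline -ShowBanner:$false

# 1. Everyone the sender reached in the last 7 days. Message trace keeps 10 days
#    (use a historical search beyond that) and returns at most 5000 rows per page.
$end = Get-Date; $start = $end.AddDays(-7)
$hits = @(); $page = 1
do {
    $batch = @(Get-MessageTrace -SenderAddress $Sender -StartDate $start -EndDate $end `
                                -PageSize 5000 -Page $page)
    $hits += $batch
    $page++
} while ($batch.Count -eq 5000)
$hits | Sort-Object Received |
    Select-Object Received, RecipientAddress, Subject, Status | Format-Table -AutoSize

# 2. Block the lure host and the sender domain tenant-wide via the EOP / Defender
#    for Office 365 tenant allow/block list. "host/*" covers path variants.
$lureHost     = ([uri]$Url).Host
$senderDomain = $Sender.Split('@')[1]
New-TenantAllowBlockListItems -ListType Url    -Entries "$lureHost/*" -Block -NoExpiration -Notes 'Phish case: lure host'
New-TenantAllowBlockListItems -ListType Sender -Entries $senderDomain -Block -NoExpiration -Notes 'Phish case: sender domain'

# 3. Delivered recipients are the list to run the per-account checks against.
$victims = @($hits | Where-Object Status -eq 'Delivered' |
    Select-Object -ExpandProperty RecipientAddress -Unique)
"Delivered to $($victims.Count) mailbox(es):"
$victims
```

Blocking the sender domain is only safe when it is attacker-controlled; if the phish came from a compromised partner mailbox at a real domain, block the individual address instead so legitimate mail keeps flowing.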
patmorgan235@reddit
If you can nuke the workstation and reimage it.
You also want to check for any newly created inbox rules.
Sergeant_Fred_Colon@reddit
If the user has clicked on a dodgy link, then Barracuda safe link should pick it up and block it. If not, the web filter should pick it up and block it.
Accounts are behind 2fa and region lockouts.
In the unlikely event an account is actually compromised, check logs on Identity etc. and reset the user's accounts, make the user go through reporting a potential GDPR breach.
thortgot@reddit
Geo IP blocking only stops the absolute bottom of the barrel of criminal. Modern Evilginx2 attacks incorporate proxy reflection that makes the connection come from your country.
Safe links will pick up known problem domains, if you are getting targeted they will generally craft a domain just for you.
contoso.com might have cont0so.com registered for a few months with legitimate traffic going back and forth to "validate" it as a real website. When the attack is ready to trigger after passing "new domain" thresholds, they will simply clone your website.
Using something like https://www.canarytokens.org/ to identify website clones will pick up more incidents than you expect.
The answer is to use phishing resistant creds.
Proof-Variation7005@reddit
Trimmed the fat out a little. Even still, I'd maybe cut this list down if the user clicked but never tried to log into anything.
That and just a quick refresher via email (pre-written) about what happened that gets sent over so they can't say "Nobody told me" later .
neko_whippet@reddit
im also in the burn the witch side :P
11524@reddit
Old yeller the user, step one.
Tools are in the locked shed out back.
joeytwobastards@reddit
Also check your web proxy and see what sites they tried to hit, and block if necessary
fieroloki@reddit
2fa?
3tek@reddit
The session tokens can get hijacked if the phishing site has Evilginx running.
SilentSamurai@reddit
Ran through this more times than I care to remember: https://learn.microsoft.com/en-us/defender-office-365/responding-to-a-compromised-email-account