User has clicked phishing mail. How do you act?
Posted by w_wizard@reddit | sysadmin | 136 comments
For context: I'm pretty early in my career and work at the helpdesk in a company with 5000+ employees.
Every now and then somebody calls us or rushes to our door and screams in panic that they have clicked a phishing mail.
My go-to actions have been these:
Disconnect the computer from the company network. Put the computer in airplane mode and plug in the charger.
After that, reset the password in AD and revoke sessions in Entra ID.
After this I usually start an MS Defender full scan.
Meanwhile I check the message trace in the M365 Admin Center to see if this same sender managed to spread this mail to other users too.
After that I check the Azure sign-in logs for suspicious login attempts.
After the scan is complete and nothing is found, I am instructed to give the computer back to the user.
If something is found I let Defender clean it and run a new scan to double check. I guess if there were still something I would reinstall the whole machine.
I have let my senior colleagues know that this kind of incident has happened and they seem very pleased and just carry on with their day.
What troubles me is: is MS Defender actually good enough to spot all the possible bugs?
What is your way of making sure that the computer is ready and safe to give back to the user?
Sometimes I have also given a spare computer to the user while I work on their computer.
Also I have been wondering: is there a possibility that if I restore the user's data from OneDrive, the "bug" could "jump" from computer A to computer B using OneDrive? Is this just being paranoid or a possible scenario?
I know that we have an external vendor who is also monitoring our systems and computers, and we have some kind of EDR software installed on all computers, but I don't know the ins and outs of how these work.
Thanks for all the answers! I'm just curious to learn how to handle these kinds of situations, and I guess we are not the only company that has sloppy users that fat-finger now and then.
thortgot@reddit
The actual damage being done is very rarely on the endpoint; what they are primarily after is the theft of a session token.
Azure Sign In Logs will not always show suspicious activity.
Assuming you aren't using phishing resistant credentials.
Revoke all MFA sessions for the user
Force user credential change (the password can be leaked whether the user says they typed it in or not).
Look at the actual endpoint for potential infection (99.99% of the time there won't be anything but that doesn't mean you shouldn't check).
If you are going to wipe the device TAKE A BACKUP FIRST. Way too many people are advocating for removing all the actual information about the breach without doing any info gathering.
xtheory@reddit
Cyber engineer here. Just to add to that, once I've destroyed all of the tokens on the workstation/laptop in question and have removed any sensitive company data including LSASS stores, I'll reconnect it to an isolated network with internet access with wireshark running to capture what outbound connections it's making and see if they match any known C2 servers that a threat actor could be operating. I note that and then do a search of network traffic logs to see if there's any other endpoints on my network communicating with those IPs. On occasion there could be a zero-day vulnerability along with a ransomware payload that could've been downloaded as part of the phish that could propagate across the network. God forbid if there's a high-sev RCE involved. If so I want to know what other systems I need to take offline for sanitization.
harbinger-nz@reddit
Or, redeploy OS from your favorite device management platform. As an engineer for a large MSP in my city, I carry a standard base image that can be quickly blown on to any major vendor hardware (Dell, HP, Lenovo etc) in about 10 minutes, then configure onto their local domain, or 365 tenancy.
We have automation set up for clients that subscribe to that service, but for the clients that can't afford that, this is the best option for a full recovery with absolute guarantee it's clean.
I usually invoice 1.5 to 2 hours when setting up on workbench away from client site, and that's effectively only 30 minutes of actual work. The rest is gravy time for us MSP folk who have timesheets.
I thought 2 hours was pretty fair and represented value to client, especially after hearing from one client their previous MSP charged 6 hours for a user account setup.
Accomplished_Sir_660@reddit
This is why no one should ever trust an MSP. "I usually invoice 1.5 to 2 hours when setting up on workbench away from client site, and that's effectively only 30 minutes of actual work. The rest is gravy time for us MSP folk who have timesheets."
So it's okay to pad your timesheet on the customer's dollar? You're nothing but a thief.
harbinger-nz@reddit
Wow, salty much, tell me you've never worked MSP without saying you've not worked MSP.
Accomplished_Sir_660@reddit
You should be arrested. Your loyalty is to your customers, but you're too worried about padding your paycheck. You are the reason MSPs will never survive. Go to prison, thief.
MBILC@reddit
You are spending your time waiting for Windows to install, then doing whatever other work; that is YOUR time required to be at the client to do the recovery.
Every industry does this, with min hourly rates for X work especially if travel time is included in that.
harbinger-nz@reddit
Where I work here in NZ, we charge $150/hr for office-based MSP support and $185/hr for on-site support. I worked in MSPs here 10 years ago that were charging these same prices, so in effect it's proving our rates are very reasonable against 2014 pricing.
I personally try for 6 billable hours a day (including our AYCE clients) to justify my existence as an employee, with the full reality being out of those 6 hours:
3 hours pays for my daily wages. I got bills to pay. Bloody 7.2% interest rate on my mortgage.
1.5 hours pays for the staff not generating income - The book keeper, the procurement team, the cleaner, the receptionist.
1 hour pays for the company vehicle, fuel card, insurances on that, as well as the business liability insurance stuff.
0.5 hours is left over for the boss to make a profit, to you know, keep employing me.
xtheory@reddit
I think you might have missed my point. Of course reimage the compromised system after having done your post-mortem and investigation, but preserving it, sanitizing sensitive data, and then reconnecting it to the internet outside of your corporate LAN gives you the opportunity of gathering IOCs to look for on your network and other connected devices that could've also been compromised.
Crafty_Individual_47@reddit
Must be fun to have a pile of hundreds of laptops waiting to be checked.
xtheory@reddit
I can usually avoid having to do that by running queries against traffic logs via our IDR SIEM or by going through Splunk that pulls traffic logs into Splunk from the edge firewalls and routers. I’ve built a lot of automation to make it super efficient.
Crafty_Individual_47@reddit
If it is a 0-day I can ensure there will be connections to "known C2 servers". Way too much work for a user clicking on a link that can happen 100x a day. Reimage and move on.
xtheory@reddit
There’s usually some telltale signs whether something is a C2 server even if it’s not known. The age of the domain and its registered owner is one. A 0-day will usually be pretty brand new. There will also be evidence of payloads in the tcpdump if it’s not TLS encrypted, or if it is encrypted the certs used are from a private CA or a free CA like Let's Encrypt that was just recently issued. You might also see evidence of data exfiltration via suspicious DNS requests and TXT records with md5 encoding. The traffic might also be heading to a foreign country like Russia, China, Iran, etc. There’s plenty of tools you can use to parse through them fast like Brim/Zui and apply Suricata filter queries to flag traffic that’s worth further scrutiny.
Ultimately, it comes down to your company’s resources for time spent following up with incident response and their acceptable level of risk. But if you’re one of those orgs that have been hit with ransomware, you know how critical and valuable it can be to have either an in-house or contracted SOC to deal with these cases and ensure that a compromise doesn’t spread out of control. Ideally you’ll have a decent IDS/IPS, best practices in place to prevent credentials from being stolen and prevent unauthorized access attempts, and EDR that uses more than just signature based detection.
Crafty_Individual_47@reddit
0-days are likely used in targeted attacks that render most traditional detection methods irrelevant, i.e. relying on Suricata or Snort logs that are based on known signatures does not really detect anything.
xtheory@reddit
Correct, which is why I said you can’t rely on EDR that is purely signature based. Though 0-days are usually used for initial exploitation, the methods of payload delivery once privilege escalation is established, or call backs to a C2, don’t usually change that much. It’s not too difficult to identify a suspicious outbound SSH or reverse shell via netcat or meterpreter if you know what to look for. Unusual POSTs and GETs when there are no open browsers, or odd browser agents being used in HTTP/S traffic, is a known canary to watch for. Suricata/Snort/Wireshark can be used with ease with the right queries to identify that in a mountain of packet caps.
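As an added example, not from xtheory or anyone else in the thread: a PowerShell triage pass that scores outbound-connection records against the telltale signs listed in the two comments above (newly registered domain, freshly issued certificate from a free or private CA, DNS TXT queries carrying a long hex label, a browser-style User-Agent sent by a non-browser process, a destination in a watch-list country). The sample rows, field names, CA list, watch-list countries and every threshold are assumptions constructed for illustration; real rows would come from a firewall or Zeek export with DomainCreated filled in from a WHOIS lookup.

```powershell
# Added example, not from the thread. Scores constructed outbound-connection records against the
# telltale signs described above. Thresholds, field names and the sample rows are assumptions;
# real rows would come from a firewall/Zeek export, with DomainCreated filled from a WHOIS lookup.
$Browsers        = @('msedge.exe', 'chrome.exe', 'firefox.exe')
$FreeOrPrivateCa = @('Let''s Encrypt', 'ZeroSSL', 'Private CA')   # issuer substrings worth a second look
$WatchCountries  = @('RU', 'CN', 'IR')                             # set per org; assumption for the demo

# Constructed sample: one legitimate Microsoft login, one suspicious callback from rundll32.exe,
# one DNS TXT query with a long hex label, one legitimate Outlook session, and one legitimate
# Let's Encrypt site (old domain, old cert) that should NOT score.
$sampleConnections = @'
Timestamp,Process,DestHost,DestIp,Country,Port,Protocol,CertIssuer,CertNotBefore,DomainCreated,UserAgent,DnsQueryType,DnsQueryName
2024-05-02T09:14:03Z,msedge.exe,login.microsoftonline.com,20.190.160.5,US,443,tls,Microsoft Azure RSA TLS Issuing CA 03,2024-02-10,1991-05-02,,,
2024-05-02T09:14:20Z,rundll32.exe,cdn-metrics-sync.xyz,203.0.113.45,RU,443,tls,Let's Encrypt R3,2024-04-30,2024-04-28,Mozilla/5.0 (Windows NT 10.0) Chrome/99.0,,
2024-05-02T09:15:01Z,powershell.exe,,198.51.100.7,NL,53,dns,,,,,TXT,a3f9c1d2e4b5f6a7b8c9d0e1f2a3b4c5d6e7f8a9.cdn-metrics-sync.xyz
2024-05-02T09:16:11Z,outlook.exe,outlook.office365.com,52.96.166.2,US,443,tls,DigiCert Cloud Services CA-1,2023-11-01,1997-05-30,,,
2024-05-02T09:17:45Z,chrome.exe,vendor-blog.example,192.0.2.80,DE,443,tls,Let's Encrypt R3,2024-03-20,2019-06-11,,,
'@

function Get-OutboundRiskScore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Conn,
        [datetime] $Now = '2024-05-02T10:00:00Z'    # fixed so the constructed sample scores the same every run
    )
    process {
        $score   = 0
        $reasons = [System.Collections.Generic.List[string]]::new()

        # Domain age: a callback domain registered days ago is the strongest single signal listed.
        if ($Conn.DomainCreated) {
            $ageDays = [int]($Now - [datetime]$Conn.DomainCreated).TotalDays
            if ($ageDays -lt 30) { $score += 3; $reasons.Add("domain registered $ageDays days ago") }
        }
        # Certificate: a free/private CA alone is normal; free/private CA AND issued this week is not.
        if ($Conn.CertIssuer -and $Conn.CertNotBefore) {
            $certDays = [int]($Now - [datetime]$Conn.CertNotBefore).TotalDays
            $cheapCa  = $FreeOrPrivateCa | Where-Object { $Conn.CertIssuer -like "*$_*" }
            if ($cheapCa -and $certDays -lt 7) { $score += 2; $reasons.Add("cert from $($Conn.CertIssuer) issued $certDays days ago") }
        }
        # DNS: TXT queries whose first label is long and hex-like are how data leaves over DNS.
        if ($Conn.Protocol -eq 'dns' -and $Conn.DnsQueryType -eq 'TXT') {
            $label = ($Conn.DnsQueryName -split '\.')[0]
            if ($label.Length -ge 30 -and $label -match '^[0-9a-f]+$') { $score += 3; $reasons.Add("TXT query with $($label.Length)-char hex label") }
        }
        # HTTP with a browser-style User-Agent from a process that is not a browser.
        if ($Conn.UserAgent -and ($Browsers -notcontains $Conn.Process)) {
            $score += 2; $reasons.Add("browser user agent sent by $($Conn.Process)")
        }
        # Geography is weak on its own, so it only adds one point.
        if ($WatchCountries -contains $Conn.Country) { $score += 1; $reasons.Add("destination in $($Conn.Country)") }

        [pscustomobject]@{
            Timestamp   = $Conn.Timestamp
            Process     = $Conn.Process
            Destination = @($Conn.DestHost, $Conn.DestIp) | Where-Object { $_ } | Select-Object -First 1
            Score       = $score
            Reasons     = $reasons -join '; '
        }
    }
}

# Anything scoring 3 or more gets its destination hunted across the rest of the traffic logs.
$sampleConnections | ConvertFrom-Csv | Get-OutboundRiskScore |
    Sort-Object Score -Descending | Format-Table Timestamp, Process, Destination, Score, Reasons -AutoSize
```

With the constructed rows, the rundll32.exe callback scores on all of domain age, fresh free-CA cert, user agent and country, the TXT query scores on the label alone, and the legitimate Let's Encrypt site scores nothing because its domain and certificate are both old.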
babywhiz@reddit
I'm like, we also just take the hard drive out. I remember a few that used to persist on the hard drive back in the day. Quicker to getting the user up and running.
xtheory@reddit
There have been a few instances of UEFI malware that can persist even after a complete drop of all partitions and reformatting that are undetectable by EDR solutions, like MoonBounce and LoJax. If you're making sure to keep firmware updated and there are no zero-days affecting firmware on your devices, you should be fine. For high-security environments it's very customary to remove and destroy the hard drive and in some cases even motherboards of affected devices.
yankeesfan01x@reddit
https://learn.microsoft.com/en-us/defender-office-365/responding-to-a-compromised-email-account?view=o365-worldwide
Visible_Spare2251@reddit
This is good. In my (limited) experience, step 1 is the most important these days with AiTM and Business Email Compromise attacks.
And I like point 4. There was a thread on here the other day where a sales person got caught out and had his laptop wiped and everyone here seemed to take so much joy in the fact he lost all of his files without warning.
cliffspooner@reddit
This is the answer.
MBILC@reddit
Nuke it from orbit...
You can never 100% know, and no single tool can 100% protect you, why security is a layered approach.
There is always a risk acceptance. Some have the luxury of having spare systems on hand to swap out to said user, others do not.
A phishing email, depends what the payload was, was it simple data theft to collect login info? Or was it an info-stealer that had the user install something, or go to a site that required java to load a payload or something?
Question is then, what are you using for email protection that let said phishing email get past or not flag it?
jl9816@reddit
Yes. Nuke it.
If they clicked on a phishing link they can wait for the PC to be reimaged....
e358c878@reddit
This is beyond wrong. It's a fucking link. What shitty world do you live in that you're getting popped by 0day JavaScript breaking out of a Chrome sandbox?
You need to understand actual threats and threat models.
MBILC@reddit
Phishing can lead to info-stealers, no 0day needed (this goes down rabbit holes of why users have enough permissions to let things like this even run, but that's a whole other convo around security)
e358c878@reddit
You have no idea what you're talking about. Every comment you made is word salad.
Give an actual threat and an actual vulnerability, or shut the fuck up with your "info-stealer" nonsense.
babywhiz@reddit
You must be too young to remember a time when things were a lot more complicated.
e358c878@reddit
What the fuck does old vulnerabilities and threat models have to do with right now? Yes, things were worse. It's better now! Update your knowledge!
babywhiz@reddit
There is a great article in the Summer edition of 2600 “How the Mighty Have Fallen”. Good read, for everyone.
MBILC@reddit
So true... it is like C suites who see a score from Rapid7 that is high and think they are open to every attack in the world, so drop everything and patch!
Meanwhile said threat requires someone to physically be standing at the device, have X tool, a local admin account and be a half moon on the 3rd Tuesday of snowy night by someone with a name that starts with Q.
montarion@reddit
This. invalidate sessions, reset a password, and be done with it..
SinoKast@reddit
I agree, cost of doing business.
Competitive-Dog-4207@reddit
Do you guys just do a standard windows installation media reinstall and wipe everything?
SinoKast@reddit
Usually toss the hard drive, replace it and load an image. Sometimes toss the whole unit if it's old enough and image a more recent workstation.
e358c878@reddit
lmao, you do all of that for clicking a link? I suggest you learn some security basics
jl9816@reddit
User clicking on phishing links. Don't know what they downloaded and executed. The forensics to make sure it's safe vs time for reimage....
e358c878@reddit
Phishing is an attempt to gain credentials, not distribute malware. These are different threats with different controls.
You need to prevent users from installing random software from the internet. You don't need to nuke a machine because they clicked a link to a fake MS login page.
MBILC@reddit
Phishing can be used to do many things; phishing is used to deliver info-stealers, or just to get people to enter accounts/passwords/personal data. There is no set rule that "Phishing is only used to collect creds via fake login sites".
https://flare.io/learn/resources/blog/redline-stealer-malware/
krazul88@reddit
@SinoKast, what happens to the drives you "toss" ??
SinoKast@reddit
We have a bin for such things that gets picked up yearly by a bonded ewaste company for destruction, among other electronics that have special disposal needs.
SinoKast@reddit
And yes, we have a key and the company has a key. Also always under surveillance. I work in the casino industry, highly regulated on that front.
ie-sudoroot@reddit
And no internet access for a month except for some training access.
spaetzelspiff@reddit
Nuke the user from orbit, then deal with the device.
MBILC@reddit
I feel this method would solve more problems long term :D
imnotaero@reddit
If you nuke the computer of every person who reports having clicked a phishing email, you will discover that people will not report to you when they've clicked a phishing email.
When people self-report, you should thank them and bend over backwards to do everything to make the experience painless. The best way to do that is to have what you need in place to determine with acceptable confidence the intent of the attack and what was done.
Ensure you can collect evidence, and nuke the machine only if the evidence supports the approach. Be apologetic about it.
MBILC@reddit
Agree, you need to build the trust so people are open to reporting this, and be overly cautious. But for the companies that can, deploying a new device with Entra ID should be painless: they literally log in and everything is synced and installed and done (pending what products they have).
Obviously not possible for all companies or all situations, but trying to get to that point where you could swap a users device and they basically do not even notice, how easy IT life would be right.
capetownboy@reddit
100000% this
SensitiveFirefly@reddit
This is the correct answer.
jam-and-Tea@reddit
Ug I hate this but you are so right.
krazul88@reddit
This is the intelligent approach to long term survival.
KindlyGetMeGiftCards@reddit
This is why we upgraded to Macs, they are 100% hack proof, just ask any Mac user, they will tell you, and keep telling you, then keep telling you how awesome and secure it is.
We did have to increase the computer budget by 1,000,000% to accommodate the hardware changes and refresh after every apple announcement to reduce fomo.
Hmmmm, looking at the price of a new Mac and a slightly used nuke, it may be cheaper to go with a nuke. Well, I'm off to the accounting department to crunch some numbers.
awit7317@reddit
Just watch out for those vegan Mac users that do CrossFit.
MBILC@reddit
and who cycle to work (on the road and not the bike lane)
KindlyGetMeGiftCards@reddit
Dang, you said the V word, now they are going to come out of the woodworks, you know because wood is better for the environmental footprint for numerous reasons, then they will proceed to tell you about the reasons, in detail.
MBILC@reddit
LOL! Sadly so many people believe the "Apple products are hack proof!"
Kuipyr@reddit
We've upgraded to carrier pigeons and haven't had an incident since.
jam-and-Tea@reddit
upgrading to clay tablets but now we don't have enough storage space.
Cmd-Line-Interface@reddit
Why would any org allow non-admin users to install software? The policy should be reviewed if so.
MBILC@reddit
Many orgs do, still to this day. Not every org has the tools in place to do proper App control / blocking / allowing.
You then do have departments, while it can be worked around, that can often require admin rights due to specific, poorly coded, apps they use which require Admin rights to run because they rely on system files (they should not)
There are def plenty of ways around this these days; it's just that companies either do not want to spend the funds on those tools to license, or the skills to implement and manage it.
saturatie@reddit
No security tool can catch everything. Some will still slip through.
Commercial_Growth343@reddit
Clicking on a phishing email usually doesn't mean they were hacked. In most cases you have to actually type your password - that is the whole idea of a phish. So if the user did not do that, I would not panic. But I would look at the phish email, make sure I submitted it to my phishing filter provider. I would see if I can do anything else that might stop others from clicking on it, such as reporting the URL to Microsoft and Google. Your firewall vendor may also have a submission page for URLs. I might block the domain the phish came from. I might block the domain in the URL as well - depending on what it is.
GolfballDM@reddit
I wouldn't assume that the user is telling the truth about entering (or not) their credentials to a phishing site.
montarion@reddit
Do you not trust your users?
Maybe it helps that I've only worked at smaller companies
MBILC@reddit
Always assume the worst; end users are not always forward about things. How often have you heard "but I didn't change anything" when something stops working..
montarion@reddit
literally not once, guess I am lucky.
I have had people come to me with "hey I'm stupid and I dropped my laptop, on this corner, from this height. I got this laptop at that date, so I thiiiink I was due a replacement anyway?" (with their best smile)
This was while we were at a company outing, on a weekend where this employee was going to work extra so I doubt it was on purpose.
I've also had "hey this isn't working when I tried at [time], I already tried x, y, and z. Asked around to the last person who had this, so also tried x2. Anything else I could do?"
Gah I miss that job. The users were extremely well trained in 0th line troubleshooting.
MBILC@reddit
Definitely lucky, this could be because you have been able to foster a great relationship with your users (I had this way back in one of my first IT jobs). People are comfortable with you and have no issue being direct, but that is more an exception than the rule in most companies.
GolfballDM@reddit
If getting fired for a phishing phuckup is a possibility, then at most, trust but verify. Otherwise, assume their credentials are breached.
malikto44@reddit
There are degrees of interacting with a phishing email. The first is selecting to show pictures, which will ensure the phishing site knows the email address is valid, since someone clicked on it. Then a visit to the site, up to and including entering credentials. Even if credentials are not entered, tokens can be snarfed. At a previous MSP, I started using KnowBe4, and what a user tells me they did with a phishing email is completely different than what the results were in some cases. For example a user telling me they "just clicked" on it, when the report shows they gave all their details.
Frothyleet@reddit
Technical advice aside, it's very concerning if you are a Jr at an employer of that size and there is not an explicit incident response plan for you to follow. Responding to security issues is not something that should be winged, or just figured out, even if you are very skilled.
ThimMerrilyn@reddit
Summary execution.
brye333@reddit
In addition to what others have said
Check their email rules, a very common thing people miss. Do it from the web; the desktop client doesn't always show all rules.
Flabbergasted98@reddit
I'd usually have the user delete their browsing data, cookies and cache.
It keeps weird popups from showing up later on, and punishes them just enough for their actions that they might be more careful about it next time. Or just hide it from me, one of the two.
SinoKast@reddit
This is why managed security awareness is worth its weight in gold. I implemented MSA through Arctic Wolf and it's given me a lot of insights on who the problem employees are, which then helps me train them.... as much as half the time it doesn't help.
BiddlyBongBong@reddit
Really enjoying Arctic Wolf as my cyber security platform. The concierge team for the MDR are fantastic
asedlfkh20h38fhl2k3f@reddit
What's their pricing like?
BiddlyBongBong@reddit
Depends on how many modules you opt in to and your total users (accounts) endpoints and servers
SinoKast@reddit
Yup, very hard to beat!
KairuConut@reddit
Fire them
teksean@reddit
Well, berating them should be top of the list. 😁
swedishhungover@reddit
Do not shame the user but make it a positive experience that they alerted you early, and that thanks to prompt action the user prevented a disaster from happening (even if it may not be true). Hopefully the user will share their experience and make sure nobody tries to hide potential phishing failures in the future.
mchetherington@reddit
To add to above, login to OWA and Outlook desktop and ensure no email rules have been applied that aren’t normal/expected.
NormalImpression219@reddit
Aaah, finally. Was looking for this comment as I was about to post the same.
iamLisppy@reddit
Too slow, use the PowerShell cmdlets in this instead: "Former Calendar Delegate still receives meeting notifications". Yes, this talks about calendar stuff, but it shows you how to check for hidden rules and forwarding rules as well and how to clear them out.
MadNax@reddit
I also purge any and all traces of the phishing e-mail from any mailbox it reached.
https://learn.microsoft.com/en-us/purview/ediscovery-search-for-and-delete-email-messages
therealyellowranger@reddit
Here's a PowerShell script that we use to help remediate accounts
O365-InvestigationTooling/RemediateBreachedAccount.ps1 at master · OfficeDev/O365-InvestigationTooling · GitHub
A bit dated but still relevant. Might need to modify and remove some sections such as the MFA and password complexity.
This_guy_works@reddit
A lot of it is context. What was the link that was clicked, and what did it do? Changing a password is always a good idea, but did the link ask for credentials? Did it look like it ran a program? Did it just go to a shitty fake website asking for money? Was the web browser hijacked?
Best thing to do is determine the potential risk, then take proper action. A full system scan is also good - check for any programs or processes that shouldn't be running. Check for any strange behavior. Verify it wasn't a phishing test email and that it was an actual malicious link.
fk067@reddit
First of all, you are doing great work, even at an early stage of your career. Usually experienced admins or InfoSec peeps are supposed to create a what-to or how-to guide and provide it to support/service/help desk teams, so that responses are unified and uniform. Secondly, it's important to understand or gauge the purpose of the "phishing link". Is it for credential harvesting? Which actually means that the user clicks on the link and they are presented with a look-alike page and are required to put their corporate or some other credentials into it.
Or is it an info stealer link that silently steals session cookies and logged-in credentials of that user?
Or is it a phishing link that downloads a malicious payload onto the endpoint? Now there is an advanced persistent threat on the computer which can steal everything and even encrypt the computer.
Windows Defender in full ATP mode is pretty good, especially if you have access to the backend of the system where you can see what actually happened on the endpoint for every nanosecond of activity. "User clicked this link, it launched a process, it redirected the user to a new link, that downloaded something on the computer" kind of detail can be seen from the backend of the Defender portal.
What you need to understand or to get is to find all the protections that are available on the endpoint, and then build yourself up from there. You may need to look into many tools or portals to figure this out. Also, resetting the user's corporate password and resetting their active sessions is always a good thing. But what if this link was an info stealer? What if the user's banking creds are now gone, or their personal email account creds are now gone? You see, phishing links have different purposes. Also, knowing how the user got the phishing link is sometimes important as well, e.g. did the phishing link arrive through corporate email? Or was it through personal email, or was the link found on general browsing or a social media forward, etc.? All these things play a role in hunting down phishing links and the actions that need to be taken after a user clicks the link.
SldgeHammr@reddit
Tell them they've lost mouse privilege's and take it away. Tell them they'll get it back once they've learned their lesson.
coak3333@reddit
I was going to say, a quick karate chop to the back of the neck. Realising now that is too humane.
cubic_sq@reddit
For us…
isolate user devices, pending full wipe and reinstall
checklist of 43 items (current number)
disk image user device if required - then wipe and reinstall
We have found full wipe and reinstalls to be more effective in getting users to remember to not click….
Vinny376@reddit
Remote into their PC, make them think they're being hacked, make them afraid to click anything without reading.
DominusDraco@reddit
I dont care if they click on a phishing link, I care if they entered their credentials.
Isolating the endpoint is a waste of time; it's a phishing attack, not a virus.
- Reset their password.
- Force sign out of any sessions.
- Check the registered MFA devices; the first thing they usually do is register their own MFA device to regain access later.
- Check that no mail has been sent or forwarding has been set up.
JustifiedSimplicity@reddit
This plus:
If it was a large campaign and you have a solid SWG in play, run the url through a search to see if anyone else clicked the link and wash rinse repeat the first steps as needed with additional victims.
Or you know, nuke it, piss off the end-user, diminish the confidence of the business in IT’s ability to act rationally and pat yourself on the back for “keeping the business secure”
Awkward_Not_@reddit
This. I like to get the email myself during this too and do a quick 5 minute investigation to see if I need to go any further and bother with the machine (which is rare).
Run the .eml file through PhishTool and see what it picks up. Run the links through urlscan to verify what the user may have seen and/or did. Run attachments through Joe Sandbox and see if it has any "malicious payloads" hidden in there.
But 90% of the time, it's just a fake Microsoft sign-in page or a pdf with a QR code in it.
e358c878@reddit
You are the only knowledgeable person in here. It's wild, the people living in the 90s that think they're getting popped by ActiveX RCE....
WheredMyMindGo@reddit
What everyone else said plus report it to HR. Their management needs to reinforce training or write ups.
DeadbeatHoneyBadger@reddit
Check inbox rules. Usually there's something added there when a user gets compromised.
No_Resolution_9252@reddit
You seem to be focusing on the desktop instead of the damage. The damage malware does now, isn't so much on the endpoint, but on the loss of data/credentials/etc.
Cycl_ps@reddit
Don't forget to check for any new app registrations on the account. Attackers have been using email app connections to get some persistence on the account, creating mailbox backups and sending out email blasts to push the phish further. Do a search for PERFECTDATA and you should find some writeups on it.
LordFalconis@reddit
As MBILC said, nuke it. Just went through this but on a phone. You do not know how buried the payload is or if it will self-install again. Back in the early 2000s I had a coworker whose son got a virus; I found one file like 12 folders down. Even after I thought I cleared it off, it reinstalled itself. Wiped the machine and reinstalled Windows, then all was good.
Check your message logs for anomalies and check if any rules were created in the users account. When I did this I found a rule named "." which was hiding emails as part of the scam.
e358c878@reddit
Everything you said is nonsense. There is no "buried payload" executing in a sandboxed browser and infecting a machine, short of some unpatched RCE or unknown 0day. Which, if you have that, you're fucked anyway.
You need to update your knowledge past the year 2000.....
10gistic@reddit
I appreciate some voice of reason in here. There are some real r/masterhacker vibes in these responses. PhishMe et al. are a major harm to real security IMO and their marketing is doing their best to convince people who don't know better that the threats from phishing outside a national security context are significantly worse than they really are.
vzeroplus@reddit
I would be more concerned that a 5k+ org doesn't have a defined process/toolset for this already.
hops_on_hops@reddit
Believe it or not, jail.
ShakeEnBake@reddit
They put the wrong password?
JAIL.
BlameDNS_@reddit
You take away their computer and give them a wooden computer instead. If they fall for another phishing email, take away the wooden computer and give them a rape whistle.
unavoidablefate@reddit
Don't forget the mandatory cyber security training enrollment.
Sensitive_Papaya_723@reddit
make sure to check in Outlook for any new rules like forward email and delete old email
godspeedfx@reddit
If endpoint security didn't flag anything, we just revoke login sessions and MFA sessions and require re-registering MFA. We're passwordless so nothing to do with that. Investigate the email / user account for forwarding, evaluate if it went out to / was clicked by anyone else, and give them the same treatment. Investigating with Defender for 365 is pretty automated.
If endpoint security flagged something, isolate machine and investigate exposure, then re-evaluate after findings. If no other exposure, wipe and restore w/ Autopilot and have a nice day. If spread, order pizza for the team and buckle up.
If it's actually just "phishing" and not malware, they only want a session / MFA token so they can use the account for social engineering. If they don't use the account to spread the attack, a simple session / MFA revoke, MFA reset, and password reset if you use them is sufficient.
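An added example, not code from the thread or from any of the posters: a PowerShell triage function that performs the account-side checks OP, thortgot, DominusDraco, Cycl_ps and godspeedfx describe (inbox rules including hidden ones, mailbox forwarding, registered MFA methods, OAuth app consents, recent sign-ins grouped by source IP, and a message trace to see who else the phish reached), with session revocation and rule disabling behind an explicit -Remediate switch so evidence is captured before anything changes. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that Connect-MgGraph and Connect-ExchangeOnline have already been run with sufficient rights; the function and parameter names, the flagging heuristics and the placeholder addresses are my own.

```powershell
# Added example, not from the thread or any poster. Read-only by default: it returns findings and
# changes nothing unless -Remediate is given. Assumes Connect-MgGraph (scopes User.ReadWrite.All,
# AuditLog.Read.All, Directory.Read.All, UserAuthenticationMethod.Read.All) and
# Connect-ExchangeOnline were already run. Function and parameter names are my own.
function Invoke-PhishedAccountTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $PhishSenderAddress,                       # optional From: address of the phish
        [ValidateRange(1, 10)] [int] $LookbackDays = 7,     # Get-MessageTrace reaches back 10 days at most
        [switch] $Remediate                                 # revoke sessions / disable rules only when set
    )

    $since    = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime()
    $sinceIso = $since.ToString('yyyy-MM-ddTHH:mm:ssZ')
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Inbox rules, hidden ones included. Attackers add rules with throwaway names (one poster
    #    found a rule literally named ".") that delete mail or forward it out of the tenant.
    foreach ($r in Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden) {
        $targets = @($r.ForwardTo, $r.ForwardAsAttachmentTo, $r.RedirectTo | ForEach-Object { $_ } | Where-Object { $_ })
        $suspect = ($targets.Count -gt 0) -or $r.DeleteMessage -or ($r.Name.Trim().Length -le 2)
        if ($suspect) {
            $findings.Add("Inbox rule '$($r.Name)' enabled=$($r.Enabled): $($r.Description -replace '\s+', ' ')")
            # Changing rules from PowerShell can drop Outlook client-only rules; warn the user first.
            if ($Remediate) { $r | Disable-InboxRule -Confirm:$false }
        }
    }

    # 2. Mailbox-level forwarding is set outside inbox rules and is just as common.
    $mbx = Get-Mailbox -Identity $UserPrincipalName
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        $findings.Add("Mailbox forwarding to: $($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)")
        if ($Remediate) {
            Set-Mailbox -Identity $UserPrincipalName -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
        }
    }

    # 3. Registered authentication methods: a phone or Authenticator app the user does not
    #    recognise is the attacker's way back in after the password is changed. Listed, not
    #    removed, because only the user can say which ones are theirs.
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $UserPrincipalName) {
        $type = $m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        if ($type -eq 'passwordAuthenticationMethod') { continue }
        $label = @($m.AdditionalProperties['phoneNumber'], $m.AdditionalProperties['displayName'],
                   $m.AdditionalProperties['emailAddress']) | Where-Object { $_ } | Select-Object -First 1
        $findings.Add("Auth method $type '$label' (id $($m.Id)): confirm with the user")
    }

    # 4. OAuth consents survive a password reset and session revocation, so list them separately.
    #    Remove a confirmed-malicious one with Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <id>.
    foreach ($g in Get-MgUserOauth2PermissionGrant -UserId $UserPrincipalName) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
        $findings.Add("App consent '$($sp.DisplayName)' (appId $($sp.AppId)) scope '$($g.Scope)' grant $($g.Id)")
    }

    # 5. Sign-ins in the window grouped by source IP: with AiTM phishing the stolen session shows up
    #    as a success from an IP/country the user has never used. Nothing odd here proves nothing,
    #    so treat the output as a starting point, not a verdict.
    $filter = "userPrincipalName eq '$($UserPrincipalName.ToLower())' and createdDateTime ge $sinceIso"
    foreach ($grp in (Get-MgAuditLogSignIn -Filter $filter -All | Group-Object IpAddress)) {
        $first = $grp.Group | Sort-Object CreatedDateTime | Select-Object -First 1
        $ok    = @($grp.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        $apps  = ($grp.Group | ForEach-Object { $_.AppDisplayName } | Sort-Object -Unique) -join ', '
        $where = "$($first.Location.City), $($first.Location.CountryOrRegion)"
        $findings.Add("Sign-ins from $($grp.Name) [$where]: $($grp.Count) total, $ok successful, first $($first.CreatedDateTime.ToString('u')), apps: $apps")
    }

    # 6. Spread: who else received mail from the phish sender, and did this account send a burst?
    $end = Get-Date
    if ($PhishSenderAddress) {
        $hits  = Get-MessageTrace -SenderAddress $PhishSenderAddress -StartDate $since -EndDate $end
        $rcpts = ($hits | ForEach-Object { $_.RecipientAddress } | Sort-Object -Unique) -join ', '
        $findings.Add("Phish sender $PhishSenderAddress also reached: $rcpts")
    }
    $sent = @(Get-MessageTrace -SenderAddress $UserPrincipalName -StartDate $since -EndDate $end)
    $findings.Add("Messages sent by the account in the last $LookbackDays days: $($sent.Count)")

    # 7. Only after the evidence above is captured: invalidate every refresh token and session.
    #    The password itself goes through the existing AD reset (nothing to do if passwordless).
    if ($Remediate) {
        $null = Revoke-MgUserSignInSession -UserId $UserPrincipalName
        $findings.Add('All sign-in sessions and refresh tokens revoked')
    }
    return $findings
}

# Usage: the first run collects evidence only; the second, after review, revokes sessions and
# disables the flagged rules. Addresses are placeholders.
# Invoke-PhishedAccountTriage -UserPrincipalName 'user@contoso.example' -PhishSenderAddress 'invoice@sender.example'
# Invoke-PhishedAccountTriage -UserPrincipalName 'user@contoso.example' -Remediate
```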
SmallBusinessITGuru@reddit
This should be something that the Sr. System Administrators researched and documented for you in accordance with your company policies, as set by the IT Director/Manager.
I will say that given that you're stepping up and taking it on yourself, keep researching and document what you do and send it up the chain. Use that initiative to push yourself into that Sr. System Administrator role, and then just keep on keeping on with the good work.
The_Zobe@reddit
Welp…
catherder9000@reddit
I assume Fortiguard and Fortinet SOC are on top of it, I also assume Vipre EDR+MDR is on top of it and between the two it's been mitigated out the yingyang. I then pat my cyber insurance on the wallet and carry on with my daily grind.
I don't get paid to give a fuck about user stupidity, that's for upper management to worry about. IT did our job, our leveraged services did their jobs, we wasted money with KnowBe4 for some reason and that user(s) took the training.
I am not that invested emotionally to care about things beyond my direct control. It comes with age I suppose.
Sir_Swaps_Alot@reddit
Isolate and shame.
primalsmoke@reddit
Suggest that a procedure be set up for future incidents.
A runbook needs to be created.
Suggest that a better effort start to educate everyone on security. Security starts with each employee.
Seems like you are reaching for solutions which is commendable, however security should concern everyone.
Virtual_Ordinary_119@reddit
Sever user head. Then format PC and give it to some sentient human being
elpollodiablox@reddit
Do this first. You might also want to disable his account while you get things under control.
You'll also want to check the rules in their mailbox, including client-only rules.
Next_Information_933@reddit
Generally I'll blacklist the endpoint in EDR and then run a full scan. If they're a user on a shared computer that can move around easily I'll just wipe the machine.
Vesalii@reddit
We went with MFA from "yeah... Whenever we find time" to "we need to deploy this in the coming weeks". A user getting phished was the wake up call we needed. We also have policies for who can log in and from where. Some users can only log in from within the network for example.
These are mitigations to set up that vastly improve account security. Even if a user gets phished, it's likely from a far away country that won't be able to do anything with the account.
torbar203@reddit
While MFA is definitely important to have, there's some phishing I've been seeing that will hijack the 365 session and bypass MFA. EvilNginx is the toolkit that it uses, I believe.
Vesalii@reddit
It's not perfect but it's a free upgrade to security that can stop or slow down at least part of the attacks when personal passwords get hijacked.
andpassword@reddit
...angry. I act angry.
PvtBaldrick@reddit
If this is a common issue then look at investing into a SOAR solution which will automate the response with a playbook.
You can also search for SOAR phishing playbooks online and look at the actions they do for your manual response...
actnjaxxon@reddit
At a minimum:
* Reset all of that user's session tokens
* Rotate their password
* scan all of the things
For the super paranoid, reset MFA if it isn't a FIDO2 key or passkey.
kromedd@reddit
Also open outlook owa and check if any rules have been added.
Public_Cicada_6228@reddit
Revoke tokens, reset password.
Block the URL the user clicked on, including any redirect links to contain the phish. Block domain if necessary.
Depending on the phish, run a scan with whatever system you have.
Removing the network from the device isn't going to do anything if it's a run-of-the-mill phish.
patmorgan235@reddit
If you can nuke the workstation and reimage it.
You also want to check for any newly created inbox rules.
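The account-side steps several commenters describe (revoke sessions, look for added inbox rules and forwarding, review recent sign-ins) as one added example script, not something posted in the thread. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and already connected with sufficient rights; `$Upn` is a placeholder for the affected user, and client-only Outlook rules are not visible to `Get-InboxRule`, so those still need checking in the Outlook client.

```powershell
# Added example (not from any commenter): first-response triage for one
# suspected compromised M365 account. Assumes you have already run
#   Connect-ExchangeOnline
#   Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All"
param(
    [Parameter(Mandatory)] [string]$Upn   # placeholder, e.g. user@contoso.com
)

# 1. Invalidate the user's refresh tokens so a stolen session stops working.
#    (A password reset alone does not always end an existing session.)
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-Host "Sign-in sessions revoked for $Upn"

# 2. Server-side inbox rules. Rules that forward or redirect mail elsewhere,
#    delete messages, or quietly move them out of the Inbox are the ones to
#    review with the user; attackers use them to hide replies and alerts.
Write-Host "`n== Inbox rules worth reviewing =="
Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MoveToFolder
} | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize

# 3. Mailbox-level forwarding is set outside inbox rules and is easy to miss.
Write-Host "`n== Mailbox forwarding settings =="
Get-Mailbox -Identity $Upn |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 4. Recent sign-ins for this user (last 7 days), newest first, so the
#    IPs, countries and client apps can be compared with the user's normal pattern.
Write-Host "`n== Sign-ins in the last 7 days =="
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -Top 100 |
    Sort-Object CreatedDateTime -Descending |
    Select-Object CreatedDateTime, IPAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        @{ n = 'App';     e = { $_.AppDisplayName } },
        @{ n = 'Status';  e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.ErrorCode } } } |
    Format-Table -AutoSize
```

A sign-in that succeeded from an unfamiliar country or an unexpected client app shortly after the click is the strongest signal here; absence of such a sign-in does not prove the account is clean, since a token stolen by a reverse-proxy phishing kit can look like the victim's own session.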
Sergeant_Fred_Colon@reddit
If the user has clicked on a dodgy link, then Barracuda safe link should pick it up and block it. If not, the web filter should pick it up and block it.
Accounts are behind 2fa and region lockouts.
In the unlikely event an account is actually compromised, check logs on Identity etc. and reset the user's accounts, and make the user go through reporting a potential GDPR breach.
thortgot@reddit
Geo IP blocking only stops the absolute bottom barrel of criminal. Modern Evilnginx2 attacks incorporate proxy reflection that makes the connection come from your country.
Safe links will pick up known problem domains, if you are getting targeted they will generally craft a domain just for you.
contoso.com might have cont0so.com registered for a few months with legitimate traffic going back and forth to "validate" it as a real website. When the attack is ready to trigger after passing "new domain" thresholds, they will simply clone your website.
Using something like https://www.canarytokens.org/ to identify website clones will pick up more incidents than you expect.
The answer is to use phishing resistant creds.
Proof-Variation7005@reddit
Trimmed the fat out a little. Even still, I'd maybe cut this list down if the user clicked but never tried to log into anything.
That and just a quick refresher via email (pre-written) about what happened that gets sent over so they can't say "Nobody told me" later .
neko_whippet@reddit
I'm also in the burn the witch side :P
11524@reddit
Old yeller the user, step one.
Tools are in the locked shed out back.
joeytwobastards@reddit
Also check your web proxy and see what sites they tried to hit, and block if necessary
fieroloki@reddit
2fa?
3tek@reddit
The session tokens can get hijacked if the phishing site has EvilNginx running.
SilentSamurai@reddit
Ran through this more times than I care to remember: https://learn.microsoft.com/en-us/defender-office-365/responding-to-a-compromised-email-account