Security

1. Phishing as a service

    Posted Feb 08, 2024 01:41 PM

    Hello all,

    I want to share my experience and lessons learned while dealing with a Phishing-as-a-Service (Greatness) platform targeted at Microsoft Office 365 users. During the last holiday season, I noticed an uptick in phishing emails, most of which were blocked or quarantined. However, a few bypassed these measures and were caught by periodic inbox scans done by Zero purge.

    In response to the increasing attacks in January, I implemented several policy changes in Microsoft Defender for Office, which proved effective. These changes included adjusting phishing thresholds, modifying anti-spam and anti-malware policies, and enhancing safe attachment and URL protocols.

    Regarding user education, I will utilize an email that initially entered a user's inbox but was subsequently caught by zero purge as an example. I'll capture a screenshot of the email and annotate all the telltale signs of a phishing attempt, then distribute this to all staff. I find these methods to be highly effective in educating users, rather than solely relying on simulated phishing emails. I intentionally limit the frequency of these communications to prevent alert fatigue.

    Overall, these strategies have significantly mitigated phishing attacks, underlining the importance of proactive measures and continuous adaptation to evolving cyber threats.

    Here are the policy changes I've implemented to address these significant threats, categorized under each menu section of Microsoft Defender. Utilizing the Microsoft 365 Defender portal consolidates all my security controls within its dashboard. Going forward, I'll abbreviate Microsoft Defender as (MD) and Microsoft Defender for Office as (MDO). Menu flow locations are shown as (MDO) > Email & Collaboration > Policies & Rules > Phishing Attacks:

    Menus:

    (MD) > Email & Collaboration > Policies & Rules > Phishing Attacks:

    (Applied to all custom domains within my tenant)

    Notes: Before December 2023, my Phishing threshold was set to 2. In February, I adjusted this setting to 3. Alongside the policies outlined in my email, this change has effectively mitigated the threats posed by the "Greatness Phishing Platform." I must acknowledge that this assessment is primarily anecdotal, based on my observations of the types of phishing emails caught, which closely align with the methods of this phishing platform and tactics documented in my investigation reports within the (MD) portal.

    (MD) > Email & Collaboration > Policies & Rules > Anti-spam Inbound

    Notes: I have configured these settings to tag emails originating from countries with which we do not conduct business as spam. Additionally, emails containing language commonly used within these blocked countries will also be tagged as spam.

    (MD) > Email & Collaboration > Policies & Rules > Anti-malware

    Notes: I've observed that many blocked phishing emails often contain .htm or .html extensions. This is a tactic commonly employed by the Greatness phishing platform. Cybercriminals embed attachments disguised as links or barcodes, which, when clicked or scanned, redirect unsuspecting users to a malicious website designed to mimic an Office 365 login page. Although initially adding these extensions here wasn't as effective as blocking them under Exchange > Mail flow > Rules, I found that incorporating these rules here effectively blocked emails containing such attachments. Since most of my users rarely require this type of attachment in their daily workflow, you can decide for yourself whether to block it or not.

    (MD) > Email & Collaboration > Policies & Rules > Safe Attachments

    Notes: I highly appreciate the dynamic delivery feature for all attachments, wherein MDO detonates them in a virtual environment before reattaching them to the email. This approach has proven highly effective in blocking malware attachments, particularly those disguised as zip or PDF files. Users may experience a slight inconvenience as they wait for their attachment to appear in the original email, which typically takes about a minute or less to reattach. However, the inconvenience is justified by the security measure, especially considering the significant risks to the organization if a malware attachment were to be activated.

    (MD) > Email & Collaboration > Policies & Rules > Safe Links

    Notes: This feature provides another effective control to mitigate unsafe links embedded in emails. When enabled, it checks and blocks all malicious URLs within emails, while also tracking which URLs were clicked and by whom.

    Priority account protection is enabled by default by MDO for high-value targets, typically comprising members of the executive team, finance, and HR, within the MD portal. You will need to manually add users to this protection.

    Note: By employing this feature, you leverage Microsoft's machine learning, which has been trained on billions of signals collected from their extensive pool of Office 365 users.

    To configure:

    Settings > Email & Collaboration > User Tags > Create a User Tag.

    For instance, I created a tag named "Priority Account" and included my high-value assets within it.

    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/priority-accounts-turn-on-priority-account-protection?view=o365-worldwide

    Training the Machine Learning:

    I also dedicate time to classifying the automated alerts I receive, distinguishing whether they are phishing alerts according to Microsoft's classification. This effort contributes to training the AI model as more individuals within the Office 365 platform contribute to improving the accuracy of the AI. This process is conducted within:

    (MD) > Incidents and Alerts

    After implementing all the above adjustments, I frequently check reports under the following sections of Microsoft Defender for Office:

    (MD) > Email & Collaboration > Explorer: To observe trends regarding the types of phishing emails being blocked.

    (MD) > Email & Collaboration > Review: To examine any emails that have been quarantined for potential false positives that need to be released.

    Managing MD & MDO:

    What I've learned:

    Based on my personal experience, I've encountered threats targeted against my organization. Cybercriminals often manipulate email properties, such as adding our domain to the sender's from or subject information. For instance:

    From: Safnow, but a different sender address is displayed since they can't spoof our domain due to authentication protocols like SPF, DKIM, and DMARC.

    Subject: Safnow HR

    My users are trained to recognize these phishing indicators, which should trigger caution whenever they encounter such emails.

    Additionally, I've implemented mail flow rules in Exchange (EOP) to block these threats, based on the text used within the from and subject lines.

    I rely solely on Microsoft Defender for Office (MDO) and Microsoft Defender to combat these threats. In my humble opinion, when configured correctly, these platforms are highly effective in mitigating such risks. Before using MDO, I had to manually review each policy to understand its purpose. Now, Microsoft provides templates that organizations can apply wholesale, simplifying the process of enhancing email security.

    According to the Verizon Data Breach Report, email remains the preferred and one of the most effective threat vectors utilized by cybercriminals against organizations. The battle against cyber threats is ongoing, prompting me to continually monitor for new attack vectors. I use each encounter as an opportunity to refine my defenses and stay informed about evolving tactics employed by cybercriminals. I'm aware that if a state-sponsored threat actor were to compromise the underlying Office 365 platform, it could be catastrophic for my organization. Nevertheless, I remain vigilant.

    Please share your proven tactics to further strengthen our collective Office 365 defenses.

    Best,



    ------------------------------
    Joe Aldeguer
    IT Director
    Society of American Florists
    Alexandria VA
    (703) 836-8700
    https://safnow.org
    ------------------------------
    Annual Meeting 2024
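The Exchange (EOP) mail flow rules the post describes, as an added example that is not the poster's own configuration: one rule set for display-name and subject impersonation of the org name, and one for .htm/.html attachments. It assumes the ExchangeOnlineManagement module is installed, that the tenant's own domain is safnow.org (taken from the signature), and that the keywords and rule names are illustrative.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module is installed and that safnow.org is the tenant's own domain (assumption
# based on the signature URL); keywords and rule names are illustrative.
Connect-ExchangeOnline

$OrgDomain   = 'safnow.org'
$OrgKeywords = @('Safnow', 'Society of American Florists')

# Rule 1a: display-name impersonation. SPF/DKIM/DMARC stop attackers from
# sending as @safnow.org, so they put the org name in the From display name
# while sending from another domain. Conditions within a rule are ANDed:
# external mail + our name in the From header, excluding our real domain.
# Start in Audit mode and review hits in Explorer before switching to Enforce.
New-TransportRule -Name 'Display-name impersonation of org' `
    -Mode Audit `
    -FromScope NotInOrganization `
    -HeaderContainsMessageHeader 'From' `
    -HeaderContainsWords $OrgKeywords `
    -ExceptIfSenderDomainIs $OrgDomain `
    -Quarantine $true `
    -Comments 'Org name in From display name from an outside domain'

# Rule 1b: the same pattern in the subject line ("Safnow HR"). Kept as a
# separate rule so each condition can be audited and tuned on its own.
New-TransportRule -Name 'Subject impersonation of org' `
    -Mode Audit `
    -FromScope NotInOrganization `
    -SubjectContainsWords $OrgKeywords `
    -ExceptIfSenderDomainIs $OrgDomain `
    -Quarantine $true `
    -Comments 'Org name in subject from an outside domain'

# Rule 2: block inbound .htm/.html attachments, the lure format the post
# attributes to the Greatness kit. Rejecting with an NDR lets legitimate
# senders know why their message did not arrive.
New-TransportRule -Name 'Block inbound HTML attachments' `
    -Mode Enforce `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords 'htm', 'html' `
    -RejectMessageReasonText 'HTML attachments are not accepted by this organization.' `
    -Comments 'Greatness PhaaS delivers lures as .htm/.html attachments'

# Verify the rules exist and confirm which are still in Audit mode.
Get-TransportRule |
    Where-Object { $_.Name -like '*impersonation of org' -or $_.Name -eq 'Block inbound HTML attachments' } |
    Format-Table Name, State, Mode, Priority
```

Once Explorer shows no legitimate mail matching the impersonation rules, switch them with `Set-TransportRule -Identity '<rule name>' -Mode Enforce`.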