Hello all,
I want to share my experience and lessons learned while dealing with a Phishing-as-a-Service (Greatness) platform targeted at Microsoft Office 365 users. During the last holiday season, I noticed an uptick in phishing emails, most of which were blocked or quarantined. However, a few bypassed these measures and were caught by periodic inbox scans done by Zero purge.
In response to the increasing attacks in January, I implemented several policy changes in Microsoft Defender for Office, which proved effective. These changes included adjusting phishing thresholds, modifying anti-spam and anti-malware policies, and enhancing safe attachment and URL protocols.
Regarding user education, I will utilize an email that initially entered a user's inbox but was subsequently caught by zero purge as an example. I'll capture a screenshot of the email and annotate all the telltale signs of a phishing attempt, then distribute this to all staff. I find these methods to be highly effective in educating users, rather than solely relying on simulated phishing emails. I intentionally limit the frequency of these communications to prevent alert fatigue.
Overall, these strategies have significantly mitigated phishing attacks, underlining the importance of proactive measures and continuous adaptation to evolving cyber threats.
Here are the policy changes I've implemented to address these significant threats, categorized under each menu section of Microsoft Defender. Utilizing the Microsoft 365 Defender portal consolidates all my security controls within its dashboard. Going forward, I'll abbreviate Microsoft Defender as (MD) and Microsoft Defender for Office as (MDO). Menu flow locations are shown as (MDO) > Email & Collaboration > Policies & Rules > Phishing Attacks:
Menus:
(MD) > Email & Collaboration > Policies & Rules > Phishing Attacks:
(Applied to all custom domains within my tenant)
Notes: Before December 2023, my Phishing threshold was set to 2. In February, I adjusted this setting to 3. Alongside the policies outlined in my email, this change has effectively mitigated the threats posed by the "Greatness Phishing Platform." I must acknowledge that this assessment is primarily anecdotal, based on my observations of the types of phishing emails caught, which closely align with the methods of this phishing platform and tactics documented in my investigation reports within the (MD) portal.
------------------------------
Joe Aldeguer
IT Director
Society of American Florists
Alexandria VA
(703) 836-8700
https://safnow.org
------------------------------
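For readers who want to reproduce the kind of changes described in the post (raising the anti-phishing threshold, tightening anti-spam and anti-malware, and turning Safe Attachments and Safe Links to their strict settings) in a reviewable, repeatable way, the following is an added example in Exchange Online PowerShell. It is not the poster's actual configuration and not Microsoft's sample code. The admin UPN, the policy name, the extra blocked file types and the spam/bulk thresholds are placeholders and assumptions; the only value taken from the post is the phishing threshold moving from 2 to 3. The script scopes custom policies to every accepted domain in the tenant, matching the "all custom domains" note above, and checks whether each policy already exists so it can be re-run. Older versions of the ExchangeOnlineManagement module expose the Safe Links click-through switch as `-DoNotAllowClickThrough` rather than `-AllowClickThrough`.

```powershell
# Added example (not the poster's configuration). Assumptions: admin UPN,
# policy name, extra file types and thresholds below are placeholders.
# Requires the ExchangeOnlineManagement module and an Exchange/Security admin role.

$AdminUpn          = 'admin@example.org'                 # assumption
$PolicyName        = 'Hardened - All Custom Domains'     # assumption
$NewPhishThreshold = 3                                   # post: raised from 2 to 3

if ($NewPhishThreshold -lt 1 -or $NewPhishThreshold -gt 4) {
    throw "PhishThresholdLevel must be 1-4; got $NewPhishThreshold"
}

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Scope for the custom policies: every accepted domain in the tenant.
$Domains = (Get-AcceptedDomain).DomainName

# 1. Anti-phishing: raise the threshold, quarantine impersonation and spoof hits.
$antiPhish = @{
    PhishThresholdLevel                 = $NewPhishThreshold
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'Quarantine'
    EnableOrganizationDomainsProtection = $true
    TargetedDomainProtectionAction      = 'Quarantine'
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = 'Quarantine'
    EnableFirstContactSafetyTips        = $true
    EnableUnauthenticatedSender         = $true
    EnableViaTag                        = $true
}
if (Get-AntiPhishPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
    Set-AntiPhishPolicy -Identity $PolicyName @antiPhish
} else {
    New-AntiPhishPolicy -Name $PolicyName @antiPhish
    New-AntiPhishRule -Name $PolicyName -AntiPhishPolicy $PolicyName -RecipientDomainIs $Domains
}

# 2. Anti-spam (the Default policy already covers all recipients): quarantine
#    phish and high-confidence spam; keep ZAP on so late verdicts still pull
#    delivered mail out of inboxes.
Set-HostedContentFilterPolicy -Identity 'Default' `
    -HighConfidencePhishAction Quarantine -PhishSpamAction Quarantine `
    -HighConfidenceSpamAction Quarantine -SpamAction MoveToJmf `
    -BulkThreshold 6 -BulkSpamAction MoveToJmf `
    -PhishZapEnabled $true -SpamZapEnabled $true

# 3. Anti-malware: common attachment filter plus ZAP, appending container and
#    shortcut types (assumption) to whatever the policy already blocks.
$malware   = Get-MalwareFilterPolicy -Identity 'Default'
$fileTypes = @($malware.FileTypes) + @('iso', 'img', 'lnk', 'vhd', 'vhdx') | Select-Object -Unique
Set-MalwareFilterPolicy -Identity 'Default' -EnableFileFilter $true -FileTypes $fileTypes -ZapEnabled $true

# 4. Safe Attachments: detonate and Block rather than Monitor or Replace.
if (Get-SafeAttachmentPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
    Set-SafeAttachmentPolicy -Identity $PolicyName -Enable $true -Action Block
} else {
    New-SafeAttachmentPolicy -Name $PolicyName -Enable $true -Action Block
    New-SafeAttachmentRule -Name $PolicyName -SafeAttachmentPolicy $PolicyName -RecipientDomainIs $Domains
}

# 5. Safe Links: rewrite and scan URLs at click time, include internal mail,
#    and do not let users click through a warning page.
$safeLinks = @{
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true
    DeliverMessageAfterScan  = $true
    EnableForInternalSenders = $true
    TrackClicks              = $true
    AllowClickThrough        = $false
}
if (Get-SafeLinksPolicy -Identity $PolicyName -ErrorAction SilentlyContinue) {
    Set-SafeLinksPolicy -Identity $PolicyName @safeLinks
} else {
    New-SafeLinksPolicy -Name $PolicyName @safeLinks
    New-SafeLinksRule -Name $PolicyName -SafeLinksPolicy $PolicyName -RecipientDomainIs $Domains
}

# Verify the one setting the post calls out explicitly.
Get-AntiPhishPolicy | Select-Object Name, IsDefault, PhishThresholdLevel | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

A custom anti-phishing, Safe Attachments or Safe Links rule scoped by recipient domain takes precedence over the default policy, so pilot it against a small group (swap `-RecipientDomainIs $Domains` for `-SentTo` with a few test mailboxes) and watch the quarantine and submissions pages for false positives before widening the scope. Raising the phish threshold increases the aggressiveness of machine-learning verdicts, which is exactly why the poster paired it with user education rather than relying on the threshold alone.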