Gone Phishing

Posted on: July 7, 2017

The cyber criminals who make a living stealing valuable personal and financial information never take a holiday, and universities continue to present a massive target for credentials phishing.  As such, Information Technology Services (ITS) remains vigilant in our efforts to protect campus and stay one-step ahead of the bad guys.

While today we’re able to mitigate phishing attacks with defenses such as antispam appliances, accounts still become compromised on an occasional basis – and once compromised, attackers often use them to send additional phishing emails to recipients both inside and outside of the university. Working with the Information Security Office (ISO), we have identified several known behaviors which thus far have been 100% indicative of a compromised mailbox.  The problem to date is that we have had to respond to these alerts manually.  Our email team of Steve Walker, Don Nash, and Glen Martin has been working with Microsoft engineers and has identified some unique methods to automatically respond to these incidents, including:

  • Stopping the attack
    • Lock the compromised user account.
    • Invalidate the account’s login tokens to terminate active sessions.
  • Prevent it from spreading further
    • Identify internal phishing messages sent from the compromised account.
    • Preemptively delete these messages from mailboxes in our Office 365 tenant.

Over the next few weeks, we will begin to turn on this toolset and automate this process.  It has the potential to improve our security posture immeasurably and in a way which is totally transparent to our customers. So, while the criminals never take a day off, neither do our mail defenses!  The phishing will be pretty poor in these waters.