We recently shared a series of blog posts on protecting your network from phishing attacks, focused on Impersonation Protection. We’d now like to spotlight incidents experienced by BTS clients, the actions taken, and the precautions that could help avoid such risks in the future. The first such case is shared below.
The Scenario
BTS had just onboarded a new client when we learned that one of their employees had received an email from a legitimate sender with the subject line “[Sender] has shared ‘Past Due Inv’ with you”. Trusting the sender, the employee opened the message and clicked on the link. The employee noted that no new window opened, but something kept prompting for a code. The employee closed the message without interacting further.
The Response
To cut off unauthorized access, the BTS team immediately disabled the employee’s account and revoked all open sessions in Microsoft 365 and on the local network. We reset the employee’s internal domain account and all associated passwords. BTS found that the attacker had created an app called “test” in the Microsoft 365 portal and assigned an administrative role to themselves. The “test” app was likely an attempt to establish a backdoor within the environment, which would allow the attacker to return later or to exfiltrate data. The culprit may also have been exploring the network environment for valuable resources or sensitive data. We concluded that they had used a session hijacking technique to gain access. The attacker’s access was terminated by deleting the malicious “test” app and the illegitimate role assignment. Burgess was able to deem the threat fully mitigated with no additional issues.
Protecting Your Network
It’s important to consider how this situation might have been avoided. A Managed Detection and Response (MDR) service would alert network admins to malicious activity in Microsoft 365: there would be an alert when the errant application was installed, and possibly when the account itself was compromised, based on the sign-in location and method as explained in our previous blog post on MDR. Additionally, a security awareness training program can help staff identify suspicious emails and avoid clicking links in unexpected messages.
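To show what the alerting described above looks like in practice, here is an added example (not BTS code or any MDR product's code) that runs simple detection logic over constructed Microsoft 365 audit records. The operation names mirror Entra ID audit-log operations, but the record layout, the timestamps and the addresses are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not real logs). The field layout is a
# simplified stand-in for exported Microsoft 365 audit events (assumption).
SAMPLE_AUDIT_LOG = [
    {"time": "2024-05-01T09:12:03Z", "operation": "UserLoggedIn",
     "actor": "jdoe@example.com", "ip": "203.0.113.5", "target": ""},
    {"time": "2024-05-01T09:40:10Z", "operation": "Add application.",
     "actor": "jdoe@example.com", "ip": "198.51.100.77", "target": "test"},
    {"time": "2024-05-01T09:41:30Z", "operation": "Add member to role.",
     "actor": "jdoe@example.com", "ip": "198.51.100.77", "target": "Global Administrator"},
    {"time": "2024-05-01T10:05:00Z", "operation": "FileAccessed",
     "actor": "jdoe@example.com", "ip": "203.0.113.5", "target": "Q2 report.xlsx"},
]

# Operations that create persistence or privilege and warrant an alert on their own.
HIGH_RISK_OPS = {"Add application.", "Add service principal.",
                 "Add member to role.", "Consent to application."}

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def find_alerts(records, window=timedelta(minutes=60)):
    """Return one alert per high-risk operation. Severity is raised when the
    source IP differs from the actor's last sign-in (a session used from a new
    location, as in a hijacked session) and raised again when a role assignment
    follows an app registration by the same actor within `window`."""
    alerts, last_login_ip, last_app_add = [], {}, {}
    for rec in sorted(records, key=lambda r: r["time"]):
        actor, op, when = rec["actor"], rec["operation"], parse_time(rec["time"])
        if op == "UserLoggedIn":            # remember where the session started
            last_login_ip[actor] = rec["ip"]
            continue
        if op not in HIGH_RISK_OPS:
            continue
        reasons = [f"high-risk operation {op!r} on {rec['target']!r}"]
        severity = "medium"
        if rec["ip"] != last_login_ip.get(actor):
            reasons.append(f"source IP {rec['ip']} differs from sign-in IP "
                           f"{last_login_ip.get(actor)}")
            severity = "high"
        if op == "Add application.":
            last_app_add[actor] = when
        elif (op == "Add member to role." and actor in last_app_add
              and when - last_app_add[actor] <= window):
            reasons.append("role assignment shortly after app registration by same actor")
            severity = "critical"
        alerts.append({"time": rec["time"], "actor": actor,
                       "severity": severity, "reasons": reasons})
    return alerts
```

Run against the sample records, the “test” app registration is flagged as high (new source IP) and the role assignment that follows it as critical, while the ordinary sign-in and file access produce no alert.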
It is also important to have a plan in place, including checklists and an experienced team-based response, to quickly review and mitigate compromised accounts. Each of these recommendations is key to protecting your network.
Do you feel confident in your network security protocols? Chat with one of our account managers for help assessing risks, vulnerabilities, and solutions tailored to your organization’s specific needs.