Are you properly protecting yourself and your employees from phishing?
While there are many different ways that hackers can attempt to infiltrate an organization, one of the most popular is a phishing attack. Thankfully, Office 365 gives IT admins a number of ways to identify phishing attacks and address the situation as quickly as possible.
What is a phishing attack?
Phishing is simply the act of obtaining highly-sensitive information such as passwords, credit card information, usernames, and other personal information for malevolent reasons, by disguising an entity as a trustworthy organization via electronic communication.
How to determine the immediate impact of a phishing attack?
If you think an employee within your company has fallen victim to phishing, it’s important to act fast to mitigate damage. A few questions to ask the person involved:
- Did the user actually open a fraudulent email?
- Did the user open an attachment that was inside the email?
- Did the user click on a link within the fraudulent email?
- Did the user reply to the email?
- Did the user provide their credentials after clicking a link within the email?
- Did the user provide sensitive information to the hacker after clicking a link or replying to an email?
These are just a few of the questions that should be asked immediately after an Office 365 Admin determines a phishing attack may have occurred.
How to know if an employee has fallen victim to a phishing attack?
Not every report of a fraudulent email turns out to be a phishing attack. Take the following steps to identify phishing emails and act accordingly. Remember, you should never open attachments, images or links that are contained within potentially fraudulent emails.
Does the email look like a phishing email?
The three most common types of phishing emails that you’ll likely run across as an Office 365 Admin include:
- Display From attacks – This type of phishing occurs when someone sends an email from a free provider (Hotmail, Gmail, Yahoo) attempting to represent themselves as a CEO or other high-ranking management official using his or her personal email account.
- Spoofing – This is when the hacker sends an email that looks like it’s originating from your domain.
- Lookalike spoofing – When someone sends an email from a domain that looks very similar to your domain.
Does the email in question look like one of the ones listed above? If so, you may be a victim of phishing, and should react accordingly.
How to deal with accounts that have been compromised by phishing?
If you’ve confirmed that an employee has fallen victim, it’s now time to act quickly to reduce the damage.
Thankfully, Microsoft has released a PowerShell script which helps to quickly remediate an affected Office 365 user account and protect your company from further harm. This PowerShell script can be obtained from GitHub, and will perform the following actions:
- Resets the password and kills any active sessions
- Disables any mail-forwarding rules to external domains
- Removes any mailbox delegates
- Disables the global mail forwarding property on a specific mailbox
- Sets password complexity on the account to ‘high’
- Enables Multi-Factor Authentication
- Enables mailbox auditing
- Creates an Audit Log for the Office 365 Admin to review
While the above steps can be completed manually, it’s much easier to use the supplied RemediateBreachedAccount.ps1 PowerShell script.
Still have questions about phishing attacks?
If you’re still unsure of how to identify and mitigate phishing attacks, feel free to reach out to our team today. We look forward to helping you educate your employees about the very real dangers of phishing in the workplace.
Related blog posts
Get our updates straight to your inbox!
Sign up for our email updates to make sure you don't miss any of our new content.