Usually there will be a slew of incoming tickets indicating users who are reporting being sent phishing emails.
- If trend exists, setup Problem/ Incident structure in the ticketing system to track.
Have the user reporting the suspicious email forward it to email@example.com or look directly in the Barracuda cloud email security module. (listed on SSO)
Look either in the Message Log or Abuse Monitor in Barracuda cloud control.
- Email Security> Overview> Message Log
- Email Security> Outbound Settings> Abuse Monitor
Typically phishing emails will come from one person and go to multiple ppl, look for bulk emails.
Look for several things:
- The users affected- you will have to address them one by one later on, make a list!
- Any commonalities within the emails like subject, website, or filename.--> we will need this to setup content filtering to target and block these specific emails.
Identify the affected accounts by looking in the Barracuda Abuse Monitor
Scroll down on the page to view the abuse records.
Click on the IP address to open that specific report
Try to identify some commonalities:
- who is sending out mass emails
- the subject of the email
- any attachments
- Body Text of the email itself...etc.
It is crucial to identify these in order to stop the spread of the attack.
As you can see below, some emails are going to a single address, where others are going to multiple, those are the ones you want to focus on, specifically the sender of those emails.
Create a list of users that may be compromised based on this criteria. You will use this list in later steps.
Just because the email is being blocked by the firewall DOES NOT MEAN THE ACCOUNT IS NOT COMPROMISED!!!
Its time to setup Content Filtering.
2. Setup Content Filtering
Go to Outbound Settings> Content Policies.
Here is where you want to use those commonalities you identified in the phishing emails from earlier to set a content filter, which will:
- Target only the relevant emails
- Stop the spread of the attack to other accounts.
If the phishing emails were circulating a file baiting users to click on and provide their credentials, Target that file in all emails. You would do the same if that common factor was a specific subject or any other identifiable common criteria.
3. Dealing with Compromised Accounts
Now that you have a list of users that have been compromised there are a few things we need to do.
- Force Logout
- Reset their password
- Remove any rules that may be applied to BOTH the client and Server. (PS Script)
- Strongly suggest the compromised user starts using MFA.
If there are multiple user accounts compromised, repeat this process for all account. Do this process in entirety for each account identified and record the progress in the problem ticket.
3.1. Force Logout
From within the OneLogin Admin console, lookup and launch the user.
Under More Actions, select Force Logout.
3.2. Reset their password
While in the users One Login account, forceibly reset their password. Doesn't matter what password you choose as long as it meets the complexity requirements.
After you do this, the user will not be able to login, you will most likely get an email from them stating this. (scream alarm)
3.3. Remove any Server/Client email rules
This section involves running PowerShell Script, and if you are uncomfortable doing so...proceed with caution or have someone with the appropriate training and clearance do so.
Log into the server ADConnect.
Navigate to the PS Script on root C, and select Run with PowerShell.
You will be prompted to enter the User Principal Name (UPN).
UPN can be found in AD or in OneLogin
AD- lookup the user account and under the Account tab copy the value under User Logon Name, this includes the domain, EX: firstname.lastname@example.org
Or in OneLogin under the users profile in the username field.
3.4. Enroll in MFA
Multi-Factor Authentication (MFA) is a security system that verifies a user’s identity by requiring multiple credentials. Rather than just asking for a username and password, MFA requires other—additional—credentials, such as a code from the user’s smartphone, the answer to a security question, a fingerprint, or facial recognition.
Upon proof of breech it is reasonable to suggest the user get setup with MFA.
"I understand this was a huge inconvenience for you and I would like to offer you a more secure way of accessing your accounts with the hope of preventing this in the future. (speak about MFA generally using the intro above, explaining in basic terms).
If they are interested you can add them to the MFA POLICY TEST security policy in OneLogin.
- From within the users account in OneLogin, click the Authentication Tab
- Under User Security Policy, select MFA Policy Test.
- DON'T FORGET- have the user download and install the OneLogin Protect App from their devices respective app store.
- have the user login and scan the QR code to connect the MFA to the App.