
The Google Phishing Scam: How to Protect Your Data (Part 2)

25 May 2017 by emma.robinson

Following on from the last blog in this series, we’re now moving on to the worst-case scenario: your system has experienced a phishing attack and you’ve been compromised. Much like the Gmail phishing scam, hackers have targeted a cloud-based productivity platform; this time, Office 365.
One day you receive a message from the Director of Operations asking you to urgently read an important attached document. You’re busy with other work and weren’t expecting an email from them, but perhaps it’s a new contract or an important article relating to your work. Without thinking, you click on ‘info.doc,’ but before you can access the Word document, you’re asked to download ‘Microsoft Silverlight’. You quickly realise that this email is vague, the sign-off looks suspicious and this Word document is not from who it says it’s from. It’s a phishing scam. You delete the email, and carry on with your work.
A few hours later, a nearby co-worker from HR sends a panicked email; they’ve fallen for the same phishing scam, but they have changed their password to defend their account. The so-called ‘Microsoft Silverlight’ download link was in fact a Visual Basic script file containing keylogging malware. Your co-worker has unwittingly given away their user details and password to an unknown hacker, and your Office 365 system is already at risk.
What do you do next? Let’s examine the two possible scenarios:

  1. The hack leads to a data breach and personal employee information is leaked; there is huge financial loss due to stolen intellectual property; the company’s reputation suffers, and customers and employees lose faith in the company’s security, with some even choosing to take legal action.
  2. The hack is stopped in its tracks before any information is stolen, and any subsequent hacks are detected and prevented through careful activity monitoring, and scheduled security reporting.

Even with security measures in place, it’s very easy to find yourself in the first scenario. The one that’s left with a huge mess to clean up, and a lot of people to answer to. Luckily, this time, you’re the second option. Your system is monitored and protected by Discover & Audit, which will help you track the digital footprint of your hacker, as they try to take as much valuable information as possible, or even hold it to ransom.

As an Admin, first you log in to Discover & Audit and inspect the Audit Log.

You can quickly see that your co-worker has accessed your system as normal in the past few hours. But after moving on to the Azure AD Anomalous Activity Reports, a quick look at the ‘Sign ins after Multiple Failures Report’ and the ‘Irregular Sign in Activity Report’ shows that there have been over twenty log-in attempts from your co-worker’s account, and their location has changed.

You see that the user is now logging in from Washington, instead of the company office in London. You decide to save this report, as proof of the attack.
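The two checks described above (a successful sign-in after a run of failures, and a sign-in from an unfamiliar location) can be sketched as follows. This is an added example, not Discover & Audit or Azure AD output; the event fields, account names, baseline and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events; field names are assumptions, not a real export schema.
EVENTS = (
    [{"user": "hr.coworker", "time": "2017-05-25T09:05:00", "city": "London", "ok": True}]
    + [{"user": "hr.coworker", "time": f"2017-05-25T13:{m:02d}:00",
        "city": "Washington", "ok": False} for m in range(21)]
    + [{"user": "hr.coworker", "time": "2017-05-25T13:30:00", "city": "Washington", "ok": True},
       {"user": "ops.director", "time": "2017-05-25T10:00:00", "city": "London", "ok": False},
       {"user": "ops.director", "time": "2017-05-25T10:01:00", "city": "London", "ok": True}]
)
# Cities each account normally signs in from (assumed baseline).
BASELINE = {"hr.coworker": {"London"}, "ops.director": {"London"}}


def flag_signins(events, baseline, fail_threshold=5):
    """Return (user, time, reason, detail) alerts for risky sign-in patterns."""
    failures = defaultdict(int)   # consecutive failed attempts per user
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        user = e["user"]
        if not e["ok"]:
            failures[user] += 1
            continue
        # A success that ends a long run of failures suggests a guessed or stolen password.
        if failures[user] >= fail_threshold:
            alerts.append((user, e["time"], "success_after_failures", failures[user]))
        # A success from a city the account has never used is an irregular sign-in.
        if e["city"] not in baseline.get(user, set()):
            alerts.append((user, e["time"], "unfamiliar_location", e["city"]))
        failures[user] = 0
    # Edge case: a failure run that has not (yet) ended in a success is still worth a look.
    for user, count in failures.items():
        if count >= fail_threshold:
            alerts.append((user, None, "failures_without_success", count))
    return alerts


if __name__ == "__main__":
    for alert in flag_signins(EVENTS, BASELINE):
        print(alert)
```

A single mistyped password followed by a normal London sign-in (the `ops.director` events) stays below the threshold and raises nothing.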

Now that you’ve located your attacker, you immediately decide to safeguard any important documents your co-worker’s account may have access to. But suddenly, you get a flood of requests from your co-worker’s account, requesting admin access to important company documents.

You reject them, and quickly move to ‘File and Folder Operations,’ to see what documents the hacker could have tampered with.

Even though they don’t have IT admin privileges, you know that your co-worker’s account can access a variety of HR, Operations and Finance documents, all containing personal information of company employees. You find that the hacker has accessed a variety of documents relating to finance, but has not yet downloaded any confidential documents; you immediately block any further access, deny all privileges, and save the report for your records. You also set up a daily scheduled report showing all ‘File and Folder Operations’, to ensure that all further actions will be monitored (in case anyone else falls for the same scam).
Your co-worker’s account has now been denied all access, and its privileges have been revoked to protect any important documents. Your environment has been secured, and you can begin to assess any damage, such as data loss, and analyse your security configurations to make any possible improvements, or add further preventative measures.
With the advancements of modern-day technology, it’s no longer possible to neglect data security, and safeguards will always need to be updated and invested in, whether they be technical, data, or ‘human’. Hackers usually use a mixture of social engineering and technical knowledge to trick users into giving away information, so your security strategy must encompass all aspects of your system. While fast and responsive technology will ensure a speedy response to attacks, employees who can spot abnormalities remain the best preventative measure for your Office 365 environment. This means that alongside intelligent, automated threat prevention technology, organisation-wide education should be a priority, and form a crucial part of your prevention strategy.
Cogmotive is the leading global provider of enterprise level reporting and analytics applications for Office 365.