Mitigating a Successful Phish


MOREnet Security has seen an increase in the number of successful email phishes, and to help districts mitigate them, we've put together the following information.

A staff member reports that people in their contact list say they received a malicious email from them. The email came from a valid email account, so the email system did not flag it. Below is a general guideline you can review to mitigate the situation. As every situation is unique, the order in which you use these steps may differ. Becoming familiar with your email solution's capabilities before a situation occurs is advisable.

  1. Deactivate their user account if the situation warrants this action.
    1. Obtain information on who it was forwarded to before deactivating.
  2. Quarantine the user's incoming email. (Deactivating the account in step 1 prevents outgoing email from being delivered.)
  3. Quarantine incoming and outgoing email for all recipients of the phish in your domain.
  4. Determine what email compromised their account. What have they clicked on recently that didn't behave as they expected?
  5. What device were they using when they opened the malicious email?
  6. Scan for malware.
  7. Determine when it started and what was accessed by researching logs.
  8. If assistance is needed, please send the email headers and forward a copy of the phish to security@more.net and we will sandbox the email.
  9. Notify any outside-domain recipients.
  10. Disable the accounts of users who have activated the phish.
  11. Force a password reset on potentially affected accounts.
  12. Reimage affected device(s).
  13. If the email was opened on a personal phone, they should take their phone to their carrier for mitigation. Their apps and MFA can be compromised.

Google/Education Plus Instructions: Using the investigation tool

Gmail Quarantine

Other Considerations

If this is a spoofed email, do you have DMARC, DKIM, and SPF configured? Email Spoofing
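As an added example (not part of MOREnet's guidance), the Python triage helper below reads the Authentication-Results header from the headers a reporter forwards in step 8 and separates a message that genuinely authenticated as the compromised account (work the list above) from one that merely spoofed the sender (review SPF, DKIM and DMARC). The gateway name mx.example.net and every header value are constructed.

```python
import email
import re

# Constructed sample headers (not real messages): one that genuinely authenticated
# as the district's domain, one that merely spoofs the same sender address.
COMPROMISED_SAMPLE = """\
From: "Jane Staff" <jane.staff@district.example>
Authentication-Results: mx.example.net;
    spf=pass smtp.mailfrom=district.example;
    dkim=pass header.d=district.example;
    dmarc=pass header.from=district.example
"""
SPOOFED_SAMPLE = """\
From: "Jane Staff" <jane.staff@district.example>
Authentication-Results: mx.example.net;
    spf=softfail smtp.mailfrom=district.example;
    dkim=none;
    dmarc=fail header.from=district.example
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(raw_headers, trusted_authserv=None):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    A sender can forge this header too, so when trusted_authserv is given only
    the header stamped by that gateway (the authserv-id before ';') is used."""
    msg = email.message_from_string(raw_headers)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id = value.split(";", 1)[0].strip()
        if trusted_authserv and authserv_id != trusted_authserv:
            continue
        for mech, verdict in AUTH_RE.findall(value):
            verdicts.setdefault(mech.lower(), verdict.lower())
    return verdicts


def classify_phish(raw_headers, trusted_authserv=None):
    """'compromised-account': the mail really came from the sender's domain, so
    work the deactivate/quarantine/reset list. 'spoofed': the sender was only
    impersonated, so review SPF/DKIM/DMARC. 'unknown': no usable verdicts."""
    v = parse_auth_results(raw_headers, trusted_authserv)
    if not v:
        return "unknown"
    if "dmarc" in v:  # DMARC aligns the visible From: with SPF/DKIM, so it decides
        return "compromised-account" if v["dmarc"] == "pass" else "spoofed"
    if v.get("spf") == "pass" and v.get("dkim") == "pass":
        return "compromised-account"
    return "spoofed"
```

Pass your own gateway's authserv-id as trusted_authserv so a forged Authentication-Results header inserted by the sender is ignored.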

What other files/data could have been accessed?

Was the password manager compromised?

Ongoing user training is a key component in mitigating phishing attempts, as attackers are becoming more sophisticated.

Contact MOREnet Security if you have any questions or need assistance! security@more.net