
MOREnet Security has seen an increase in the number of successful email phishes and, to help districts mitigate them, we have put together the following information.
A staff member reports that people in their contact list say they received a malicious email from them. The email came from a valid, authenticated account in your domain, so your email filtering did not flag it. Below is a general guideline you can follow to mitigate the situation. Every situation is unique, so the order in which you apply these steps may differ. Becoming familiar with your email platform's capabilities (quarantine, log search, session revocation, the investigation tool) before an incident occurs is strongly advisable.
- Deactivate the user's account if the situation warrants this action.
- Before deactivating, obtain the list of recipients the phish was sent to; you will need it for the quarantine and notification steps below.
- Quarantine the user's incoming email. (Deactivating the account in the first step already prevents further outgoing email from being delivered.)
- Quarantine incoming and outgoing email for all recipients of the phish in your domain.
- Determine which email compromised the account: what has the user clicked on recently that did not behave as expected?
- Which device was the user using when they opened the malicious email?
- Scan that device for malware.
- Determine when the compromise started and what was accessed by reviewing logs: logins from unfamiliar IP addresses or locations, newly created mailbox forwarding rules or filters, and the sent-mail record.
- If assistance is needed, send the full email headers and forward a copy of the phish (as an attachment, so the original headers are preserved) to security@more.net and we will sandbox the email.
- Notify recipients at outside domains.
- Disable the accounts of any users who acted on the phish (clicked the link, entered credentials, or opened the attachment).
- Force a password reset on potentially affected accounts and, where your platform supports it, revoke their active sessions and app tokens, since a password change alone does not end an attacker's existing session.
- Reimage affected device(s).
- If the email was opened on a personal phone, the user should take the phone to their carrier for mitigation, as the apps and MFA on that device may be compromised.
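As an added example for the checklist above (this is not MOREnet's tooling and not part of the original page), the following Python script works through the recipient-listing, quarantine-scoping, outside-domain notification and log-review steps on constructed sample logs. The log layouts, district domain, user, subject line, IP addresses and the "known good" egress prefix are all assumptions; a real Google Workspace or Microsoft 365 export uses different field names, so the `split()` calls would need adapting.

```python
"""Triage of a compromised mailbox from exported logs.

Added example for the checklist above; it is not MOREnet's tooling.
Everything below is constructed for illustration (assumption): the log
layouts, the district domain, the user, the subject line and the
"known good" egress prefix. Real Google Workspace or Microsoft 365 exports
use different field names, so adapt the split() calls accordingly.
"""

OUR_DOMAIN = "example-district.k12.mo.us"            # assumption
COMPROMISED_USER = "jdoe@" + OUR_DOMAIN              # assumption
PHISH_SUBJECT = "Shared document: Payroll update"    # assumption: subject the staff member reported
KNOWN_GOOD_PREFIX = "198.51.100."                    # assumption: district egress addresses

# Constructed sample send log: timestamp sender recipient subject
SEND_LOG = """\
2024-03-11T07:58:10Z jdoe@example-district.k12.mo.us principal@example-district.k12.mo.us Re: field trip forms
2024-03-11T09:14:02Z jdoe@example-district.k12.mo.us asmith@example-district.k12.mo.us Shared document: Payroll update
2024-03-11T09:14:03Z jdoe@example-district.k12.mo.us bjones@example-district.k12.mo.us Shared document: Payroll update
2024-03-11T09:14:05Z jdoe@example-district.k12.mo.us vendor@supplies-example.com Shared document: Payroll update
2024-03-11T09:14:06Z jdoe@example-district.k12.mo.us parent@mail-example.net Shared document: Payroll update
"""

# Constructed sample login/audit log: timestamp user event source_ip
LOGIN_LOG = """\
2024-03-08T06:45:00Z jdoe@example-district.k12.mo.us login_success 198.51.100.20
2024-03-10T22:31:44Z jdoe@example-district.k12.mo.us login_success 203.0.113.77
2024-03-10T22:33:10Z jdoe@example-district.k12.mo.us forwarding_rule_created 203.0.113.77
2024-03-11T06:50:12Z jdoe@example-district.k12.mo.us login_success 198.51.100.20
2024-03-11T09:13:50Z jdoe@example-district.k12.mo.us login_success 203.0.113.77
"""


def phish_recipients(send_log, sender, subject):
    """Recipients of the phish, split into in-domain (quarantine their mail)
    and external (notify their domains)."""
    internal, external = set(), set()
    for line in send_log.splitlines():
        _ts, frm, to, subj = line.split(" ", 3)   # subject may contain spaces, so split at most 3 times
        if frm == sender and subj == subject:
            (internal if to.endswith("@" + OUR_DOMAIN) else external).add(to)
    return sorted(internal), sorted(external)


def domains_to_notify(external_recipients):
    """Outside domains whose administrators should be told about the phish."""
    return sorted({addr.split("@", 1)[1] for addr in external_recipients})


def suspicious_activity(login_log, user, good_prefix):
    """Logins from outside the known network plus any mailbox-rule changes
    (attackers add forwarding rules to hide replies). Returns the earliest
    such timestamp, i.e. the compromise began no later than this, and the events."""
    events = []
    for line in login_log.splitlines():
        ts, who, event, ip = line.split()
        if who == user and (not ip.startswith(good_prefix) or event == "forwarding_rule_created"):
            events.append((ts, event, ip))
    first = min(e[0] for e in events) if events else None   # ISO-8601 UTC strings sort chronologically
    return first, events


if __name__ == "__main__":
    internal, external = phish_recipients(SEND_LOG, COMPROMISED_USER, PHISH_SUBJECT)
    print("quarantine in-domain:", internal)
    print("notify outside domains:", domains_to_notify(external))
    first, events = suspicious_activity(LOGIN_LOG, COMPROMISED_USER, KNOWN_GOOD_PREFIX)
    print("compromise began no later than:", first)
    for ts, event, ip in events:
        print(" ", ts, event, ip)
```

In Google Workspace the same fields come from Email Log Search (or the investigation tool) and the login audit log; in Microsoft 365 from message trace and the unified audit log. The point of the forwarding-rule check is that a password reset alone leaves an attacker-created forwarding rule in place, so it belongs in the log review before the account is handed back.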
Google Workspace for Education Plus instructions: Using the investigation tool
Other Considerations
If this is a spoofed email (the From address was forged) rather than mail actually sent from the compromised account, do you have SPF, DKIM, and DMARC configured, and is your DMARC policy set to quarantine or reject rather than none? See: Email Spoofing.
What other files/data could have been accessed?
Was the password manager compromised?
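Telling a spoofed message apart from one genuinely sent by the compromised account answers the spoofing question above, and the Authentication-Results header (RFC 8601) that your own inbound gateway stamps on each message is the place to look. The following Python script is an added example, not part of the MOREnet page: the three raw messages are constructed samples in the style Google Workspace writes the header, and `OUR_AUTHSERV` is an assumed value that must match the authserv-id your own receiving server writes.

```python
"""Spoofed, or really sent from the compromised account? Read the
Authentication-Results header (RFC 8601) your own inbound gateway stamped.

Added example, not part of the MOREnet page. The three raw messages are
constructed samples (assumption); OUR_AUTHSERV is an assumed value and must
match the authserv-id your own receiving server writes.
"""
import email
import re

OUR_AUTHSERV = "mx.google.com"   # assumption: authserv-id written by the district's inbound gateway

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
POLICY_RE = re.compile(r"dmarc=\w+\s*\(p=(\w+)", re.I)   # published DMARC policy, as reported by the gateway

# Constructed sample 1: all checks pass, so the message really left the district's mail system.
GENUINE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@example-district.k12.mo.us header.s=google header.b=abc123;
       spf=pass (google.com: domain of jdoe@example-district.k12.mo.us designates 192.0.2.10 as permitted sender) smtp.mailfrom=jdoe@example-district.k12.mo.us;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=example-district.k12.mo.us
From: Jane Doe <jdoe@example-district.k12.mo.us>
To: asmith@example-district.k12.mo.us
Subject: Shared document: Payroll update

Please review the attached document.
"""

# Constructed sample 2: forged From address; note the domain publishes p=NONE, so nothing blocked it.
SPOOFED = """\
Authentication-Results: mx.google.com;
       dkim=none;
       spf=fail (google.com: domain of jdoe@example-district.k12.mo.us does not designate 203.0.113.77 as permitted sender) smtp.mailfrom=jdoe@example-district.k12.mo.us;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=example-district.k12.mo.us
From: Jane Doe <jdoe@example-district.k12.mo.us>
To: asmith@example-district.k12.mo.us
Subject: Shared document: Payroll update

Please review the attached document.
"""

# Constructed sample 3: the sender inserted their own "pass" header; our gateway wrote none.
FORGED_HEADER = """\
Authentication-Results: mail.attacker-example.net; spf=pass smtp.mailfrom=jdoe@example-district.k12.mo.us; dkim=pass; dmarc=pass
From: Jane Doe <jdoe@example-district.k12.mo.us>
To: asmith@example-district.k12.mo.us
Subject: Shared document: Payroll update

Please review the attached document.
"""


def trusted_auth_results(msg, our_authserv):
    """Results from the Authentication-Results header whose authserv-id is ours,
    or None. Headers added by other hosts can be forged by the sender, so
    they are ignored rather than trusted."""
    for header in msg.get_all("Authentication-Results", []):
        authserv = header.split(";", 1)[0].strip().lower()
        if authserv != our_authserv.lower():
            continue
        results = {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header)}
        pm = POLICY_RE.search(header)
        results["policy"] = pm.group(1).lower() if pm else None
        return results
    return None


def classify(raw, our_authserv=OUR_AUTHSERV):
    """'authenticated' (sent via an authorized path for the From domain: treat as
    account compromise), 'spoofed' (forged From: fix SPF/DKIM/DMARC), 'unverified'
    (no verdict from our own gateway) or 'inconclusive'."""
    auth = trusted_auth_results(email.message_from_string(raw), our_authserv)
    if auth is None:
        return "unverified"
    spf, dkim, dmarc = auth.get("spf"), auth.get("dkim"), auth.get("dmarc")
    if dmarc == "pass":
        return "authenticated"
    if dmarc == "fail" or (spf != "pass" and dkim != "pass"):
        return "spoofed"
    return "inconclusive"


def dmarc_policy(raw, our_authserv=OUR_AUTHSERV):
    """The From domain's published DMARC policy (none/quarantine/reject) as our gateway saw it."""
    auth = trusted_auth_results(email.message_from_string(raw), our_authserv)
    return auth.get("policy") if auth else None


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED), ("forged header", FORGED_HEADER)):
        print(f"{name}: {classify(raw)} (DMARC policy {dmarc_policy(raw)})")
```

An "authenticated" verdict means the message was sent through a path the domain authorizes, which is exactly the situation the checklist above deals with; a "spoofed" verdict points at the DMARC, DKIM and SPF question instead, and a policy of `none` in that case is the reason the spoof was delivered. The third sample is the caveat: only the header your own gateway wrote is evidence, because anything upstream of it is attacker-controlled text.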
Ongoing user training is a key component of mitigating phishing attempts, as attackers are becoming more sophisticated and a single authenticated account is enough to get past domain-level filtering.
Contact MOREnet Security if you have any questions or need assistance! security@more.net