Closed Captioning Closed captioning available on our YouTube channel

How to defend Office 365 from spear-phishing attacks

CSO Online | Jan 30, 2019

Configure Office 365 to detect email-delivered malware.

Copyright © 2019 IDG Communications, Inc.

Susan Bradley here for CSO Online. I wanted to bring to your attention something I spotted in recent Windows Defender advanced threat protection alert. They talked about a zero day flash that was used in a spear phishing attack. Adobe released a zero day patch for this on December 5th of 2018. The target attack was against a medical institution in Russia. The vulnerability titled up CV 2018 15982 had an interesting attack sequence. And it highlighted to me a number of mitigations that one should use to block such attacks. The attacks started with the spear phishing attack. As the site Knowb4 points out a whopping 91 percent of cyber attacks and resulting data breaches begin with a spear phishing email. Spear phishing e-mails are actually a targeted e-mail at a specific individual or department with an organization that appears to be from a trusted source. As a result it's very hard to defend. It's not impossible, but is hard to detect. So here's how this attack played out. Spear phishing email consisted of a rar archive file containing two files. The first was a lure document an enticing email and the second was an archive file just disguised as jpeg file. Once the user opened the document an active ex flashed control was activated. That ran a command script that unzipped the archive file and ran the payload. In this instance a scheduled task was created to start a backdoor whenever the user logged in. It collected vital system information and then uploaded that information to a hard coded command and control IP address server every five minutes.
The backdoor was set to be able to receive instructions that could be loaded into memory. There are several ways you can mitigate this attack as well as defend a little bit more and also review your your email account to see if has been compromised. Some of the more usual ways that you can determine if your account has been compromised is if you see suspicious activity. Other users in your environment receive emails from the compromised count. You see in box rules that you didn't set. The user display name might be changed. The user's mailbox is blocked from sending email. The sent folders contain common hacked account messages like I'm stuck here send money. There's been unusual profile changes unusual credential changes mere mail forwarding has been added. Again anything that just seems odd. Make sure you empower your end users to tell you of unusual events they see in their mailbox. Next you obviously want to patch for the exploit but again we can't always have patches available so we also need to know how and what things to do to protect. Just in case. For example on Windows 10 you can enable Windows Defender System guard and exploit protection capabilities in Windows 10. Next you can turn on cloud delivered protection and automatic sample submission in Windows Defender antivirus. This uses artificial intelligence and machine learning to identify new patterns. And of course you want to make sure your office ATP settings are available advanced threat protection.

You want to make sure the advanced threat protection safe links and advanced protect protection settings safe sends are set, You want to turn on attack surface reduction rules in Windows 10 to limit the executable activity. You may need to review if you're licensed and able to do this you will need Windows Defender ATP and require Windows 10 enterprise E5. Bottom line I want you to think about in terms of when you will be attacked. Not if you will be attacked. If you plan with that in mind you will be safer in the long run. So now before you were at risk. Think of all of the ways that you can harden your systems. Until next time. This is Susan Bradley for CSO Online insider.

Featured videos from