
Non-technical user mitigations

Technical mitigations

  • add URLs, IPs, etc. of malicious domains to firewall rules/IPS blacklists/router blackholes, etc.
  • use multi-factor authentication [use the last incident as incentive/motivation for implementing]
  • use DNS-based email authentication: SPF and/or DKIM, with DMARC layered on top of them (dmarc.org/overview/)
  • consider requiring remote users to access the mail server/website via VPN only [enforce on the server side]
  • alternatively use geo-fencing: only allow login to email/vpn/ssh services from expected countries/ip ranges
  • anti-malware, anti-spam, anti-phishing, etc. solutions
    • if the solution lets phishing through, take it up with the vendor. If not resolved satisfactorily, change vendors – there are many solutions.
    • how can the filters be improved? Consider a multi-layered approach plus AI-backed (e.g. machine learning) filtering – phishing emails are becoming more and more sophisticated (difficult to detect)
    • enable flagging of suspicious emails – e.g. mail that passed the threshold but not with a clean score – allow it through but notify the user (preferably in the subject line)
    • support scanning of attachments
    • support previewing attachments (e.g. as an image)
  • kill switch to reset all user accounts
  • don’t email cleartext passwords. Use a secure system to store hashes. Use PGP/GPG to encrypt sensitive info that is emailed.
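The SPF/DKIM/DMARC bullet above is where most deployments stop at "published a record" without checking what it actually enforces. The following audit script is an added example, not part of the original notes; the sample TXT records are constructed, and the domain names in them are placeholders.

```python
"""Audit SPF and DMARC TXT records for weak settings (added example, constructed data)."""
import re

# Constructed sample records; example.* domains are placeholders
SPF_OK = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
SPF_WEAK = "v=spf1 a mx include:_spf.example.net ~all"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"

# Mechanisms/modifiers that cost a DNS lookup under the RFC 7208 limit of 10
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/].*)?$", re.I)

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def audit_spf(txt):
    """Return a list of weaknesses found in an SPF record (empty list = fine)."""
    findings = []
    if not txt.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = txt.split()[1:]
    all_terms = [t for t in terms if t.lower().endswith("all")]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1].startswith("+") or all_terms[-1].lower() == "all":
        findings.append("'+all' lets any host pass SPF")  # default qualifier is '+'
    elif all_terms[-1].startswith("~"):
        findings.append("'~all' is softfail only; prefer '-all' once senders are verified")
    lookups = [t for t in terms if LOOKUP_TERM.match(t)]
    if len(lookups) > 10:
        findings.append(f"{len(lookups)} lookup terms exceed the limit of 10 (permerror)")
    return findings

def audit_dmarc(txt):
    """Return a list of weaknesses found in a DMARC record (empty list = fine)."""
    findings = []
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    if tags.get("p", "none") == "none":  # missing p= is treated as monitor-only here
        findings.append("p=none only monitors; move to quarantine/reject after reviewing reports")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    pct = int(tags.get("pct", "100")) if tags.get("pct", "100").isdigit() else 100
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only part of the failing mail")
    return findings
```

Run the two audit functions against the TXT records returned by `dig TXT example.org` and `dig TXT _dmarc.example.org` for your own domain; an empty list means no weak setting was found.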

At user level / endpoints

  • use browsers containing anti-phishing measures – detection of fraudulent sites using a list of known phishing sites + clear warnings (e.g. banners/pop-ups to users)
  • use browser add-ins such as RequestPolicy, Ghostery, DISCONNECT and/or NoScript
  • use email client with built-in malicious email filtering, warnings, etc. (e.g. “this might be spam”)
  • disable macros by default (using group policy if possible)

Post attack

For MS Office 365 / Outlook specifically

University awareness examples

Further reading