They get more and more believable – I’m ashamed that I followed one of them a few months back. The email came from my company’s HR and asked me to provide feedback on my manager – and I had a lot of feedback. So I clicked the URL; it took me to a page that basically demonstrated that our company SSO system had failed again and that I needed to enter my domain credentials…. Then I realized the page was outside of my company’s area of control.
I can say that for years I considered myself an experienced security expert who could easily spot spam emails – not anymore after such a tragic failure.
Office 365 can be considered mainstream today. The product (or cloud offering) has extensive mechanisms to protect end users from different attacks. One item I looked at this week was Advanced Threat Protection (ATP) Safe Links.
We got ATP Safe Links enabled a few days back for my customer’s whole organization. Basically it wraps each URL inside an email message in a different URL pointing to Microsoft’s anti-malware filtering engine. For example, if the original URL in the message is
then it will be replaced with something that looks like this
Now I’ll go through a short description of the steps we took to deal with a phishing attack that happened to one of my customers yesterday:
- Level III Support received a message forwarded by the Helpdesk, which they had got from one of the users.
- Safe Links had just been implemented and the Helpdesk was concerned about the unusually long URL. So we educated them through the following URL
- However, Safe Links had not blocked the address (as it wasn’t flagged as suspicious or known malicious). That took us to the wonderful phishing page inviting users to enter their AD credentials because “IT is performing a system upgrade”. The page was so plain that it was very believable.
- The first action we took was to block the phishing URL (not the Safe Links URL but the target) on the firewall – it gave us some sense of ease. Still, a lot of users would be using external access (laptops, mobile devices etc.), and their attempts to follow the URL would not be blocked.
- Next we needed to see how many users had received that email. Office 365 has a set of PowerShell cmdlets, (New/Start/Get)-ComplianceSearch, that let you get the count and list of users who received a specific email based on subject and sender (I believe the search can be narrowed further). In our case several hundred users had received the email.
- Additionally, after receiving the appropriate approvals, we were able to remove the found phishing emails from users’ mailboxes using the New-ComplianceSearchAction PowerShell cmdlet.
- The IT communication unit created an email that explained the attack and asked the affected users to change their passwords. We had the list of recipients but didn’t know whether the URL had been clicked and credentials entered. In general it’s a good idea to ask your users to reset their passwords anyway.
- Then, reflecting on the event, I thought there should be some way to track the users who clicked on the URL. After a few minutes of digging, Safe Links URL tracking appeared in my search. The beauty of it is that we can get a list of users who clicked on the URL both inside and outside the corporate network. Regardless of the user’s location, users are forwarded to the Office 365 website first, and even when the URL looks safe to Microsoft the clicks are recorded anyway (see the screenshot).
- The last thing: besides the company firewall, the URL can be manually added to Office 365 and blocked globally through ATP Safe Links.
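The search-and-purge part of the steps above, written out as an added example (not the post’s own script): it assumes the ExchangeOnlineManagement module, an account holding the eDiscovery Manager and Search And Purge roles, and uses placeholder subject/sender values because the post does not give the real ones.

```powershell
# Added example: find who received a phishing message and, once approved, purge it.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account has
# the eDiscovery Manager and Search And Purge roles. Subject and sender are PLACEHOLDERS.
$SearchName      = "Phish-$(Get-Date -Format 'yyyyMMdd-HHmm')"
$PhishSubject    = 'REPLACE WITH EXACT MESSAGE SUBJECT'   # placeholder
$PhishSender     = 'sender@example.invalid'               # placeholder
$ApprovedToPurge = $false   # flip to $true only after the removal has been approved

Connect-IPPSSession   # Security & Compliance PowerShell session

# KQL content query: exact subject AND sender. Add e.g. received:YYYY-MM-DD to narrow it.
$Query = "subject:`"$PhishSubject`" AND from:$PhishSender"
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll until the search has run across all mailboxes
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
} while ($Search.Status -ne 'Completed')
"Total matching items: $($Search.Items)"

# SuccessResults is one multi-line string of the form
# "Location: user@contoso.com, Item count: 1, Total size: 12345"; keep mailboxes with hits.
$Recipients = $Search.SuccessResults -split '[\r\n]+' | ForEach-Object {
    if ($_ -match 'Location: (?<mbx>\S+), Item count: (?<n>\d+)' -and [int]$Matches.n -gt 0) {
        $Matches.mbx
    }
} | Sort-Object -Unique
$Recipients | Out-File "$SearchName-recipients.txt"   # hand this list to IT communications
"Mailboxes holding the message: $($Recipients.Count)"

# Removal: SoftDelete moves items to Recoverable Items so they can be restored if the
# search was too broad; HardDelete is irreversible. Only run after approval.
if ($ApprovedToPurge) {
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete
    Get-ComplianceSearchAction -Identity "$($SearchName)_Purge" | Format-List Name, Status, Results
}
```

Test the query against a known-good copy of the message first; a `-ContentMatchQuery` that is too loose will purge legitimate mail from every mailbox in `-ExchangeLocation All`.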
To summarize – on first try the ATP Safe Links mechanism failed to detect the malicious website URL and didn’t block it. Also, the complex Safe Links-generated URLs confused users. However, with Office 365 ATP controls and the ability to run a compliance search and apply actions (such as removing the phishing email from the Exchange system), you have a lot of tools at your fingertips to help fight attacks and investigate the consequences.