The Dangers of Phishing: A Real-Life Incident and the Importance of Cybersecurity

In today’s digital landscape, cyber attacks have become a persistent threat, targeting individuals and organizations alike. The recent high-profile attacks on companies like M&S and Co-op have highlighted the devastating impact these breaches can have. I want to share a real-life incident we recently experienced to underscore the dangers of phishing and the critical importance of taking cybersecurity seriously.

A Close Call: Our Recent Phishing Incident

In the last few days, our organization faced a sophisticated phishing attack that resulted in a confirmed account compromise. The attacker managed to gain unauthorized access to one of our user accounts, leading to a series of suspicious activities. Here’s a brief overview of what happened:

  • The attacker first gained access through a phishing page that tricked the user into entering their login details, including their multi-factor authentication (MFA) code, which was then used against the genuine login straight away.
  • The attacker then used the resulting access to sign in from unusual locations, including the Netherlands and Australia, shortly after a legitimate sign-in from the UK: two countries within a window too short for physical travel, the pattern usually called “impossible travel”.
  • They attempted to change security settings to establish long-term access and tried to use PerfectData Software, a third-party OAuth application that is frequently abused to bulk-export mailbox contents.
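The two indicators in the list above, a successful sign-in from a second country too soon after the previous one and a user consenting to an unexpected OAuth application, can both be hunted for in exported Entra ID logs. The Python below is an added example written for this page, not code or tooling from the incident or from Microsoft; the records are constructed in the shape of the Graph `signIn` and `directoryAudit` resources (documentation IP ranges, city-centre coordinates), and the approved-application set, the 900 km/h speed threshold and the 100 km minimum distance are assumptions to adjust for your own tenant.

```python
"""Hunt for impossible travel between successful sign-ins and for user consent
granted to OAuth applications outside an approved set, over exported Entra ID
sign-in and audit logs. Example code for this article, not the author's tooling."""
from __future__ import annotations

import math
from datetime import datetime, timezone
from itertools import groupby

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly an airliner; faster is not travel
MIN_DISTANCE_KM = 100.0           # assumption: ignore geolocation jitter inside one metro area

# Constructed sample records in the shape of Entra ID sign-in logs (Graph `signIn`).
# Not the real records from the incident.
SIGNIN_LOG = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-05-12T08:00:00Z",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB", "geoCoordinates": {"latitude": 51.5074, "longitude": -0.1278}}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-05-12T08:55:00Z",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB", "geoCoordinates": {"latitude": 51.5074, "longitude": -0.1278}}},
    # twelve minutes after the genuine UK sign-in, the phished session is used from the Netherlands
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-05-12T09:07:00Z",
     "ipAddress": "198.51.100.23", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "NL", "geoCoordinates": {"latitude": 52.3676, "longitude": 4.9041}}},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-05-12T11:20:00Z",
     "ipAddress": "192.0.2.77", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "AU", "geoCoordinates": {"latitude": -33.8688, "longitude": 151.2093}}},
    # bob: a failed attempt from abroad (wrong password) must not pair with his real UK sign-in
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-05-12T09:00:00Z",
     "ipAddress": "192.0.2.78", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "AU", "geoCoordinates": {"latitude": -33.8688, "longitude": 151.2093}}},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-05-12T09:10:00Z",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "GB", "geoCoordinates": {"latitude": 51.5074, "longitude": -0.1278}}},
]

# Constructed sample records in the shape of Entra ID audit logs (Graph `directoryAudit`).
AUDIT_LOG = [
    {"activityDisplayName": "Consent to application", "activityDateTime": "2025-05-12T09:15:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "PerfectData Software"}]},
    {"activityDisplayName": "Consent to application", "activityDateTime": "2025-05-12T10:00:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "carol@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Microsoft Teams"}]},
    {"activityDisplayName": "Update user", "activityDateTime": "2025-05-12T10:05:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
     "targetResources": [{"type": "User", "displayName": None}]},
]
APPROVED_APPS = {"Microsoft Teams"}   # assumption: your tenant's own allow-list goes here


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(signins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive *successful* sign-ins by one user that would require travelling
    faster than max_speed_kmh. Failed attempts (errorCode != 0) are dropped first so a
    password spray from abroad cannot pair with the user's genuine sign-in."""
    ok = sorted((s for s in signins if s["status"]["errorCode"] == 0),
                key=lambda s: (s["userPrincipalName"], s["createdDateTime"]))
    alerts = []
    for user, group in groupby(ok, key=lambda s: s["userPrincipalName"]):
        events = list(group)
        for prev, cur in zip(events, events[1:]):
            p, c = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(p["latitude"], p["longitude"], c["latitude"], c["longitude"])
            if km < min_km:
                continue
            hours = (_ts(cur["createdDateTime"]) - _ts(prev["createdDateTime"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["location"]["countryOrRegion"],
                               "to": cur["location"]["countryOrRegion"], "to_ip": cur["ipAddress"],
                               "km": round(km), "hours": round(hours, 2), "speed_kmh": round(speed)})
    return alerts


def unapproved_consents(audit, approved_apps):
    """Users who consented to a service principal that is not in approved_apps."""
    return [
        {"user": e["initiatedBy"]["user"]["userPrincipalName"], "app": t["displayName"],
         "when": e["activityDateTime"]}
        for e in audit if e["activityDisplayName"] == "Consent to application"
        for t in e["targetResources"]
        if t.get("type") == "ServicePrincipal" and t.get("displayName") not in approved_apps
    ]


if __name__ == "__main__":
    for a in impossible_travel(SIGNIN_LOG):
        print(f"IMPOSSIBLE TRAVEL {a['user']}: {a['from']} -> {a['to']} "
              f"({a['km']} km in {a['hours']} h, {a['speed_kmh']} km/h) from {a['to_ip']}")
    for c in unapproved_consents(AUDIT_LOG, APPROVED_APPS):
        print(f"CONSENT {c['user']} granted {c['app']!r} at {c['when']}")
```

Feed it real exports (for example from `Get-MgAuditLogSignIn` and `Get-MgAuditLogDirectoryAudit` in the Microsoft Graph PowerShell module, or a CSV/JSON download from the Entra admin center). Entra ID Protection raises its own atypical-travel risk detection, but running the check yourself over the whole window, and over every user rather than the one already known to be compromised, is how the other targeted users get found.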

This incident was a stark reminder of how quickly and easily a phishing attack can compromise an account and potentially lead to data theft.

The Role of MFA and the Swiss Cheese Model

We have MFA enforced for all users, which is widely recognized as one of the best lines of defense against unauthorized access. However, this was real-time phishing (often automated as an adversary-in-the-middle proxy): the attacker waited for the user to enter their MFA code on the fake page and then immediately used it against the genuine login to access our systems. This highlights that while MFA is a crucial security measure, it is not infallible. A one-time code or push approval can be relayed in this way; phishing-resistant methods such as FIDO2 security keys, passkeys or Windows Hello for Business bind the credential to the genuine site’s origin, so a look-alike page cannot replay them. The scenario exemplifies the “Swiss cheese model” of security: there are multiple layers of defense, each with its own holes, and a breach happens when the holes line up.

The Broader Context: Recent High-Profile Attacks

Our experience is not unique. Recently, major companies like M&S and Co-op have also fallen victim to cyber attacks, causing significant disruptions and financial losses. These incidents serve as a wake-up call for all organizations to prioritize cybersecurity and implement robust measures to protect their digital assets.

Taking Cybersecurity Seriously

In response to the phishing attack, we are taking several steps to mitigate the impact and prevent future occurrences:

  • Forensics Investigation: We are conducting a thorough investigation to determine what data was exfiltrated. This forensic report will incur costs, but it’s worth the expense to find out how compromised we were.
  • Mailbox Cleanup: We are deleting any malicious items from all mailboxes and blocking the sender domain.
  • Conditional Access Policies: We are adding policies to block access from locations outside the UK. Geo-blocking raises the bar rather than removing the risk, because an attacker can route through a UK VPN or residential proxy, so it belongs alongside sign-in risk policies and session revocation rather than in place of them; a block policy of this kind also needs an excluded break-glass account so that a geolocation error cannot lock out every administrator.
  • Device Replacement: We are replacing the compromised user’s devices as they may have been infected with malware or other harmful software.

Ongoing Security and Hardening Projects

To further enhance our security posture, we are actively working on several projects:

  • Microsoft 365 E5 Upgrade: One of the key measures that helped detect this incident was our recent upgrade to Microsoft 365 E5, which includes an advanced security toolset.
  • FortiEDR and FortiGate Firewalls: We are implementing FortiEDR and FortiGate firewalls to provide enhanced endpoint detection and response, as well as robust network security.
  • FortiSASE Investigation: We are also investigating the implementation of FortiSASE to further strengthen our security infrastructure.

Through our investigation, we found several other users who had been targeted and blocked them. One of these users had also input their details, and we have run forensics to check if they have been compromised. I also sent a company-wide email to all users explaining the situation and asking everyone to heighten their vigilance.

Conclusion

Phishing attacks and other cyber threats pose a significant risk to both individuals and organizations. The recent high-profile attacks and our own experience underscore the importance of vigilance and robust security measures. By sharing this real-life example, we hope to raise awareness about the dangers of phishing and encourage everyone to take proactive steps to protect their digital assets.

Stay safe and stay vigilant!
