  3. Hey #oss #security folks,

Hey #oss #security folks,

analog_cafe@mas.to wrote (#1):

Hey #oss #security folks,

Someone is running a spear phishing attack against my tiny business, which feels unexpected given the size of my organization (just me).

Could you recommend some simple ways I can stop the attack? It involves extremely well-designed emails from various compromised email addresses that impersonate the SendGrid system and use very plausible messages.

My main concern is that this could evolve into something more sinister. I don't mind blocking all emails containing "SendGrid," but I would rather do something that could make those people move on and not come back.

Thanks so much!

chronovore@infosec.exchange wrote (#2):

@analog_cafe oof - tbh, not sure if there was a specific "do this and they disappear" remedy, sorry. Things to harden your org, however. Short run - make sure your EDR is clued in to the issue, either via IOCs you can harvest from the phish or, if it's a managed service, by letting them know. The 'sinister evolution' will likely take the shape of loading RATs on your endpoints (especially if you're passwordless), which seems to be the next pivot when attackers cannot obtain credentials. Be cautious even with 'safe' tools that aren't specifically RATs, like TeamViewer or ScreenConnect for example.

Other measures - alert on anomalous login activity. What is anomalous depends on your org, but if it's just you, then I would start by alerting on odd geographic logins from unexpected IPs/ASNs, novel UAs, even things outside of 'normal' business hours might be helpful. If you don't have that kind of telemetry then that's a good starting point. Also, alerting on account changes, such as new forwarding rules, is a great way to detect compromise.

Blocking on known bad indicators such as sendgrid will stem the issue for a bit, but attackers pivot, so it's a bit of whack-a-mole. But if you're small enough, and whack enough moles, the attackers leave for easier targets. Unfortunately - one compromise makes never going away worth it.

Likely you're already doing this, but strictly segregate and harden (MFA, alerting etc.) your admin accounts from your user accounts - if attackers compromise your user account they won't get the keys to the whole kingdom.

That's simply the low-hanging fruit; I am certain more capable security folks will chime in, but hopefully this gets you to a relatively safe place.

Hope this is helpful but otherwise good luck!

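The login and account-change alerting chronovore recommends, as an added example that is not part of the thread: a small Python detector run over a constructed event stream. The baseline profile (expected country, home ASN, known user agent, business hours), the event format, the ASN numbers and the user-agent strings are all assumptions for illustration, not data from either post. It goes slightly beyond the reply by also linking a new forwarding rule to an anomalous login that preceded it.

```python
"""Login-anomaly and account-change alerting for a one-person org.

Added example: the baseline profile, event format, ASNs and user-agent strings
below are constructed assumptions, not data from the thread."""
from datetime import datetime, timedelta, timezone

# Constructed baseline for a single-user org; tune it to your own telemetry.
BASELINE = {
    "countries": {"US"},
    "asns": {"AS7922"},                                  # home ISP ASN (constructed)
    "user_agents": {"Mozilla/5.0 (Macintosh) Firefox/128.0"},
    "business_hours": (8, 19),                           # local hours, [start, end)
    "tz_offset_hours": -5,                               # owner's local UTC offset
    "change_window": timedelta(minutes=60),              # link a change to a prior odd login
}

# Constructed sample events in the order the identity provider emitted them.
EVENTS = [
    {"kind": "login", "ts": "2024-05-06T14:02:00Z", "user": "owner", "result": "success",
     "country": "US", "asn": "AS7922", "ua": "Mozilla/5.0 (Macintosh) Firefox/128.0"},
    {"kind": "login", "ts": "2024-05-07T03:15:00Z", "user": "owner", "result": "success",
     "country": "NL", "asn": "AS14061", "ua": "python-requests/2.31"},
    {"kind": "account_change", "ts": "2024-05-07T03:17:00Z", "user": "owner",
     "change": "inbox_rule_created", "details": {"action": "forward", "to": "drop@example.net"}},
    {"kind": "login", "ts": "2024-05-07T14:00:00Z", "user": "owner", "result": "failure",
     "country": "US", "asn": "AS7922", "ua": "Mozilla/5.0 (Macintosh) Firefox/128.0"},
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def within_business_hours(ts, baseline):
    """True if the login falls on a weekday inside the owner's local business hours."""
    local = parse_ts(ts).astimezone(timezone(timedelta(hours=baseline["tz_offset_hours"])))
    start, end = baseline["business_hours"]
    return local.weekday() < 5 and start <= local.hour < end


def login_findings(ev, baseline):
    """Each deviation from the baseline is one finding; individually they are
    cheap signals, in combination they are far more telling."""
    findings = []
    if ev["country"] not in baseline["countries"]:
        findings.append("new_country")
    if ev["asn"] not in baseline["asns"]:
        findings.append("unknown_asn")
    if ev["ua"] not in baseline["user_agents"]:
        findings.append("novel_user_agent")
    if not within_business_hours(ev["ts"], baseline):
        findings.append("off_hours")
    return findings


def account_change_findings(ev):
    """A new forwarding rule is a classic post-compromise persistence step."""
    if ev["change"] == "inbox_rule_created" and ev["details"].get("action") == "forward":
        return ["new_forwarding_rule"]
    return []


def detect(events, baseline=BASELINE):
    """Run the checks over an event stream and return a list of alert dicts."""
    alerts = []
    last_odd_login = {}  # user -> time of the most recent anomalous successful login
    for ev in events:
        if ev["kind"] == "login":
            if ev["result"] != "success":
                continue  # failures alone are noisy; a success from an odd context is what matters
            findings = login_findings(ev, baseline)
            if findings:
                last_odd_login[ev["user"]] = parse_ts(ev["ts"])
        elif ev["kind"] == "account_change":
            findings = account_change_findings(ev)
            prior = last_odd_login.get(ev["user"])
            if findings and prior and parse_ts(ev["ts"]) - prior <= baseline["change_window"]:
                findings.append("follows_anomalous_login")
        else:
            continue
        if findings:
            high = len(findings) >= 2 or "new_forwarding_rule" in findings
            alerts.append({"ts": ev["ts"], "user": ev["user"], "kind": ev["kind"],
                           "findings": findings, "severity": "high" if high else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["severity"].upper(), alert["ts"], alert["kind"], ", ".join(alert["findings"]))
```

Run against the constructed stream, the first login is silent, the second raises a high-severity alert on all four checks at once, and the forwarding rule two minutes later is flagged both on its own and as following that login. The point of recording the last anomalous login per user is the correlation: a forwarding rule is worth a look on its own, but one created minutes after an off-hours login from an unfamiliar network is the pattern worth paging on.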