chronovore@infosec.exchange

Posts

  • Guy who took home $40 million in gold bars from CIA office supply closet is criminally charged with padding his resume.
    chronovore@infosec.exchange

    @mattblaze @CStamp "Gold bars?! No, no, no, I said protein bars! We need protein bars. The ones we keep in the staff kitchen. Where did you even get these?"

    Uncategorized

  • Hey #oss #security folks,
    chronovore@infosec.exchange

    @analog_cafe oof - tbh, not sure if there was a specific "do this and they disappear" remedy, sorry. Things to harden your org however. Short run - make sure your EDR is clued in to the issue either via IOCs you can harvest from the phish, or if it's a managed service letting them know. The 'sinister evolution' will likely take the shape of loading RATs on your endpoints (especially if you're passwordless), which seems to be the next pivot when attackers cannot obtain credentials. Be cautious even with 'safe' tools that aren't specifically RATs like TeamViewer, or ScreenConnect for example.

    Other measures - alert on anomalous login activity. What is anomalous depends on your org, but if it's just you, then I would start by alerting on odd geographic logins from unexpected IPs/ASNs, novel UAs, even things outside of 'normal' business hours might be helpful. If you don't have that kind of telemetry then that's a good starting point. Also, alerting on account changes, such as new forwarding rules, is a great way to detect compromise.

    Blocking on known bad indicators such as SendGrid will stem the issue for a bit, but attackers pivot, so it's a bit of whack-a-mole. But if you're small enough, and whack enough moles, the attackers leave for easier targets. Unfortunately - one compromise makes never going away worth it.

    Likely you're already doing this, but strictly segregate and harden (MFA, alerting etc) your admin accounts from your user accounts - if attackers compromise your user account they won't get the keys to the whole kingdom.

    That's simply the low hanging fruit, I am certain more capable security folks will chime in, but hopefully this gets you to a relatively safe place.

    Hope this is helpful but otherwise good luck!

    Uncategorized security oss
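
Added example, not part of the original post: a minimal detector for the signals the post lists (unexpected country/ASN, novel user agent, logins outside business hours, new forwarding rules). The event schema, field names, baseline values and sample events are all constructed assumptions, not any vendor's log format.

```python
from datetime import datetime

# Constructed per-user baseline; every value here is an illustrative assumption.
UA_KNOWN = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
BASELINE = {
    "alice@example.org": {
        "countries": {"DE"},
        "asns": {64496},              # documentation-range ASN
        "user_agents": {UA_KNOWN},
        "hours": range(7, 20),        # 07:00-19:59, timestamps assumed local
    }
}

# Constructed events in a hypothetical normalized schema, not a vendor log format.
EVENTS = [
    {"ts": "2024-05-06T09:14:00", "user": "alice@example.org", "type": "login",
     "country": "DE", "asn": 64496, "ua": UA_KNOWN},
    {"ts": "2024-05-07T03:02:00", "user": "alice@example.org", "type": "login",
     "country": "BR", "asn": 64511, "ua": "python-requests/2.31.0"},
    {"ts": "2024-05-07T03:05:00", "user": "alice@example.org",
     "type": "forwarding_rule_created", "forward_to": "drop@example.net"},
]

def findings(event, baseline=BASELINE):
    """Return the list of reasons an event deserves an alert (empty if none)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline for this account"]
    reasons = []
    if event["type"] == "login":
        if event["country"] not in profile["countries"]:
            reasons.append("unexpected country")
        if event["asn"] not in profile["asns"]:
            reasons.append("unexpected ASN")
        if event["ua"] not in profile["user_agents"]:
            reasons.append("novel user agent")
        if datetime.fromisoformat(event["ts"]).hour not in profile["hours"]:
            reasons.append("outside business hours")
    elif event["type"] == "forwarding_rule_created":
        own_domain = event["user"].rsplit("@", 1)[1].lower()
        target_domain = event["forward_to"].rsplit("@", 1)[1].lower()
        scope = "internal" if target_domain == own_domain else "external"
        reasons.append(f"new forwarding rule ({scope})")
    return reasons

def triage(events):
    """Keep only events with at least one finding, as (timestamp, reasons)."""
    return [(e["ts"], r) for e in events if (r := findings(e))]
```

Every new forwarding rule is reported, with the external case labelled, since the post treats rule creation itself as the signal.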

  • I hope my kids appreciate that I’m hauling like 10 lbs worth of Swiss, Belgian and German chocolate, along with a party-sized bag of special airport-only Haribo Gummibären.
    chronovore@infosec.exchange

    @wendynather Found it! You might be in luck

    PARENT CODE 63 — UNIFORM PARENT GUIDE
    § 45(g)(7)(B)(iv) — Gratitude Requirements Pertaining to Chocolate Conveyance

    Promulgated pursuant to the General Authority vested in Parents, Guardians, and Other Responsible Adults under the Domestic Provisions Act, as amended.

    WHEREAS, the Transporting Party (hereinafter "Parent," "Guardian," or "The One Who Paid For It") has undertaken, at their sole expense and inconvenience, the procurement and conveyance of one (1) or more chocolate-based confectionery products (hereinafter "the Goods") for the exclusive use, enjoyment, and consumption of the Minor Beneficiary or Beneficiaries (hereinafter "the Child," "the Children," or "You Know Who You Are");
    NOW THEREFORE, it is hereby established, codified, and decreed that any verbal, written, gestural, or otherwise communicated expression by the Minor Beneficiary or Beneficiaries that fails to rise to the standard of genuine, demonstrable, and enthusiastic gratitude — including but not limited to: sulking, shrugging, the utterance of "I wanted the other kind," or any facial expression deemed by the Transporting Party to constitute ingratitude — shall constitute a Class I Violation of Chocolate Receipt Conduct (hereinafter "the Offense").
    § 45(g)(7)(B)(iv)(I) — Remedies and Enforcement

    Upon a finding of the Offense, the Transporting Party shall be empowered to impose, at their sole and unreviewable discretion, one or more of the following corrective measures:

    (a) Full or partial submersion of the offending Minor Beneficiary in a vessel of molten chocolate of no less than milk-chocolate grade;

    (b) The direct and thorough application of said molten chocolate upon the person of the offender, such application to continue until complete coverage is achieved to the satisfaction of the Transporting Party; or

    (c) Such other chocolate-related consequences as the Transporting Party deems proportionate, equitable, and sufficiently dramatic to make a point.

    § 45(g)(7)(B)(iv)(II) — Waiver of Defense
    The Minor Beneficiary expressly waives the following defenses: (i) "I said thank you in my head," (ii) "It was the wrong brand," and (iii) "I was going to say thank you." No such waiver shall be considered valid unless submitted in writing, notarized, and accompanied by a hug.

    Uncategorized