Pratum Blog

Phishing attack via a text or SMS message.

When people think about social engineering in 2018, the two most popular forms that come to mind are email phishing and pretexting phone calls. For years, individuals have been on the receiving end of targeted and widespread social engineering campaigns, primarily through those two vectors. However, social engineers are constantly changing their tactics and looking for new ways to solicit information from people. A third category of social engineering that is quickly gaining popularity is phishing through SMS text messages, or SMiShing for short. This attack vector is increasingly dangerous because text messaging is so personal; we are more apt to respond to and trust a text message, even one from a random number, than we are to open a suspicious-looking email.

My Recent Experience with an SMS Message Phishing Attack

Recently, I received a text message from an unknown number containing my full name and asking the simple question “how are you?” Well, this is quite an interesting text message to receive, especially since it contained my full legal name. Already a little suspicious, I responded with “Hello, who is this?” to validate that it wasn’t someone I had recently met. The conversation that ensued between me and a “Mr. A Morgan” was very clearly an engagement with a social engineer. Not a bot, but a real human. I knew and understood immediately that this text message was not legitimate, but I proceeded with the conversation to accomplish a few objectives: consume this person’s time so it could not be spent targeting other individuals, and learn how social engineers are trying to steal money/information in 2018 via this avenue of communication.

[Image: screenshot of the actual SMS phishing conversation sent to Matthew McGill's phone]

Keep an Eye Out for These SMiShing Tactics

Social engineers will use many tactics to try to coerce information out of us, attempting to catch our eye through tempting offers or the use of fear. The following points are a series of tactics that social engineers may employ to obtain such information.

  • Social engineers know how people work and operate, so they very clearly and intentionally craft attacks to play on some of our biggest psychological fears and wants. They also understand that not everyone will “buy into” their scheme, so they tend to stay broad in their language. Avoid ambiguous texts that fail to mention specific locations, organizations, websites, names, etc.
  • Mention of Western Union. For whatever reason, payments through Western Union tend to be the most popular form of money transfer in such attacks. If a text message says to “wire money” via Western Union, this should cause you to raise an eyebrow.
  • Never click on links or navigate to unknown websites as prompted by an attacker. Websites pose a much greater risk to you and your personal information.

Response to SMiShing and Other Forms of Social Engineering

How are we to respond if we feel like we’ve received a suspicious text message, phone call, or email? Here are just a few ways to respond to such attacks, including actionable steps to lower your risk and ensure personal, private information is never leaked.

  • Responding to an SMS message does not inherently put you at risk. However, this is to be avoided at all costs; the less conversation that is sent back and forth, the less likely you will fall into some sort of trap.
  • If you are ever suspicious about a text message you receive, block the number immediately. There are websites and online tools, such as the FTC Complaint Assistant ( https://www.ftccomplaintassistant.gov/#crnt&panel1-1 ) website, that allow you to report unwanted and unwarranted phone numbers.
  • Always attempt to validate the identity of the individual you are communicating with. No financial institution or software company will ever contact you and request information. It never hurts to ask further questions about who you are speaking with. Never give out personal or digital information unless identity has been established.

Conclusion

Social engineering is nothing new, and yet it continues to be one of the most attempted and successful ways attackers obtain information. It is important to stay alert to these attacks and their evolution in an ever-increasing digital age. Knowing the risks associated with personal forms of communication can help you stay ahead of the curve and avoid leakage of proprietary business intelligence. It is very important to take a proactive, risk-based approach to social engineering and the various phishing attack vectors. Pratum offers a suite of services ranging from security awareness training to the actual execution of ethical social engineering campaigns to address these concerns and help your organization mitigate its overall risk.

Secure Iowa Conference 2018 Keynote Speaker Tony Sager

Iowa’s Largest Information Security Conference Announces Tony Sager as Keynote Speaker

Date: Tuesday, October 9, 2018

Location: FFA Enrichment Center, 1055 SW Prairie Trail Parkway, Ankeny, Iowa 50023

Secure Iowa Conference, the annual Iowa-based information security conference hosted by ISSA Des Moines and presented by Pratum, announces Tony Sager – retired National Security Agency (NSA) Information Assurance professional and current Senior Vice President and Chief Evangelist for the Center for Internet Security - as keynote presenter for its October 9th event.

In his keynote presentation Making Best Practice Common Practice: the CIS Controls, Sager will discuss how the vast majority of cyber problems that plague us today could have been prevented by actions, technologies and policies that are already known or currently exist in the marketplace.

Sager says, “The challenge is that you can’t find those “best practices” on your own to learn from them. Or just as likely, you are overwhelmed by the “Fog of More” - competing expert opinions, vendor claims, and overwhelming regulatory or compliance requirements.”

In this talk, Tony will walk through the CIS response to this challenge - the CIS Critical Security Controls. We’ll show how a broad community comes together to understand threats, translate them into action, and sustain an ecosystem of volunteers, tools, vendors, working aids, and information to help us all improve our cybersecurity.

Secure Iowa Sessions

Tony Sager will kick off the event, but he is only the beginning of an exciting day filled with continuing education in the areas of information security, IT risk management, compliance and privacy. The following is a list of session tracks, which will feature various speakers throughout the day. Attendees may attend any of the presentations. Selecting a track is not necessary… the tracks are simply created to help guide attendees in their selection process.

SESSION TRACKS
  • Application and Infrastructure Security
  • Security Testing and Investigation
  • IT Risk Management and Audit

This is a unique opportunity for security, privacy and audit professionals in Iowa to gather for a time of education and networking. For more information, visit SecureIowaConference.com.


Microsoft Office 365 Security Best Practices and Recommendations

Introduction

Organizations that leverage Microsoft 365’s default settings are at risk. The default configuration provides insufficient audit settings and security protection for most organizations. For instance, in recent months Business Email Compromise has been on the rise, specifically targeting users within Exchange 365. If a successful compromise occurs, the default audit settings are configured to record very little data that can be used in a forensic investigation. Pratum highly recommends that the following guide be reviewed and adhered to as needed.

Enable Audit Logging

Event data containing critical information, such as user and system activity, changes, and authentication details, is extremely important to capture so that threats can be detected, especially when performing an investigation. An administrator must manually enable the “Office 365 audit log search.” This feature may record user and admin activity for 90 days; however, it is best to validate which retention settings are configured based on licensing/configuration. This data can, and typically should, be piped to a security information and event management (SIEM) solution for additional monitoring and correlation.

Reference: Enabling Audit Logging

Use the Security & Compliance Center to turn on audit log search
  • In the Security & Compliance Center, go to Search & investigation > Audit log search.
  • Click Start recording user and admin activities.
Enabling auditing via PowerShell
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Validate whether auditing is enabled/disabled via PowerShell
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

Enable Mailbox Auditing

In Office 365, administrators should enable mailbox audit logging to record mailbox access activity. By default, mailbox auditing is disabled. If a security incident occurs, there may be very little data, if any, regarding an attacker’s activity. However, once audit logging is enabled, the audit log can be searched for mailbox activity. Additionally, when mailbox audit logging is turned on, some actions performed by administrators, delegates, and owners are logged by default. It is recommended to enable, at a minimum, the default logs as well as the actions in the referenced commands below; however, each organization should determine what logging level is needed.

Reference: Enabling Mailbox Auditing, Mailbox Auditing Actions

Enabling auditing via PowerShell for all user mailboxes in your organization
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
Increasing audit levels via PowerShell for all user mailboxes in your organization
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete","MoveToDeletedItems"}
Validate whether auditing is enabled/disabled via PowerShell
A value of True for the AuditEnabled property verifies that mailbox audit logging is enabled.
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit*
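The two audit sections above tell you what to enable; the following added example (not from the Pratum guide) turns them into a single readiness check that reports every mailbox still missing the recommended settings, so the gaps can be closed with the Set-Mailbox commands shown. It assumes an existing Exchange Online PowerShell session and uses the same owner action list the guide adds.

```powershell
# Added example, not part of the Pratum guide. Assumes Connect-ExchangeOnline has
# already been run with an account that can read tenant and mailbox audit settings.
function Get-AuditGap {
    # Tenant-wide switch behind "Start recording user and admin activities".
    $unifiedOn = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    if (-not $unifiedOn) {
        Write-Warning "Unified audit log ingestion is disabled; enable it before anything else."
    }

    # Owner actions the guide adds on top of the default mailbox audit set.
    $requiredOwnerActions = @("MailboxLogin", "HardDelete", "SoftDelete", "MoveToDeletedItems")

    $mailboxes = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"}
    foreach ($mbx in $mailboxes) {
        # Any required owner action not present in this mailbox's AuditOwner list.
        $missing = @($requiredOwnerActions | Where-Object { $mbx.AuditOwner -notcontains $_ })

        if (-not $mbx.AuditEnabled -or $missing.Count -gt 0) {
            [pscustomobject]@{
                Mailbox             = $mbx.PrimarySmtpAddress
                AuditEnabled        = $mbx.AuditEnabled
                MissingOwnerActions = ($missing -join ", ")
                AuditLogAgeLimit    = $mbx.AuditLogAgeLimit   # retention applied to mailbox audit entries
            }
        }
    }
}

# Usage: list the gaps, then remediate with the guide's Set-Mailbox commands.
Get-AuditGap | Format-Table -AutoSize
```

A mailbox that appears in the output with AuditEnabled set to True but a non-empty MissingOwnerActions column needs only the -AuditOwner addition, not the full enable.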

Enable and Enforce Multi-Factor Authentication

Pratum highly recommends the use of multi-factor authentication. User accounts are compromised daily, resulting in increased risk of losing control of key data and information. Business email compromise and credential harvesting attacks are a constant threat to an organization. One of the best security defenses to thwart this loss is requiring users to use multi-factor authentication (MFA) to access key systems, such as email and file sharing. MFA can significantly decrease the success of an attacker’s tactics even when they compromise the user’s password, as they would also need to compromise the additional factor. These additional factors can take many forms, such as a hard token or an application on a smart device. There exist multiple methods and solutions for multi-factor authentication for Microsoft 365, and the configuration options will vary depending on licensing. Azure, Intune, and Enterprise Mobile Device Management plans offer additional capabilities when deploying or enforcing this security feature.

Reference: Enabling Azure Multi-factor Authentication, Requiring MFA for Intune Enrollment

Conditional Access Policies

Administrators can review and enforce additional restrictions or relax certain policies such as multi-factor authentication requirements when users are accessing resources from a trusted location or compliant device. These scenarios increase the likelihood the user accessing the resource is trusted and therefore decrease the security requirements needed to authorize the user. This feature works very well to find the right balance between security and convenience. Furthermore, restricting access from locations and devices that employees should never be logging in from can also be enforced and alerted against. An Azure AD Premium license is required for use of conditional access policies.

Reference: Configuring Conditional Access Policies, Azure AD License Comparison

Mobile Device Management

Mobile device management (MDM) should be reviewed and understood by each organization, ensuring the proper policies are defined and agreements are in place for employees of the business. Exchange Administration can be configured to define policies on which devices/users can communicate with the email servers. Policies to enforce compliance with company requirements such as device encryption should be enabled, along with controls on which devices can connect. For additional features and control, plans can be purchased for Microsoft Intune and/or Enterprise Mobility Security.

Reference: MDM for Office 365 versus Microsoft Intune

Exchange Administration

Configuring Exchange Email Encryption Rule

Users that are communicating via email, and have an E3 or higher license, can leverage Office 365’s Message Encryption feature. An administrator can also define a mail flow rule to encrypt email messages that contain a keyword in the subject. Encryption with Rights Protection can be leveraged to limit the ability of users that receive encrypted messages to forward them to unintended recipients or print them, and to restrict access to them to a defined time window.

Reference: Define a Mail Flow Rule to Encrypt Email

Define Spoofing Filter Rule

A rule can be created via the Exchange Admin Center to set the spam confidence level (SCL) to ‘9’ if the message sender’s address domain belongs to any of the organization’s valid domains and the message is received from ‘Outside the organization.’ A spoofing filter rule definition will help limit the number of phishing emails that are delivered.

Configure DMARC and SPF Records to Validate Email

Implementing DMARC (Domain-based Message Authentication, Reporting and Conformance) with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) is recommended for all organizations. These features provide an additional layer of protection against spoofing and phishing emails. They can also help to reduce the risk of business email compromise attacks. DMARC settings will tell the Exchange servers what to do with messages that were transmitted with the organization’s domain that fail SPF or DKIM validation checks.

A DMARC TXT Record also helps to prevent spoofing and phishing attacks by verifying the IP address of an email's author against the alleged owner of the sending domain. The DMARC TXT record identifies authorized outbound email servers. The destination email server can validate the message that originated from the authorized outbound email servers.

An SPF record is used to define the IP addresses that are authorized to transmit email for a given domain. This way, if an attacker spoofs the organization’s domain from an IP address not on the list, delivery to the recipient can fail automatically.

DKIM should be configured once the SPF and DMARC records have been created. DKIM adds a digital signature to each email message’s header information. It is highly recommended that the DMARC settings are reviewed and deployed with careful consideration so as not to disrupt intended mail flow.

Reference: Define DMARC to Validate Email

Define DMARC Failure Rule

After DMARC is configured for an organization, a rule should be created in the Exchange Admin Center to determine where mail that fails DMARC validation is sent. A definition can be created such as ‘Deliver the message to the hosted quarantine’ if the ‘authentication-results’ header contains “dmarc=fail”, the sender’s address domain portion belongs to any of the organization’s valid domains, and the message is received from ‘Outside the organization.’ Under Additional properties, the Sender address matches option should be set to Header.

Define Data Exfiltration Rule Restrictions

Business email compromise can result in attackers configuring mailbox forwarding rules to send a copy of email outside of the organization to a third-party email domain. Employees may also desire to send copies of emails to personal email accounts. These forwards reduce the overall security of the organization. A rule can be created in the Exchange Admin Center to reject any such messages and include an explanation that client forwarding rules to external domains are not permitted. This rule can be defined if a message is sent ‘outside the organization’, the message type is ‘auto-forward’, and the email is received from ‘inside the organization.’ It may also be beneficial to configure alert definitions based on these conditions to ensure an account was not compromised. An alert definition can be defined while creating the rule to email a notification to the defined contact upon triggering.
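The spoofing filter, the DMARC failure rule and the data exfiltration rule described in the three sections above are all Exchange mail flow (transport) rules, so the following added example (not Pratum's code) creates all three with New-TransportRule instead of clicking through the Exchange Admin Center. It assumes an existing Exchange Online PowerShell session, and $OwnedDomains and $SecurityContact are placeholders to be replaced with the organization's own domains and notification mailbox.

```powershell
# Added example, not part of the Pratum guide. Assumes Connect-ExchangeOnline has
# already been run with an account holding the Transport Rules role.
$OwnedDomains    = @("example.com", "example.net")   # placeholder: the tenant's accepted domains
$SecurityContact = "secops@example.com"              # placeholder: mailbox that receives incident reports

# 1. Spoofing filter: external mail whose header From domain is one of ours gets SCL 9
#    (treated as high-confidence spam by the spam filter policy).
New-TransportRule -Name "Spoof filter: own domain from outside" `
    -FromScope NotInOrganization `
    -SenderDomainIs $OwnedDomains `
    -SenderAddressLocation Header `
    -SetSCL 9 `
    -Comments "Flags external mail that claims an internal sender domain"

# 2. DMARC failure rule: quarantine external mail for our domains whose
#    Authentication-Results header records dmarc=fail. Only meaningful once the
#    SPF, DKIM and DMARC DNS records from the previous section are published.
New-TransportRule -Name "DMARC fail: quarantine" `
    -FromScope NotInOrganization `
    -SenderDomainIs $OwnedDomains `
    -SenderAddressLocation Header `
    -HeaderContainsMessageHeader "Authentication-Results" `
    -HeaderContainsWords "dmarc=fail" `
    -Quarantine $true `
    -Comments "Hosted quarantine for mail that fails DMARC for our own domains"

# 3. Data exfiltration rule: reject client auto-forwards leaving the organization
#    and send an incident report so a compromised mailbox is noticed quickly.
New-TransportRule -Name "Block external auto-forward" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external domains is not permitted." `
    -GenerateIncidentReport $SecurityContact `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetection `
    -Comments "A forwarding rule added by an attacker after BEC trips this rule"

# Review the result: confirm the three rules exist, are enabled, and note their priority order.
Get-TransportRule |
    Where-Object { $_.Name -in "Spoof filter: own domain from outside", "DMARC fail: quarantine", "Block external auto-forward" } |
    Format-Table Name, State, Priority -AutoSize
```

Test each rule in a pilot before enforcing it tenant-wide: the spoofing filter in particular will catch legitimate third-party services that send as your domain unless they are covered by SPF/DKIM.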

Configure Connection Filters

Enabling the safe list of IP addresses that are permitted for each respective domain can help prevent trusted senders from being blocked.

Reference: Connection Filters

Configure Alert Policies

Configuring alert policies can help track user and administrator activities, malware threats, and data loss incidents within each organization. Alerts should be defined for malware incidents, email forwarding/redirect rules, anomaly detection, and suspicious activity at a minimum. It is highly recommended event data is also transmitted to a SIEM solution for correlation and long-term event storage.

Manage Office 365 Secure Score

Microsoft Secure Score will help analyze each organization’s Office 365 security based on administrative activities, audit the security settings, and make recommendations. A score is then provided based on the settings and is re-evaluated on an ongoing basis. Secure Score is a fantastic tool that will help you understand and evaluate how you are offsetting risk by leveraging the various security features across 365. It is highly recommended that all of the results are evaluated and considered for your organization. *Note: Settings should be carefully reviewed, and exceptions may need to be made so as not to disrupt mail flow for legitimate emails which are being spoofed intentionally.

Reference: Secure Score Overview

Security & Compliance Features

There exists a multitude of features, highlighted below, within Microsoft 365 that should be reviewed and configured with appropriate settings. Each of these features should be used in accordance with the business’s IT security requirements; the following should also be considered/configured within the Security and Compliance section.

Data Loss Prevention – Policy protection to assist with identifying and protecting sensitive data.

Data Governance – Assists with classifying content, defining retention rules and data destruction.

Classifications – Labels can be applied to email or documents to enforce policies such as retention settings or sensitivity.

Data Privacy – GDPR requirements and individuals’ access to their personal data.

Threat Management – Threat tracking and attack simulators can be performed to assess risk.

Customer Lockbox

Customer lockbox requests allow organizations to control how a Microsoft support engineer accesses company data when necessary to do so. It is available through the E5 plan or with the advanced compliance license. This feature should be enabled if available.

Reference: Enable Customer Lockbox

Summary

Microsoft has millions of users leveraging Microsoft Office 365, with expectations of over two thirds of its business customers being in the cloud by 2019. Microsoft leverages a defense-in-depth approach in an effort to adhere to operational best practices and provide physical, logical, and data layer protections. These layers help to protect all individuals that leverage 365; however, it is the responsibility of each organization that uses 365 to ensure its tenant is also implemented and configured securely. Each business has the responsibility to review, configure and tune the appropriate settings within the various areas of Microsoft 365’s services to ensure proper risk tolerance levels are met.

For assistance with evaluating your organization’s risk or cyber security needs, please contact Pratum at 515-965-3756.
