Stopping the spread of a sophisticated spear phishing attack
Notion Digital Forensics faced a cyber emergency involving a customer of an IT Managed Service Provider (MSP). The customer was a professional services business whose head of marketing had their email compromised by a sophisticated spear phishing scam. The contents of the firm’s Microsoft Office 365 account were copied, and thousands of business contacts were extracted. Those contacts subsequently received a targeted phishing campaign. The situation called for urgent measures to contain the breach, assess its impact, and develop a rapid response plan.
Objectives
Our objectives were to work swiftly with the MSP to determine the extent of the breach, identify any compromised information, and ascertain whether the breach had spread throughout the organisation. Additionally, we sought to provide information rapidly to the customer, enabling them to reach out to the people who had received the phishing emails. The value we provide to MSPs lies in our experience handling numerous breach cases, ensuring our decisions are defensible based on the available information, our experience, and industry best practices. This approach offers the best chance of recovery.
Approach
We commenced an in-depth investigation to pinpoint the origin of the breach and deployed advanced digital forensics tools to analyse the affected systems. By evaluating the company’s Office 365 logs and the computers of targeted staff, we tracked the breach’s progression and its impact on the business. We quickly determined what data had been taken and helped contain the breach rapidly. Furthermore, we provided information to Google and Microsoft to have the phishing URLs blacklisted.
Results
Our investigation identified the initial source of the breach, allowing us to contain it effectively. We found that the intrusion had not spread to other parts of the business, minimising the overall impact. We were able to ascertain the specific information that had been stolen, enabling us to inform the affected customers promptly. By working with providers like Google and Microsoft, we were able to prevent further victims from falling into the trap of the criminals.
Conclusion
Notion Digital Forensics’ timely intervention and comprehensive investigation helped the professional services business mitigate the breach’s effects. Our expertise in digital forensics enabled the company to regain control over their systems, reassure their customers, and safeguard their reputation in a timely manner.