
Detecting and Containing Spear Phishing Attacks



Our cyber security experts work around the clock to detect and respond to cyber threats, keeping our customers and society protected. Recent events have indicated a higher risk of spear phishing, a highly sophisticated type of phishing that leads to a high number of successful compromises. A spear phishing attack can be targeted at a specific company or a specific person within that company. In this blog post we share insights from recent incidents and what you need to be aware of.

What happens during a spear phishing attack?

Most phishing starts with an email, but phishing messages can also arrive as text messages, phone calls, or similar communication. In a recent incident examined by NTT Security, an employee in a leading position received an email with a login QR code for Office365. The email seemed legitimate and contained a link to a landing page that imitated the Office365 login page. The fake page acted as an intermediary between the victim and the legitimate Office365 service, so it was able to capture the sign-in tokens as the employee signed in. The victim was unaware that access had just been provided to the victim's email account.

Security analysts at NTT Security discovered that the phishing page was part of the “dadsec” phishing-as-a-service platform, and our team's investigation concluded that the impact was limited to exfiltration of the user's email. The threat actor would likely have caused further damage, but the client team, in collaboration with NTT's experts, rapidly remediated the incident by disabling the affected account, and no further impact was seen.

How do we help our clients with regard to spear phishing?

The incident mentioned above was detected by NTT Security's Managed Detection and Response (MDR) service through alerts fetched from the Microsoft Defender Suite. Our Incident Response team helped the client understand the full extent of the incident, such as the operations carried out by the attacker, by investigating all available telemetry and threat intelligence around the threat actor, and recommended hardening options to avoid further incidents. Our MDR service is integrated with all major security vendors, so we can create more value from your existing security infrastructure.

What is the worst outcome from a spear phishing attack?

The worst-case scenario would be if the stolen credentials are shared across other services and combined with high user privileges, making it possible for the attacker to conduct password resets in order to get access to web pages where the same email address is used for login. The attacker might also use the access to the victim's emails to send impersonation emails to colleagues with, for example, fake invoices. There is also a risk of leakage of sensitive data, for example if the company is publicly listed.

How to detect and defend against spear phishing attacks

1) Monitor and review suspicious account logins to detect and respond to incidents quickly, either through your own Security Operations Center (SOC) or an MDR partner.

2) Recognizing suspicious emails is key to avoid becoming a victim. It is essential to provide continuous training for employees on how to detect phishing.

3) Ensure procedures exist for when incidents do happen, for example through tabletop exercises and established Incident Response partners to contact. Our Incident Response Team works around the clock, always ready to help you. Reach out to our hotline in case of a suspected breach or attack: +468 30 69 70

4) Verify that the page is what it claims to be, and contact your administrator if you are uncertain. Spear phishing can be very convincing, so verify the details on the login page.
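To illustrate point 1 for the intermediary-page scenario described above, here is an added example (not NTT Security's tooling and not part of the original post) that flags a session created from an IP address outside the user's baseline and then reused from a different client shortly afterwards. The event fields, the `KNOWN_IPS` baseline and the one-hour window are assumptions, and the log records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"time": "2024-05-02T08:01:00", "user": "cfo@example.com", "session": "s-100",
     "ip": "198.51.100.10", "agent": "Edge/Windows", "type": "signin"},
    {"time": "2024-05-02T08:30:00", "user": "cfo@example.com", "session": "s-100",
     "ip": "198.51.100.10", "agent": "Edge/Windows", "type": "mail_read"},
    {"time": "2024-05-02T09:14:00", "user": "cfo@example.com", "session": "s-200",
     "ip": "203.0.113.77", "agent": "Edge/Windows", "type": "signin"},
    {"time": "2024-05-02T09:16:00", "user": "cfo@example.com", "session": "s-200",
     "ip": "192.0.2.45", "agent": "Chrome/Linux", "type": "mail_read"},
]
KNOWN_IPS = {"cfo@example.com": {"198.51.100.10"}}  # assumed per-user baseline


def find_suspicious_sessions(events, known_ips, window=timedelta(hours=1)):
    """Return {session: [reasons]} for sessions showing relay or token-replay signs."""
    origin = {}                      # session -> (time, sign-in event that created it)
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["type"] == "signin":
            origin[ev["session"]] = (when, ev)
            # A relayed sign-in reaches the service from the intermediary's address.
            if ev["ip"] not in known_ips.get(ev["user"], set()):
                findings[ev["session"]].append("signin_from_unknown_ip")
            continue
        start = origin.get(ev["session"])
        if start is None:
            continue                 # session began before the log window
        began, first = start
        # Same session, different IP/user agent soon after sign-in: token moved.
        moved = (ev["ip"], ev["agent"]) != (first["ip"], first["agent"])
        if moved and when - began <= window:
            if "session_reused_from_new_client" not in findings[ev["session"]]:
                findings[ev["session"]].append("session_reused_from_new_client")
    return dict(findings)


if __name__ == "__main__":
    for session, reasons in find_suspicious_sessions(EVENTS, KNOWN_IPS).items():
        print(session, reasons)
```

In practice the baseline would come from each user's sign-in history, and a finding would feed the account review and disablement steps described above.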

To find out more about how NTT Security improves your cyber resilience, reach out to our experts today.