SPF, DKIM, DMARC and Multi-Factor Authentication (MFA)
TL;DR – If you are not sure you have this protection in place, then you should check with your ICT provider or contact us.
Earlier this week, on 14th April at 9:40, an email account belonging to one of our client’s users was compromised. The user responded to a phishing email which contained a link and entered their Microsoft password.
Once the password was entered, the hacker set up a Dropbox account in the user’s name and used Dropbox to send further phishing emails to contacts, each with a link to a file in Dropbox. The file contained a further link which would take anyone clicking it to a fake login page to harvest further credentials. From reports, we can see that the Dropbox emails were being sent from around 11:10.
Within minutes of the email being received, we changed the user’s password and locked and secured the account. The user’s devices were scanned for malware, viruses and remote access tools – none were found.
After the email account was secured, we gained access to the Dropbox account which the attackers had set up in order to “unshare” and delete the file linked in the email. This was at 11:30 am.
The attack was carried out through a VPN provider in Sweden and cannot be traced any further at this time.
Our IT team have been watching the user’s account for any ongoing intrusion attempts, whilst also monitoring the client’s systems for further attempts to compromise other accounts and reviewing audit logs to identify any possible compromised accounts.
Some time ago we set up email security for this client, known as SPF, DKIM and DMARC, which prevents the most outright scam emails from spoofing (faking) our real addresses.
Today we are implementing Multi-Factor Authentication (MFA) for this client to help prevent further fraud such as this from being successful in the future.
We will be reviewing all systems we use to better secure ourselves and our clients against further attacks of this nature.
If you think your business needs help to ensure it’s secure from such attacks, please contact us today.