Last week Monday, minutes before lunch, I received an email with an invoice link in it from a colleague of mine. That email and the repercussions from that email gave me a very busy week.
Looking at the email I quickly determined that the email was a legitimately sent email, but also knew that the sender would never have sent me an invoice. I was instantly suspicious of the email.
Work I had done over the previous 2 years guaranteed that the email address was not spoofed. It meant that the user account credentials had been compromised. I immediately disabled their user account and rang the person to inform them that they had been hacked.
Unfortunately, 1300 emails had gone out before I disabled the account. Over the course of the coming days we have had to reset the username and passwords of about 2 dozen people. The link in the email was to a malicious website that asked for your username to view the document. You never see the document, but you give your username and password away.. We don’t know how many are unwittingly compromised.
The invoice email was a lure into a sophisticated spear phishing attack. After an account is compromised, the criminals sit and harvest information for days or weeks. During this time, they could gain access to an eBay, PayPal or Amazon accounts. Then start the attack again on others in OM. Ultimately, the criminal is attempting to get money by falsifying bank transfers.
This is not an isolated event. We have had this occur 4 times in a couple of weeks. I have worked with Microsoft to see what we can do to reduce our exposure to these attacks and I think we are making good progress.