Hi guys, not sure what’s been going on in the criminal underground but across the board we’ve been receiving reports of a dramatic increase in phishing emails and business email compromise. That’s been across all industries, especially those using Microsoft Office 365 for email. As if we don’t have enough problems, now this!
Although we’ve reached out to the FBI for guidance, what we’ve noticed is that a lot of these emails are coming from a compromised service, specifically notion.so, which is a legitimate service, but they’ve clearly been compromised and are now distributing malicious payloads to users’ mailboxes. Worst of all, these emails have been disguised as people who sent emails in the past.

From: Admin Assistant <trustedemail@domainname.com>
Sent: Wednesday, June 17, 2020 10:18 AM
Subject: FOLLOW UP
Jennifer Vasquez shared a file to you to review, find pdf link below.
Please Follow Ref#BCI02368832<https://www.notion.so/SECUREFILE-957c0d851f1444a39a184489e8a65e07>
This email contains a secure link to Onedrive. Please do not share this email, link, with others. Questions about the Document(s)?
If you need to modify the document(s) or have questions about the details in the document(s), please let me know.

The Takeaway
Step 1 is to figure out if anyone from outside of the country has been able to successfully log into your users’ accounts without permission. To check this, log in to portal.azure.com with your Office 365 credentials and click on Azure Active Directory.


Step 2 is to turn on 2 factor authentication for your Office 365 users. To be fair, this should really be enabled for all of your employees. But, that’s up to you. Either way, it’s easy to turn on: just go to the list of Office 365 users in your account, click on any user to edit and click on Manage multifactor authentication. From that portal you can turn MFA on or off for any of your users. What this is going to do is either text your users a code or require them to approve a login from the Microsoft Authenticator app before they can log into their account. Don’t worry – it won’t ask them to enter a code every time, only when they add a new device to their account. The Authenticator app is free and can be downloaded onto Android or iOS devices, although text messaging is easier if you have to enable this on a lot of accounts at once.
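If you export the sign-in list from Step 1 to a CSV file, the check can be run across every user at once, and it also shows which of those logins got in with a password alone (the accounts Step 2 protects). This script is an added example, not part of the original post; the column names, the sample rows and the default home country of US are assumptions, so adjust them to match the headers in your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names are assumptions about a sign-in
# log CSV export and must be adjusted to match the headers in your file.
SAMPLE_CSV = """Date (UTC),Username,IP address,Location,Status,Authentication requirement
2020-06-17T14:18:02Z,alice@example.com,203.0.113.10,"Columbus, Ohio, US",Success,singleFactorAuthentication
2020-06-17T14:25:40Z,alice@example.com,198.51.100.7,"Lagos, Lagos, NG",Success,singleFactorAuthentication
2020-06-17T15:02:11Z,bob@example.com,198.51.100.9,"Moscow, Moskva, RU",Failure,singleFactorAuthentication
2020-06-17T16:44:59Z,carol@example.com,192.0.2.55,"Toronto, Ontario, CA",Success,multiFactorAuthentication
2020-06-17T17:05:00Z,dave@example.com,192.0.2.77,,Success,singleFactorAuthentication
"""

def country_of(location):
    """Return the last comma-separated field of Location, or '' if unknown."""
    parts = [p.strip() for p in location.split(",") if p.strip()]
    return parts[-1].upper() if parts else ""

def foreign_successes(csv_text, home_countries=("US",)):
    """Group successful sign-ins from outside home_countries by user.

    Rows with no location are kept and labelled UNKNOWN so they get reviewed
    rather than silently skipped.
    """
    home = {c.upper() for c in home_countries}
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"].strip().lower() != "success":
            continue  # failed attempts did not get into the mailbox
        country = country_of(row["Location"]) or "UNKNOWN"
        if country in home:
            continue
        findings[row["Username"].lower()].append({
            "when": row["Date (UTC)"],
            "ip": row["IP address"],
            "country": country,
            # True when only a single factor was required for this sign-in
            "password_only": row["Authentication requirement"] == "singleFactorAuthentication",
        })
    return dict(findings)

if __name__ == "__main__":
    for user, hits in foreign_successes(SAMPLE_CSV).items():
        for h in hits:
            flag = "NO MFA" if h["password_only"] else "mfa"
            print(f'{user}  {h["when"]}  {h["ip"]}  {h["country"]}  {flag}')
```

Any user that shows up with NO MFA from a country where you have no staff should have their password reset and their mailbox rules reviewed before anything else.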



Be on the lookout guys as we have been seeing a lot of this lately. It’s a real problem and if you are in charge of IT, you know how quickly this can get out of control. I encourage you to make sure you have a good security awareness training program in place so that users don’t get duped by these clowns.
Stay safe out there.