TinyInfoSec

Business Email Compromise (BEC) isn't fun for the owner of the compromised mailboxes, or the folks on the receiving end of phish sent from those compromised mailboxes.  This post is for those in the latter camp, a place I've been on a couple of occasions in my career.  In one instance the bad actor got rather ambitious and sent numerous phishing messages to my organization - all were leveraging existing threads in multiple mailboxes, and using at least one of three malicious hyperlinks. Here is how I attacked the problem with Sentinel: We blocked inbound mail from the source to stop the bleeding, and then went about identifying the messages involved: let suspectmessages = ( EmailEvents | where SenderFromDomain contains "sourceofphish.net" ) | summarize by NetworkMessageId; EmailUrlInfo | where NetworkMessageId has_any (suspectmessages) | summarize by Url Of course this could also be done in MS 365 Advanced Hunting, but I was SO HAPPY when email data was add...

If you use KnowBe4 to perform phishing assessments of your company, you know that a handy feature is the map of the world showing where people clicked on assessments.  Under: Phishing > Campaigns > Inactive > (Click on a finished campaign) Scroll down to "Failure by IP Address Location".  If you know all of your staff is based in the Canada and see that someone fell for a phishing message in Madagascar, you're thinking that either someone is on vacation, or the mailbox has been compromised .    Red Alert! Or not.  I had a situation where I had a failure on an IP address in Israel.  I confirmed that the recipient of that message was not on vacation to the middle east and was not using a VPN. This prompted an investigation seeking any suspicious activity involving the user account in question and any suspicious activity or successful logons from unexpected countries.  Passwords were changed, meetings cancelled, and I was JUST about to call ...