Not too long ago, a customer reached out to us with alarming news – a C-level executive in their organization had fallen victim to a phishing attack.
Since they’re using our HIPAA Compliant Email API, they wanted to know if we had any additional solutions for email security that could help them.
I asked our customer contact if they had access to any emails from the phishing attack that they could send us for diagnosis. Minutes later, I got a few.
This post explains how we helped them with their phishing problems.
Problems with Office 365 Email Security
As we’ve seen many times this year, HIPAA organizations (Covered Entities and Business Associates) are submitting HIPAA Email Breach reports to the HHS Wall of Shame because of successful phishing attacks.
An alarming number of those successful phishing attacks are happening to organizations using Office 365 for email.
As you may have guessed, our customer was also using Office 365 for corporate email.
Inspecting the Phishing Attack
When we inspected the phishing attack, we immediately saw that someone in Finance, let’s call them the CFO, got an email purportedly from their CEO, asking them to set up a payment to a vendor.
The “From” address, although it displayed the CEO’s name, actually belonged to a domain called office-secure-ssl-mail-apps-server1099-portal.management.
With names removed, it looked like this:
From: CEO [firstname.lastname@example.org]
Sent: Thursday, June 28, 2018 10:26 AM
Can we setup payment to a vendor today ?
In larger organizations, it only takes a few minutes of scraping the internet to discover names for the entire C-Suite management team.
Since the attacker already had the first and last names of the CFO and CEO, they relied on urgency (notice the word “today”) to make the attack work.
DomainAge: An Effective Method to Combat Phishing Attacks
Phishing attacks like this are nothing new, although Office 365’s repeated inability to stop them is.
Here’s why this phishing attack evaded Office 365:
- The email came from a domain called office-secure-ssl-mail-apps-server1099-portal.management.
- At the time the email was sent, the domain and the IP behind it were not on any blacklists. In other words, office-secure-ssl-mail-apps-server1099-portal.management had a neutral reputation on the internet.
- Within 4-6 hours, most security providers will catch on to this domain and blacklist it.
- But before that happens, the attackers have already registered more domain names and are repeating the same attack under a new, neutral domain name. As an aside, there are domain registrars out there that allow automated domain name registration, which is a topic all unto itself.
- The process repeats over and over again. Using standard detection methods, the good guys can never catch up.
What if, however, you thought about things differently?
Due to our deep domain expertise in email, we’ve already built solutions to phishing attacks like these. One of them is a powerful tool we’ve built in-house called DomainAge.
DomainAge is part of our Inbound Email Security Solution.
Here’s how DomainAge works:
- The same email comes from a domain called office-secure-ssl-mail-apps-server1099-portal.management.
- Paubox does a quick check on the age of the domain.
- Turns out the domain was registered the day before the email was sent.
- Why would anyone be sending email like this from a domain name that was registered yesterday? Paubox immediately quarantines the email, preventing it from reaching the recipient’s inbox.
- Phishing attack stopped in its tracks.
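To make the DomainAge idea concrete, here is an added example (not Paubox’s code, and not how their product is implemented) that applies the same check to the headers quoted above. It parses the sender domain out of an Outlook-style “From:” line, computes how many days the domain had existed when the message was sent, and quarantines anything younger than a threshold. The registration dates come from a constructed table standing in for a WHOIS/RDAP lookup so it runs offline; the 30-day threshold, the sample mailbox names, the placeholder corporate domain customer-org.example and the secondary display-name check are all assumptions.

```python
"""DomainAge-style sender check (added example, not Paubox's implementation)."""
from __future__ import annotations

from datetime import date, datetime
from email.utils import parseaddr
from typing import Callable, Optional

# Constructed WHOIS-style data. The attacker domain is the one named in the post;
# its registration date follows the post ("registered the day before the email was
# sent"). customer-org.example is a placeholder for the customer's real domain.
SAMPLE_REGISTRATIONS: dict[str, date] = {
    "office-secure-ssl-mail-apps-server1099-portal.management": date(2018, 6, 27),
    "customer-org.example": date(2005, 1, 1),
}

MIN_DOMAIN_AGE_DAYS = 30                  # threshold is an assumption for this example
PROTECTED_NAMES = {"ceo"}                 # assumed list of display names worth a second look
ORG_DOMAINS = {"customer-org.example"}    # placeholder corporate domain(s)

RegistrationLookup = Callable[[str], Optional[date]]


def lookup_registration(domain: str) -> Optional[date]:
    """Stand-in for a WHOIS/RDAP query. Returns None when nothing is known."""
    return SAMPLE_REGISTRATIONS.get(domain.lower())


def parse_from(from_header: str) -> tuple[str, str]:
    """Return (display_name, domain) from a From header.

    Outlook renders senders as 'Name [user@domain]'; normalise the brackets so
    email.utils.parseaddr handles both that form and RFC 5322 'Name <user@domain>'.
    """
    normalised = from_header.replace("[", "<").replace("]", ">")
    display, addr = parseaddr(normalised)
    if "@" not in addr:
        return display.strip(), ""
    return display.strip(), addr.rsplit("@", 1)[1].lower().rstrip(".")


def parse_sent(sent_header: str) -> date:
    """Parse the Outlook 'Sent:' format quoted in the post, e.g. 'Thursday, June 28, 2018 10:26 AM'."""
    return datetime.strptime(sent_header.strip(), "%A, %B %d, %Y %I:%M %p").date()


def domain_age_days(domain: str, sent_on: date, lookup: RegistrationLookup) -> Optional[int]:
    """Days between the domain's registration and the send date, or None if unknown."""
    registered = lookup(domain)
    return None if registered is None else (sent_on - registered).days


def assess(from_header: str, sent_header: str,
           lookup: RegistrationLookup = lookup_registration) -> dict:
    """Verdict for one message: 'quarantine' when the sender domain is too new,
    'review' when the age is unknown or a protected display name is used from
    outside the corporate domains, otherwise 'deliver'."""
    display, domain = parse_from(from_header)
    sent_on = parse_sent(sent_header)
    age = domain_age_days(domain, sent_on, lookup) if domain else None
    verdict, reasons = "deliver", []
    if not domain:
        verdict, reasons = "review", ["no usable sender address"]
    elif age is None:
        verdict, reasons = "review", ["registration date unknown"]
    elif age < MIN_DOMAIN_AGE_DAYS:
        verdict = "quarantine"
        reasons = [f"domain registered {age} day(s) before the message was sent"]
    if display.lower() in PROTECTED_NAMES and domain not in ORG_DOMAINS:
        reasons.append(f"display name '{display}' used from a non-corporate domain")
        if verdict == "deliver":
            verdict = "review"
    return {"domain": domain, "age_days": age, "verdict": verdict, "reasons": reasons}


# Constructed headers in the Outlook format quoted in the post. The mailbox names
# are made up; the attacker domain is the one the post names.
PHISH_FROM = "CEO [ceo@office-secure-ssl-mail-apps-server1099-portal.management]"
PHISH_SENT = "Thursday, June 28, 2018 10:26 AM"
LEGIT_FROM = "CEO <firstname.lastname@customer-org.example>"

if __name__ == "__main__":
    for header in (PHISH_FROM, LEGIT_FROM):
        print(assess(header, PHISH_SENT))
```

The key design point is that the decision depends only on data the attacker cannot age on demand: a freshly registered domain has a neutral reputation, but it still has a registration date, so the check works before any blacklist has caught up. In a real gateway the lookup would hit WHOIS/RDAP (with caching, since registrars rate-limit), and an unknown registration date should route to review rather than silently pass.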
Conclusion: Paubox <> Office 365 Integration
We were able to help our customer with their phishing problems by wrapping our HIPAA compliant email solution around their Office 365 setup. With proper preparation, we were able to set up Inbound Email Security for their entire organization in under 30 minutes.