Protecting Your School From The Latest Phishing Scam

Share This

Around January 29th 2019 a wide range of phishing emails were sent to schools across the country and continue to spread like wildfire. The scam works a little like this;

  • User receives phishing email asking to ‘Click here to display message”
  • User is redirected to a fake login page telling them their session has expired (or variation of)
  • User logs in with email and password
  • The ‘Hacker’ now has these credentials
  • The compromised email account is used to send emails to as many people on the contact list as possible, often replying to past emails with the same subject line, making the victim believe it is a legitimate email.
  • The process is repeated & due to the nature of schools, most users will collaborate with other schools, hence why 100’s of schools are receiving these messages.

 

Protecting User Accounts

You’d think a common phishing scam would be easily flagged up by your email provider, according to Microsoft  “We’ve built multiple spam filters into your Office 365 or Exchange Online Protection (EOP) service, so your email is protected from the moment you receive your first message.” – Apparently not.

Two/Multi-Factor Authentication (MFA)


One of the greatest things you could do to protect your email accounts is to enable Multi-Factor Authentication, okay it can be a pain in the backside having to open your phone app everytime you want to log in on a new device, but it will protect you from other people logging into your account.

To enable MFA head to your Office365 Admin > Users

Under ‘More’ you will find setup Azure MFA

Here you can select which users you would like to enable MFA for, if you want to enable it for all staff you can use the Update in Bulk tool

Blocking emails based on regular expressions


Another way to protect your users is to add a quarantine filter based on regular expressions in order to catch known spam.

In this current attack the emails have contained the school name, time and a date in long format like this:

Your domain would be substituted with the first part of your domain name, stripping the TLD for example Yourschool.lancs.sch.uk would just be Yourschool.

Because the date and time will change each time, Edugeek user Katy has provided the following regex codes to block emails based on the regular expression.

(DomainNamesHere) \d{2} \d{2}-([a-zA-Z]{3,9})-\d{4}.

\d{2}:\d{2}:\d{2} \d{2}-([a-zA-Z]{3,9})-\d{4} \((DomainNamesHere)\)

[13][a-km-zA-HJ-NP-Z1-9]{25,34}\s

(Yourdomain) \d{2}:\d{2}:\d{2} \d{2}-([a-zA-Z]{3,9})-\d{4}

Now you may be wondering what this means (like i was), the \d{2} means any digit between 0-9 and that there must be 2 of them {2} – This equates to the time so \d{2}:\d{2}:\d{2} could be any time between 00:00:00 & 99:99:99. ([a-zA-Z]{3,9}) is the month section, so any letters between 3 and 9 characters long, the \d{4} is the year, so any digits 0-9 and there must be 4 of them.

I know that probably will not make much sense but have a play on Regexr.com and you should understand pretty quickly.

To add these head to EAC (Exchange Admin Centre) and click ‘Mailflow’

Click create new rule

On the pop-ip, give the rule a name and click more options

Apply rule if: The subject or body matches: these text patterns

(this is where you enter the regex patterns, one at a time)

Do the following, redirect the message to hosted quarantine

This should catch most of the current wave of spam emails. To check your quarantine go here > https://protection.office.com/#/quarantine

WARNING: This could also catch legitimate emails, i would monitor the quarantine closely and allow any that may be false positives. 

 

Configuring Outbound Spam Policy


This for me is one of the more ‘Useless’ settings but worth configuring none the less. As stated earlier, Office365 has built in spam protection (allegedly), there is a ‘Default outbound spam policy’ but unfortunately its not as configurable as you’d expect.

Enter the Exchange admin center (EAC), navigate to Protection > Outbound spam, and then double-click the default policy.

Here you can enable the two options and have any emails marked as spam sent to your inbox

Send a copy of all suspicious outbound email messages to the following email address or addresses.

This will not block the messages but will give you an indication of which accounts are sending spam.

Removing spam that has already made it to users mailboxes


Unfortunately our school was hit, one of the compromised accounts send the email to ‘All staff’ as well as certain staff individually. To avoid further damage i deleted the offending emails from all users mailboxes in the hope that i could remove it before they had chance to click the link.

To do this in Exchange Online (o365) follow these steps..

  1. Head over to Exchange Admin Center > Permissions > Admin Roles.

You will need to add your admin account to the following four admin roles, you can do this by double clicking and choosing ‘members’

Compliance Management | Discovery Management | Organisation Management | Recipient Management

Once you are a member of these groups, head over to Security & Compliance admin centre > Search & Investigation > Content Search

Hit New Search

You can tweak the search criteria based on the email you are trying to remove, if you know who has sent it, and what date, enter their email as the sender and the date they sent it

Once you’ve added the criteria based on the email you’re trying to remove, click Specific Locations (modify) and select the one which contains Exchange/Onedrive/Sharepoint

Save and Run.

After the search has finished you should have a preview of the messages it’s found. If you’ve recently added your permissions it could take up-to 4 hours before you can use the preview feature.

If you are happy the emails you want to delete have been found then continue, if not tweak your search til you find them.

Over to Powershell..

For the next part you will need to use Powershell. Open and elevated powershell window and type the following

$UserCredential = Get-Credential

You will receive a prompt, enter your O365 admin credentials.

Next you should enter the following command

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $UserCredential -Authentication Basic -AllowRedirection

You now need to set the execution policy to bypass, you can do this with

Set-executionpolicy Bypass

Choose Yes

Run the next 2 commands

Import-PSSession $Session -AllowClobber -DisableNameChecking

$Host.UI.RawUI.WindowTitle = $UserCredential.UserName + ” (Office 365 Security & Compliance Center)”

Now you are ready to delete the contents of the search, to do this use the following command, replace ‘Your Search’ with the name of your content search

New-ComplianceSearchAction -SearchName “Your search” -Purge -PurgeType SoftDelete

Choose Yes.

The emails that were found in your content search will now be removed from all users mailboxes.

 

Did you enjoy this article?
Signup today and receive free updates straight in your inbox. We will never share or sell your email address.

Leave a Reply

Your email address will not be published. Required fields are marked *