SystemExperts Corporation is aware that many companies are seeing spear-phishing attempts in which the emails purport to come from internal employees. We have also heard reports that compromised email accounts have been used to send spear-phishing emails to third parties, and that the owners of the compromised accounts see neither the emails sent on their behalf nor the responses to those emails. As a result, we make the following recommendations:
- Create inbound filters that block email whose sender address contains a valid internal username but carries a domain name that does not match the internal domain name. How to achieve this depends on the particular company's infrastructure; SystemExperts has been able to provide detailed instructions specific to the infrastructure of our clients.
- Create an alert to notify the staff members responsible for email security. The alert should be triggered on the creation of any new mail-processing rule that forwards an employee's email to an external email address, or of any new rule that automatically deletes an employee's email messages based on a regular expression matched against the subject line or message body. Those responsible for security should then review the rules to determine whether the email account has been compromised.
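As an added illustration of the two checks above (it is not SystemExperts' code, and a real deployment would be built into the mail gateway or mailbox-rule audit of the company's own platform): a Python sketch that flags a From: address reusing an internal username under a foreign domain, and lists why a newly created mailbox rule deserves review. The internal domain, the username list and the rule field names are assumptions, and all sample data is constructed.

```python
import re
from email.utils import parseaddr

# Constructed sample data (assumptions, not from the original page).
INTERNAL_DOMAIN = "example.com"
INTERNAL_USERS = {"jsmith", "adoe", "payroll"}


def _split(addr):
    """Return (local_part, domain) of an address header, lowercased; domain is '' if absent."""
    _, addr = parseaddr(addr)
    local, sep, domain = addr.lower().rpartition("@")
    return (local, domain) if sep else (addr.lower(), "")


def _is_internal_domain(domain, internal=INTERNAL_DOMAIN):
    """Treat the internal domain and its subdomains (mail.example.com) as internal."""
    internal = internal.lower()
    return domain == internal or domain.endswith("." + internal)


def is_spoofed_internal_sender(from_header, users=INTERNAL_USERS, internal=INTERNAL_DOMAIN):
    """Recommendation 1: a valid internal username in the sender address, but under a domain
    that is not ours. Such mail is a candidate for the inbound block filter."""
    local, domain = _split(from_header)
    return bool(domain) and local in users and not _is_internal_domain(domain, internal)


def review_reasons(rule, internal=INTERNAL_DOMAIN):
    """Recommendation 2: reasons a newly created mailbox rule should be sent to security staff.
    `rule` is an assumed dict: forward_to (list of addresses), delete (bool),
    subject_regex / body_regex (pattern strings)."""
    reasons = []
    for target in rule.get("forward_to", []):
        _, domain = _split(target)
        if not _is_internal_domain(domain, internal):
            reasons.append(f"forwards mail to external address {target}")
    pattern = rule.get("subject_regex") or rule.get("body_regex")
    if rule.get("delete") and pattern:
        try:
            re.compile(pattern)  # a malformed pattern is still worth a look, so report it too
        except re.error:
            reasons.append(f"delete rule with malformed pattern {pattern!r}")
        else:
            reasons.append(f"auto-deletes messages matching {pattern!r}")
    return reasons


if __name__ == "__main__":
    for hdr in ("John Smith <jsmith@example-mail.net>", "jsmith@mail.example.com"):
        print(hdr, "->", "BLOCK" if is_spoofed_internal_sender(hdr) else "allow")
    # Constructed rule of the kind an attacker with a stolen mailbox tends to create.
    rule = {"forward_to": ["adoe.backup@webmail.example"], "delete": True, "subject_regex": "invoice|wire"}
    print(review_reasons(rule))
```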
In addition, we also recommend the more traditional controls:
- Security awareness training that educates users about spear-phishing and what to look for, including recognizing, avoiding and reporting suspicious emails.
- Enable SPF, DKIM, and DMARC so that receiving systems can check that an email was indeed sent and authorized by the owner of that domain.
- Install, maintain and update current anti-virus controls on all endpoints and email servers, preferably using different anti-virus software on the endpoints than on the servers.