A successful phishing attack had obtained the password of the head of purchasing department.
This happened while we only had O365 and Microsoft security.
This was the office 365 Password so they had access to his email in the cloud.
We implemented Check Point email protection after the bad guys getting that password but just before they were to commence the main payload of the attack.
So when they started sending lots of emails as that individual to various other individuals both within the organisation and in important government organisations CloudGuard SaaS immediately started marking all of those emails as suspicious and alerted us to this.
It is common practice to implement in monitor only mood for a short while before going into full on prevent so sadly whilst we were alerted to them, those emails actually did go out but we were able to put a stop to it and we had a perfect list of all the suspicious emails which went out and could tell recipients what’s going on.
Since this attack and having gone into full prevent mode (and changed the user’s password) he is still of course under quite extreme attack because they know this is a person whom they have successfully phished previously.
We have seen many and various fishing attempts sent to him which have passed through Microsoft a few admittedly stopped by Microsoft but plenty not. 100% of these have been stopped by CloudGuard SaaS and no false positives for this user. He is on high alert and confirms no new phishing attacks have come through to him since we went in to prevent mode.
On top of this has been implemented the anomalous login feature which has demonstrated that two further users have their passwords compromised at some point in the past and the initial first ‘tester’ login that the bad guys carried out was observed and alerted.
Next we will be able to implement the complex and granular authentication methodologies to ensure that we don’t allow anomalous logon but protect against them in a manner which whilst bringing security does not compromise efficient usability For legitimate users in common situations (ie known user, known machine in a known country - no second factor authentication) - take away any one of those elements and we will automatically request a second for of authentication. This is most likely to be Check Point’s agent on a mobile. It’s the perfect answer to balancing security to usability.
