It is a long title but it explains exactly what this post is about.
The instructions for setting up simple but profitable social engineering and phishing email campaigns are easily available across the ordinary internet, not just the dark web. The software required is free, both the malicious stuff and WordPress.
Johannes and Jesse La Grew, on the SANS Internet Storm Diary, have written an excellent post on the construction and execution of a business email compromise attack – of which the first steps are a successful phishing email that led to a form that asked for the user’s Microsoft 365 credentials.
By a successful phishing email, I mean one that has not been recognised as such, so the user has opened the attachment or followed the link to the malicious payload. In the case described, it was a login page that stole the confidential credentials, but it could just as easily have been ransomware installed on the system. To make this worse, the organisation may not have configured its Microsoft 365 user accounts correctly, and the global administrator login may have been handed to the cyber criminals. (We have had to investigate global admin accounts being compromised several times.)
Recognition of social engineering attacks and phishing emails is essential for the best cyber security – and my training course will equip you and your team with those skills… and we will discuss what to do if you are deceived and open that attachment or follow that link.
Remember: to defend effectively against phishing emails you have to get it right 100% of the time – the cyber criminal is hoping you get it wrong just once.
Clive Catton MSc (Cyber Security) – by-line and other articles