Skip to main content
Question

Stop phishing attempts...

  • February 28, 2017
  • 8 replies
  • 42 views
M
Forum|alt.badge.img+20

We are seeing an uptick in phishing emails at the college. In the most recent attack, an attached pdf was used to phish for email user names and passwords. The security team is asking me if I can block a specific file, in this case a pdf, from being opened.

Outside of the obvious security training, which we do and require each user to take an extensive online training to accustom themselves to these things, is there something we can do to protect the user?

Is it possible to block a document from being opened? I know the restricted software area looks for specific process names and we can block that process. Thoughts on how this might be accomplished? We generally know the name of the document in this case, I just don’t know if there is a way to remove it/block it from being opened.

We use Avast and I don't see a way internal to the program to do this either.

Thoughts?

8 replies

C
Forum|alt.badge.img+17
  • CasperSally
  • Honored Contributor
  • February 28, 2017

Does the security team have a way to manage this better via your email server (exchange)?

We've seen similar uptick and handle most of the cleanup/prevention on the mail server side. No matter how much user training you do, there's always a small percentage that clicks the link, opens the attachment, etc.

A
Forum|alt.badge.img+10
  • ammonsc
  • Contributor
  • February 28, 2017

Shouldn't the security team be able to block said attachment within the spam filter, assuming they have one?

If not you could make a policy that uses the search for file by filename feature in "Files and Processes" and then delete from there. We used a similar process using spotlight to create a list of people that had a file that was not supposed to be sent out. We used it as an extension attribute and the dealt with the list as we found it.

#!/bin/bash

UhOh=$(mdfind -count "Bad_FileName")

echo "<result>$UhOh</result>"
A
Forum|alt.badge.img+10
  • ammonsc
  • Contributor
  • February 28, 2017

M
Forum|alt.badge.img+20
  • mconners
  • Author
  • Valued Contributor
  • February 28, 2017

I love it.

As I have been dealing with Adobe packaging and other things today, it didn't even dawn on me that the security team and exchange teams should be coordinating on this. I suspect though, they are searching for secondary lines of defense, just in case. Thanks for all of the quick replies.

C
Forum|alt.badge.img+17
  • CasperSally
  • Honored Contributor
  • February 28, 2017

We had users phished this weekend and I asked over in slack... I'd love a plist in Outlook for Mac to disable links. I think some of our users click through on their phones, but every one we could stop would be a win.

FWIW, you can submit the phishing link to google here:
https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

In my test last week, Chrome blocked the site almost instantly when I did that. I asked Apple if there's anything similar for Safari, too.

acodega
Forum|alt.badge.img+15
  • acodega
  • Valued Contributor
  • February 28, 2017

Security should also be looking at SPF, DKIM, and DMARC on their MX and/or DNS.

M
Forum|alt.badge.img+20
  • mconners
  • Author
  • Valued Contributor
  • February 28, 2017

I have sent some of these ideas over to our security analyst for his viewing pleasure. Thank you everyone for sharing your ideas here.

M
Forum|alt.badge.img+1
  • mkeri
  • New Contributor
  • September 13, 2018

Late to the thread, but this is why JamF should consider hosting their own mailserver for cloud user, as we drop mail with SPF fail*, enrolment emails does not enter. This also make way for enabling DKIM.

*) Yes I can and have added the IP address used currently to resolve the SPF fail.. but thing changes over time

Terms & ConditionsCookie settingsAccessibility statement