Stop phishing attempts...

mconners
Valued Contributor

We are seeing an uptick in phishing emails at the college. In the most recent attack, an attached pdf was used to phish for email user names and passwords. The security team is asking me if I can block a specific file, in this case a pdf, from being opened.

Outside of the obvious security training, which we do and require each user to take an extensive online training to accustom themselves to these things, is there something we can do to protect the user?

Is it possible to block a document from being opened? I know the restricted software area looks for specific process names and we can block that process. Thoughts on how this might be accomplished? We generally know the name of the document in this case, I just don’t know if there is a way to remove it/block it from being opened.

We use Avast and I don't see a way internal to the program to do this either.

Thoughts?


CasperSally
Valued Contributor II

Does the security team have a way to manage this better via your email server (exchange)?

We've seen similar uptick and handle most of the cleanup/prevention on the mail server side. No matter how much user training you do, there's always a small percentage that clicks the link, opens the attachment, etc.

ammonsc
Contributor II

Shouldn't the security team be able to block said attachment within the spam filter, assuming they have one?

If not, you could make a policy that uses the search for file by filename feature in "Files and Processes" and then delete from there. We used a similar process using Spotlight to create a list of people that had a file that was not supposed to be sent out. We used it as an extension attribute and then dealt with the list as we found it.

#!/bin/bash

# Jamf extension attribute: ask Spotlight how many indexed items match the
# attachment's name (a bare query matches any metadata field, not just the file name).
UhOh=$(mdfind -count "Bad_FileName")

# Jamf reads the value back from the <result> tags.
echo "<result>${UhOh}</result>"
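Building on ammonsc's approach, the script below is an added example (not the poster's script and not Jamf's own code) of a fuller extension attribute / policy script: it counts exact-name matches under the user folders, and when run with DO_QUARANTINE=yes it moves the copies into a root-only folder under a new name so they can no longer be double-clicked. The attachment name Bad_FileName.pdf, the /var/quarantine path and the DO_QUARANTINE switch are all assumptions; the find fallback exists so the logic also runs where mdfind is absent.

```shell
#!/bin/bash
# Added example, not ammonsc's script and not Jamf-provided code.
# Reports how many copies of a named phishing attachment exist under /Users
# and, optionally, quarantines them.

BAD_NAME="Bad_FileName.pdf"          # placeholder: the attachment name from the security team
SEARCH_ROOT="/Users"                 # where attachments land (Downloads, Desktop, Mail cache)
QUARANTINE_DIR="/var/quarantine"     # assumed location; created mode 700 so users cannot reopen
DO_QUARANTINE="${DO_QUARANTINE:-no}" # assumed switch: "yes" moves files instead of only counting

# Print the full path of every file whose name matches exactly. Uses Spotlight
# on macOS (same mechanism as mdfind -count above); falls back to find where
# mdfind is absent so the logic can be exercised on a Linux test box.
find_bad_files() {
  local name="$1" root="$2"
  if command -v mdfind >/dev/null 2>&1; then
    mdfind -onlyin "$root" "kMDItemFSName == \"$name\""
  else
    find "$root" -type f -name "$name" 2>/dev/null
  fi
}

# Number of matching files under $2 (0 when none, or when $2 does not exist).
count_bad_files() {
  find_bad_files "$1" "$2" | wc -l | tr -d ' '
}

# Move every match into $3, appending a counter so the original name (and an
# exact-name Spotlight match) no longer applies. Prints the number moved.
quarantine_bad_files() {
  local name="$1" root="$2" qdir="$3" list moved f
  mkdir -p "$qdir"
  chmod 700 "$qdir"
  list=$(mktemp)
  find_bad_files "$name" "$root" > "$list"
  moved=0
  while IFS= read -r f; do
    [ -f "$f" ] || continue
    mv "$f" "$qdir/$(basename "$f").$moved"
    moved=$((moved + 1))
  done < "$list"
  rm -f "$list"
  echo "$moved"
}

if [ "$DO_QUARANTINE" = "yes" ]; then
  echo "<result>$(quarantine_bad_files "$BAD_NAME" "$SEARCH_ROOT" "$QUARANTINE_DIR") moved</result>"
else
  echo "<result>$(count_bad_files "$BAD_NAME" "$SEARCH_ROOT")</result>"
fi
```

As an extension attribute the count mode gives you the same list of affected Macs that ammonsc describes; the quarantine mode belongs in a policy scoped to that list, since an extension attribute should not change the machine it inventories.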

mconners
Valued Contributor

I love it.

As I have been dealing with Adobe packaging and other things today, it didn't even dawn on me that the security team and exchange teams should be coordinating on this. I suspect though, they are searching for secondary lines of defense, just in case. Thanks for all of the quick replies.

CasperSally
Valued Contributor II

We had users phished this weekend and I asked over in Slack... I'd love a plist in Outlook for Mac to disable links. I think some of our users click through on their phones, but every one we could stop would be a win.

FWIW, you can submit the phishing link to google here:
https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en

In my test last week, Chrome blocked the site almost instantly when I did that. I asked Apple if there's anything similar for Safari, too.

adamcodega
Valued Contributor

Security should also be looking at SPF, DKIM, and DMARC on their MX and/or DNS.
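To make adamcodega's pointer concrete, here is an added example (not the poster's, not from any vendor tool) that sanity-checks what a domain publishes: the qualifier on the SPF "all" mechanism, the DMARC policy, and whether a DKIM selector record still carries a key. The record strings are constructed samples so the checks run offline; fetch_txt shows how to pull live records with dig, which is assumed to be installed. The checks are deliberately simple: include: chains and DMARC alignment are not evaluated.

```shell
#!/bin/bash
# Added example, not adamcodega's code. Offline checks of SPF / DMARC / DKIM
# records; sample records below are constructed for illustration.

# Fetch a TXT record as one line (dig assumed present; not used by the samples).
fetch_txt() {
  dig +short TXT "$1" 2>/dev/null | tr -d '"' | paste -s -d ' ' -
}

# Value of tag $2 in a "tag=value; tag=value" record $1 (empty when absent).
tag_value() {
  printf '%s\n' "$1" | tr -d ' ' | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# True when tag $2 appears at all, even with an empty value.
has_tag() {
  case ";$(printf '%s' "$1" | tr -d ' ');" in *";$2="*) return 0;; *) return 1;; esac
}

# What the domain tells receivers to do with mail from unlisted hosts.
spf_all_qualifier() {
  local rec="$1" tok
  case "$rec" in v=spf1*) ;; *) echo "not-spf"; return;; esac
  for tok in $rec; do
    case "$tok" in
      '-all') echo "fail"; return;;
      '~all') echo "softfail"; return;;
      '?all') echo "neutral"; return;;
      '+all'|'all') echo "pass"; return;;   # +all lets anyone pass SPF
    esac
  done
  echo "missing"
}

# The p= policy: none (monitor only), quarantine or reject.
dmarc_policy() {
  local p
  case "$1" in v=DMARC1*) ;; *) echo "not-dmarc"; return;; esac
  p=$(tag_value "$1" p)
  [ -n "$p" ] && echo "$p" || echo "missing"
}

# A DKIM record with an empty p= means the key was revoked (RFC 6376).
dkim_key_state() {
  if ! has_tag "$1" p; then echo "missing"; return; fi
  [ -n "$(tag_value "$1" p)" ] && echo "present" || echo "revoked"
}

# One-line verdict: "ok" only when SPF rejects unlisted hosts (hard or soft),
# DMARC enforces, and the selector still has a key; otherwise list what is weak.
assess_records() {
  local q p k
  q=$(spf_all_qualifier "$1"); p=$(dmarc_policy "$2"); k=$(dkim_key_state "$3")
  case "$q:$p:$k" in
    fail:reject:present|fail:quarantine:present|softfail:reject:present|softfail:quarantine:present)
      echo "ok";;
    *) echo "weak (spf=$q dmarc=$p dkim=$k)";;
  esac
}

# Constructed samples: a well-configured domain and a typical neglected one.
assess_records 'v=spf1 include:_spf.example.net -all' \
               'v=DMARC1; p=reject; rua=mailto:dmarc@example.net' \
               'v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC'
assess_records 'v=spf1 ip4:192.0.2.10 +all' \
               'v=DMARC1; p=none' \
               'v=DKIM1; k=rsa; p='
```

For a live domain, feed the three records in with `fetch_txt example.net`, `fetch_txt _dmarc.example.net` and `fetch_txt selector._domainkey.example.net`; the DKIM selector name is whatever the mail platform publishes and has to be known in advance.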

mconners
Valued Contributor

I have sent some of these ideas over to our security analyst for his viewing pleasure. Thank you everyone for sharing your ideas here.

mkeri
New Contributor

Late to the thread, but this is why Jamf should consider hosting their own mail server for cloud users: as we drop mail with SPF fail*, enrolment emails do not get through. This also makes way for enabling DKIM.

*) Yes, I can and have added the IP address currently used to resolve the SPF fail, but things change over time.