We are seeing an uptick in phishing emails at the college. In the most recent attack, an attached PDF was used to phish for email user names and passwords. The security team is asking me if I can block a specific file, in this case a PDF, from being opened.
Outside of the obvious security training, which we do and require each user to take an extensive online training to accustom themselves to these things, is there something we can do to protect the user?
Is it possible to block a document from being opened? I know the restricted software area looks for specific process names and we can block that process. Thoughts on how this might be accomplished? We generally know the name of the document in this case, I just don’t know if there is a way to remove it/block it from being opened.
We use Avast and I don't see a way internal to the program to do this either.
Does the security team have a way to manage this better via your email server (Exchange)?
We've seen similar uptick and handle most of the cleanup/prevention on the mail server side. No matter how much user training you do, there's always a small percentage that clicks the link, opens the attachment, etc.
Shouldn't the security team be able to block said attachment within the spam filter, assuming they have one?
If not, you could make a policy that uses the search for file by filename feature in "Files and Processes" and then delete from there. We used a similar process using Spotlight to create a list of people that had a file that was not supposed to be sent out. We used it as an extension attribute and then dealt with the list as we found it.
#!/bin/bash
# Jamf extension attribute: count Spotlight matches for the search string
UhOh=$(mdfind -count "Bad_FileName")
echo "<result>$UhOh</result>"
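An added example, not part of the original post: a variant of the extension attribute above that matches the exact file name, lists each path found, and falls back to `find` when Spotlight returns nothing (indexing disabled or the folder excluded). `BAD_NAME`, `SEARCH_ROOT` and the function names are assumptions for illustration.

```shell
#!/bin/bash
# Added example, not the original poster's script.
# BAD_NAME and SEARCH_ROOT are placeholder values (assumptions).
BAD_NAME="${BAD_NAME:-Bad_FileName.pdf}"
SEARCH_ROOT="${SEARCH_ROOT:-/Users}"

# Print one path per line for files named $2 (case-insensitive) under $1.
find_bad_file() {
    local root="$1" name="$2" hits=""
    if command -v mdfind >/dev/null 2>&1; then
        # Spotlight: exact file name match, limited to the search root.
        hits="$(mdfind -onlyin "$root" "kMDItemFSName == \"$name\"c" 2>/dev/null || true)"
    fi
    if [ -z "$hits" ]; then
        # Spotlight found nothing or is unavailable: walk the tree instead.
        # Note: find treats the name as a glob pattern.
        hits="$(find "$root" -type f -iname "$name" 2>/dev/null || true)"
    fi
    printf '%s' "$hits"
}

# Emit the extension attribute: match count on the first line, then the paths.
ea_result() {
    local hits count
    hits="$(find_bad_file "$1" "$2")"
    if [ -z "$hits" ]; then
        count=0
    else
        count="$(printf '%s\n' "$hits" | wc -l | tr -d ' ')"
    fi
    printf '<result>%s\n%s</result>\n' "$count" "$hits"
}

ea_result "$SEARCH_ROOT" "$BAD_NAME"
```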
I love it.
As I have been dealing with Adobe packaging and other things today, it didn't even dawn on me that the security team and Exchange teams should be coordinating on this. I suspect, though, they are searching for secondary lines of defense, just in case. Thanks for all of the quick replies.
We had users phished this weekend and I asked over in Slack... I'd love a plist in Outlook for Mac to disable links. I think some of our users click through on their phones, but every one we could stop would be a win.
FWIW, you can submit the phishing link to Google here:
In my test last week, Chrome blocked the site almost instantly when I did that. I asked Apple if there's anything similar for Safari, too.
Late to the thread, but this is why Jamf should consider hosting their own mail server for cloud users, as we drop mail with SPF fail*, enrolment emails do not enter. This also makes way for enabling DKIM.
*) Yes, I can and have added the IP address used currently to resolve the SPF fail... but things change over time