Phishing Clean Up Procedure
If a user clicks on a phishing link and the 'Adversary in the Middle (AiTM)' use case is triggered, a logic app automatically revokes the user's active sessions and disables their account.
A notification is sent to the Global Desktop Meeting Group distribution list and to SRG.
Please follow these remediation steps:
- Activate Incident Response (IR) Procedures:
  - Confirm that you are dealing with a real incident and gather incident details.
  - Interview the affected user(s) who clicked on the phishing email.
  - Gather information about what happened, what they saw, and any suspicious activity.
- Identify the Phishing Email:
  - Identify the email with the malicious link or content.
  - Report the phishing email using Phish Alert.
- Inspect Mailbox Rules:
  - Review mailbox rules for any suspicious rules created by attackers.
  - Document, then delete unauthorized or malicious rules.
- Check Multi-Factor Authentication (MFA) Settings:
  - Verify that MFA settings were not modified.
  - Reset MFA registrations if modifications are identified.
- Change User Passphrase:
  - The IT staff should reset the user's passphrase to random characters.
  - Enable the user's account.
  - The user should then reset their own passphrase using the self-service passphrase reset option.
- Document the Incident:
  - Maintain detailed records of the incident, actions taken, and lessons learned.
  - Use this information to improve future incident responses.
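The session below is an added example and is not part of this procedure or of the logic app. It shows the Inspect Mailbox Rules, Check MFA Settings and Change User Passphrase steps as an Exchange Online plus Microsoft Graph PowerShell session. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the operator holds the Exchange and Entra roles required for these actions; the UPN, the lookback window and the authentication method ids are placeholders to be replaced with values from the incident.

```powershell
# Added example, not the procedure's own tooling. Placeholders are marked.
param(
    [string]$Upn = 'affected.user@example.com',   # constructed placeholder; pass the real UPN
    [int]$LookbackDays = 30                        # assumed audit-log window
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All',
    'UserAuthenticationMethod.ReadWrite.All', 'Directory.AccessAsUser.All'

# ---- Inspect Mailbox Rules -------------------------------------------------
# Rules that delete, move or forward mail are the usual way an attacker hides
# replies and password-reset notices, so those are flagged for analyst review.
$rules = Get-InboxRule -Mailbox $Upn
$suspect = $rules | Where-Object {
    $_.DeleteMessage -or $_.MoveToFolder -or
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
}
Write-Host "All rules for $Upn:"
$rules   | Select-Object Name, Enabled, Description | Format-List
Write-Host "Rules with delete/move/forward actions (review these):"
$suspect | Select-Object Name, Enabled, Description | Format-List

# Mailbox-level forwarding lives outside inbox rules; check it in the same pass.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# When and from where the rules were created: unified audit log for the window.
$auditParams = @{
    UserIds    = $Upn
    Operations = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules'
    StartDate  = (Get-Date).AddDays(-$LookbackDays)
    EndDate    = Get-Date
}
Search-UnifiedAuditLog @auditParams | Select-Object CreationDate, Operations, AuditData

# Document first (the export is the record for the Document the Incident step),
# then delete; Remove-InboxRule prompts per rule, so nothing is removed unseen.
$stamp = Get-Date -Format 'yyyyMMddHHmm'
$rules | Export-Clixml -Path ".\inboxrules-$Upn-$stamp.xml"
foreach ($r in $suspect) {
    Remove-InboxRule -Mailbox $Upn -Identity $r.Identity
}

# ---- Check MFA Settings ----------------------------------------------------
# List every registered authentication method. A phone number or Authenticator
# device the user does not recognise, registered after the click, is the
# modification this step looks for.
Get-MgUserAuthenticationMethod -UserId $Upn | ForEach-Object {
    [pscustomobject]@{
        Id     = $_.Id
        Type   = $_.AdditionalProperties['@odata.type']
        Detail = ($_.AdditionalProperties | ConvertTo-Json -Compress)
    }
} | Format-Table -AutoSize

# Reset: remove the unrecognised registration(s). The cmdlet depends on the
# method type; the ids below are placeholders taken from the listing above.
# Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn `
#     -MicrosoftAuthenticatorAuthenticationMethodId '<method-id>'
# Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId '<method-id>'

# ---- Change User Passphrase, then enable the account -----------------------
# Temporary value from the OS CSPRNG; the user replaces it through self-service
# reset, so nobody needs to know it, and ForceChangePasswordNextSignIn makes it
# single-use even if it leaks.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassphrase = [Convert]::ToBase64String($bytes)

# Revoke sessions again in case any were re-established since the logic app ran.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassphrase
    ForceChangePasswordNextSignIn = $true
}
Update-MgUser -UserId $Upn -AccountEnabled:$true

Disconnect-MgGraph | Out-Null
Disconnect-ExchangeOnline -Confirm:$false
```

The order matters: the passphrase is reset while the account is still disabled and only then is the account enabled, so there is no window in which the old credential works on a live account. The rule export and the audit-log output are what the Document the Incident step expects to be kept.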