Executive Summary

Kriston Technology Limited successfully intervened when a client’s supplier suffered a phishing attack that compromised their Microsoft 365 account, resulting in the unauthorised sending of phishing emails and disruption of normal email operations. Leveraging their expertise, Kriston Technology not only secured their own client but also assisted the affected supplier by removing the attacker’s access, recovering deleted emails, and restoring normal email functionality. Their swift and professional response provided reassurance and peace of mind to the supplier’s Managing Director, prevented further spread of the attack, and demonstrated the value of proactive, expert-led cyber security support for SMEs.

In The Client’s Words

The Business Challenge

“I really didn’t know what was going on, other than I was sending out phishing emails, and I didn’t know which way to turn. Thankfully, Kriston Technology stepped in and offered assistance, without a second thought. They were patient and extremely competent and handled the incident with skill. Thank you.”
 

Cyber Essentials

After the detection of a phishing attack on one of our clients, we followed the chain of attack back to its source. The attack involved a compromised supplier. When we alerted them to the issue, they were aware that something was going on, but with no IT support and limited IT experience in-house, they were at a loss as to what to do and how to investigate the issue.
They’d spoken to a local IT company that had fixed their computers in the past and the advice given was to turn off Wi-Fi and disconnect from the Internet.

We’ve seen similar attacks and resolved Microsoft 365 account breaches in the past, and this incident had the look and feel of a classic account breach. 


The Kriston Technology Approach

Kriston Technology Limited not only verified that our client was safe and secure but also offered assistance to the supplier in question, to help remove the hacker’s access from their systems and investigate the compromise that led to the phishing attack on our client.

1. Verify our existing client was secure and protected

Our first course of action was to check for further deliveries of the phishing email, put a block in place on the domain, document the URL involved in the phishing attack to share with our cyber group, and put a block on the URL within our Endpoint Detection and Response solution to prevent anyone from accessing malicious content.

Within Microsoft 365 we then zapped (deleted) the emails from mailboxes and reached out to any users affected. During the course of the investigation, we reset the password of one user who’d clicked the link as a precaution.

2. Provide cyber security assistance to our client’s supplier

Although they weren’t a customer, an open and honest conversation with their Managing Director (MD) brought home the predicament they were in. Suspecting that the advice they’d been given so far wasn’t going to resolve their compromise or improve their situation, we offered our assistance.

We connected to the MD’s computer and started our investigation.

There were multiple steps taken:

  • Reset the password and Multi Factor Authentication and revoked all existing sessions.
  • Checked sign-in and audit logs to identify the time, date, and details of the compromise. We were limited by the lack of permissions and the MD not knowing or having an admin account. But we could see several logins from browsers not used by the MD.
  • Next we dived into email to investigate the missing emails and the phishing emails that were sent out. An Outlook Web App inbox rule titled ‘.’ had been created. The rule was set to mark all received email as read and then delete all new emails, hence the appearance of not receiving any emails. On removal of this rule, mail flow started to work normally.
  • We then recovered all the deleted emails from the date of the compromise.
  • We identified two OneNote notebooks that had been used in the attack and removed them.
  • Without further admin permissions we were limited in any further investigations, so we left the MD to try and obtain the password from the company that originally set up their Microsoft 365 tenant.
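
The ‘.’ inbox rule found above has three traits that can be checked for across mailboxes: a name with no letters, no conditions, and a mark-as-read plus delete action. The following is an added example, not Kriston Technology’s runbook or tooling; it assumes rules exported in the shape of the Microsoft Graph messageRule resource, generalises slightly to move-to-folder and conditional delete rules, and uses hypothetical function names with constructed sample rules.

```python
import re

# Field names follow the Microsoft Graph messageRule resource; the sample
# rules below are constructed for illustration, not taken from the incident.
REMOVAL_ACTIONS = ("delete", "permanentDelete", "moveToFolder")

def triage_rule(rule):
    """Return the reasons an inbox rule looks like attacker concealment."""
    name = (rule.get("displayName") or "").strip()
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}  # empty means "all mail"
    removes = [a for a in REMOVAL_ACTIONS if actions.get(a)]
    reasons = []
    # Names such as '.' or ',' are easy to overlook in the rule list.
    if not re.search(r"\w", name):
        reasons.append("name has no letters or digits")
    if removes and not conditions:
        reasons.append("no conditions: every incoming message is removed")
    if removes and actions.get("markAsRead"):
        reasons.append("marks mail as read before removing it")
    return reasons

def suspicious_rules(rules):
    """Return (displayName, reasons) pairs, most suspicious first."""
    hits = [(r.get("displayName"), triage_rule(r)) for r in rules]
    hits = [h for h in hits if h[1]]
    return sorted(hits, key=lambda h: len(h[1]), reverse=True)

SAMPLE_RULES = [  # constructed examples
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "constructed-folder-id"}},
    {"displayName": ".", "isEnabled": True, "conditions": None,
     "actions": {"markAsRead": True, "delete": True}},
    {"displayName": "Invoices", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice"]},
     "actions": {"markAsRead": True, "delete": True}},
]

if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print(repr(name), "->", "; ".join(reasons))
```

A rule that matches only one reason, such as the constructed ‘Invoices’ rule, still needs a human check with the mailbox owner, since users create similar rules themselves.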

The MD managed to obtain an admin username and password, so we were able to continue our investigation and check audit logs.

The Results and Benefits

Put yourself in the position of the Managing Director for a minute: you’ve unknowingly emailed hundreds of contacts, and you aren’t receiving any emails back, but you start to receive Teams messages and telephone calls querying whether your last (phishing) email was legitimate or not.

It’s a horrible position to be in and can be really scary when you’re stuck in the eye of the storm, not knowing what to do.

1. Attacker kicked out
We removed the attacker’s access from the compromised account and secured it for the MD.

2. Recovered emails and restored Outlook functionality
We removed the inbox rule placed by the attacker and recovered all emails that had been deleted.

3. Removed suspicious files from OneDrive
We deleted the associated files from OneDrive involved in the phishing campaign.

4. Provided Reassurance and Peace of Mind
Most importantly, we provided the Managing Director with the reassurance that the incident had been resolved, and the peace of mind that they have somewhere to turn in future.

Conclusion

Our professional and timely response to a company that wasn’t a customer was the right thing to do to help a business in need. Not only did our actions further protect our existing client but also protected dozens of other businesses from further phishing attacks.



Final Thoughts from Kriston Technology

“Thankfully these types of incidents are an exception and although becoming more common, are not a day-to-day occurrence, but even so, we’ve experienced enough of them to have a detailed runbook to allow us to quickly remove access, investigate the compromise and recover data.

When an incident occurs, it can be frightening for the end-user, and a swift response always provides a better outcome. I’m delighted with the actions of our team, and by going the extra mile to help someone in need, we’re delighted that they’ve become our latest new client.”


Carl Gray

Technical Director, Kriston Technology