Cloud based email open on PC Education

Business Email Compromise Check List

As part of my Cyber SOC GitHub repo I’ve put together lots of resources to try and help people with some common cyber security tasks, applicable to CISOs through to SOC analysts.

I also want to highlight one of the most common incident types if you are an Office 365 customer is a business email compromise scenario, so I’ve put together a high level view of the steps you might want to take after a BEC event is discovered:

Read more “Business Email Compromise Check List”
Defense

Minimum Data Requirements for Investigating Email Mailbox Compromise

When a suspected email mailbox compromise is reported, initiating an investigation promptly is critical. However, to ensure the investigation is effective, certain minimum intelligence requirements must be met. This blog outlines the bare minimum data needed to start investigating a suspected email mailbox compromise, whether the intelligence comes from an internal team or a third-party source.

Read more “Minimum Data Requirements for Investigating Email Mailbox Compromise”
Guides

Phishing (Cred harvester) Response

Incident Response Playbook (High Level)

Having a plan for how you will respond to common incidents is key. It’s a good idea to have procedural level “playbooks” (we used to just call these procedures, maybe I’m old!) but let’s get taktic00l and call them:

Playbooks/Runbooks/Aide-mémoire etc.

That aside (words are fun right!) they key part here is to identify the people, roles and responsibilities and the systems/actions/decisions you will need to take. To start with let’s look at a common incident of Phishing with credential harvesting, this may lead onto business email compromise (BEC) and attempted or successful fraud or downstream supply chain attacks.

Read more “Phishing (Cred harvester) Response”
Defense

Post Business Email Compromise actions for Office 365 Users

If you have a business email compromise incident and you haven’t deteced it in a timely manner your fist notification might be a bad experiance, the threat actors may have commited fraud, attemped fraud or simply launched a phishing If you have a business email compromise incident and you haven’t detected it in a timely manner your fist notification might be a bad experience, the threat actors may have committed fraud, attempted fraud, or simply launched a phishing campaign from your environment. If you are in this position, there are some steps you can take from a technical point of view to limit impact and reduce risk of a re-occurrence. This blog is a high-level view at some of the tactical and longer-term activities you can conduct.

Read more “Post Business Email Compromise actions for Office 365 Users”
Copyright (c) Xservus Limited