So, true story (from about a year ago)… it was a normal day in the office. I grabbed coffee at the Keurig, returned to my desk, signed into my notebook and looked at the helpdesk queue; nothing super new. My boss walked in and I said hi like normal. About an hour later I got a weird message from our CTO saying he had received an email from a law office with a bill attached in a zip file, and he wanted me to take a look at it.
Now would be a good time to point out everything wrong with this message. First of all, it has an attached .zip file:
– nobody should send a bill in a zip file unless they are trying to encrypt what they are sending, and even if that were the case my boss should have gotten the decryption key out of band (out of band meaning the law office should have contacted him separately, by phone for example, and told him what the password was; a password sent in the same email protects nothing).
– as mentioned above, our CTO was not expecting the message. If the firm had contacted him first it would have been less fishy: he would have expected the bill and known what it was for.
– a misspelled or unprofessional-looking email is a dead giveaway that whoever wrote it was probably not the law firm in question.
I opened up a CentOS-based VM with a desktop interface from a clean snapshot, opened my mail, downloaded the zipped attachment, cut the virtual network the VM was on and unzipped the attachment. Sure enough, in LibreOffice the document said in big red letters “in order to display this document you need to enable macros”. Yep, it's malware… surprise? (LibreOffice's default macro security setting is High, so a document's macros don't run just by opening it, which is part of why an isolated Linux VM is a reasonable place to look; revert the snapshot afterwards regardless.)
So let's recap: the CTO gets an email from a law firm that looks fishy, sends it to me, I grab the attachment, and it's loaded with malware…
Here's the disturbing part: it was sent from that law firm's own email server. The origin of the message was made blatantly obvious by the Received headers in the original message: the topmost Received line, which our own mail server wrote, named the firm's server as the one that handed the mail to us. (Only the Received lines your own servers add can be trusted; anything below them could have been forged by a spoofer.) So I proceeded to the next step: call the law firm.
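The header check described above, as an added example that is not part of the original post: it parses a constructed message (hostnames, addresses and IPs are made up, and the base64 body is an empty zip) with Python's standard email module, walks the Received chain oldest-hop-first, and separates the hop our own mail server recorded (trustworthy) from the earlier hops (forgeable), then lists attachments with risky extensions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample, not the email from the post; hosts, addresses and IPs are made up.
# Each relay prepends its own Received header, so the top one is the newest (our own MX).
RAW_MESSAGE = """Received: from mail.example-lawfirm.test (mail.example-lawfirm.test [203.0.113.10])
\tby mx.example-company.test with ESMTPS id 4aB9cD
\tfor <cto@example-company.test>; Tue, 1 Mar 2016 09:12:01 -0500
Received: from EXCH01.example-lawfirm.local ([10.0.0.5])
\tby mail.example-lawfirm.test with Microsoft SMTP Server id 15.0.1;
\tTue, 1 Mar 2016 09:11:58 -0500
Return-Path: <billing@example-lawfirm.test>
From: "Example Law Firm Billing" <billing@example-lawfirm.test>
To: cto@example-company.test
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find your bill attached.
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.zip"

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Extensions worth a second look when they arrive unexpectedly (illustrative list).
RISKY_EXTENSIONS = ('.zip', '.rar', '.7z', '.docm', '.xlsm', '.js', '.exe', '.scr')


def received_hops(msg):
    """Return (from_host, by_host) for each Received header, oldest hop first."""
    hops = []
    for value in reversed(msg.get_all('Received') or []):
        m_from = re.search(r'\bfrom\s+(\S+)', value)
        m_by = re.search(r'\bby\s+(\S+)', value)
        hops.append((m_from.group(1) if m_from else None,
                     m_by.group(1) if m_by else None))
    return hops


def triage(raw):
    """Summarise where a raw RFC 5322 message came from and what it carries."""
    msg = email.message_from_string(raw)
    hops = received_hops(msg)
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {
        # Newest hop was written by our own MX: it names the server that actually
        # connected to us, and it is the only hop we can fully trust.
        'handoff_host': hops[-1][0] if hops else None,
        # Oldest hop is what the other side's servers claim; a spoofer can forge it.
        'origin_host': hops[0][0] if hops else None,
        'return_path_domain': parseaddr(msg.get('Return-Path', ''))[1].rpartition('@')[2],
        'attachments': attachments,
        'risky_attachments': [a for a in attachments
                              if a.lower().endswith(RISKY_EXTENSIONS)],
    }


if __name__ == '__main__':
    for key, value in triage(RAW_MESSAGE).items():
        print(f'{key}: {value}')
```

In the constructed message both the trusted handoff host and the forgeable origin host sit in the firm's domain and match the Return-Path, which is the pattern that distinguishes a compromised server from plain spoofing; with a spoofed message the handoff host is usually somewhere else entirely.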
“ring ring ring”
me – “Hi, this is Austin Janey from company I worked for previously. I just received an email from you that's got a nasty malware attachment.”
law firm – “We're sorry, we think our server's been compromised; we have an IT contractor looking into it.”
I took their domain name, went to MXToolbox and found out that they didn't have SPF or DMARC set up at all. This is something I see fairly often. If you don't have SPF set up then anybody can basically send email as you. That's not what was happening here (the mail really did come from their server), but it might have been a contributing factor, and not having DMARC reporting enabled also means that when you are being spoofed there's no way for you to know about it.
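The same check, done against records instead of by hand, as an added example that is not part of the original post and not the law firm's actual records: it evaluates SPF and DMARC TXT records for the weaknesses MXToolbox would flag (no record, a permissive `all`, too many DNS lookups, `p=none`, no `rua` address). The SAMPLE_DNS dictionary stands in for DNS answers so the code runs offline; the domain names in it are made up.

```python
import re

# Constructed TXT records standing in for DNS answers (made-up domains, not the firm's).
SAMPLE_DNS = {
    'weak.example.test': ['google-site-verification=abc123'],   # no SPF, no DMARC at all
    'loose.example.test': ['v=spf1 '
                           + ' '.join(f'include:spf{i}.example.test' for i in range(11))
                           + ' +all'],
    '_dmarc.loose.example.test': ['v=DMARC1; p=none'],
    'ok.example.test': ['v=spf1 mx include:spf.protection.outlook.com -all'],
    '_dmarc.ok.example.test': ['v=DMARC1; p=reject; rua=mailto:dmarc@ok.example.test'],
}

# Mechanisms that cost a DNS query; RFC 7208 caps them at 10 per evaluation.
SPF_LOOKUP_TERM = re.compile(r'^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)')


def assess_spf(record):
    """Findings for one SPF TXT record; None means the domain publishes none."""
    if record is None:
        return ['no SPF record: anyone can send mail as this domain']
    terms = record.split()
    if not terms or terms[0].lower() != 'v=spf1':
        return ['TXT record is not SPF (missing v=spf1)']
    findings = []
    all_term = next((t.lower() for t in terms[1:] if t.lower().lstrip('+-~?') == 'all'), None)
    if all_term is None:
        findings.append('no "all" mechanism: unlisted senders get a neutral result')
    elif all_term in ('all', '+all'):
        findings.append('"+all": SPF passes every sender, the record is useless')
    elif all_term == '?all':
        findings.append('"?all": neutral result for unlisted senders')
    elif all_term == '~all':
        findings.append('"~all": soft fail only; move to -all once all senders are listed')
    lookups = sum(1 for t in terms[1:]
                  if SPF_LOOKUP_TERM.match(t.lower()) or t.lower().startswith('redirect='))
    if lookups > 10:
        findings.append(f'{lookups} DNS-querying mechanisms (RFC 7208 limit is 10): '
                        'receivers return permerror and SPF is effectively off')
    if any(t.lower().lstrip('+-~?').startswith('ptr') for t in terms[1:]):
        findings.append('"ptr" mechanism is deprecated and unreliable')
    return findings


def assess_dmarc(record):
    """Findings for one DMARC TXT record; None means the domain publishes none."""
    if record is None:
        return ['no DMARC record: no policy and no reports when the domain is spoofed']
    tags = {}
    for part in record.split(';'):
        if '=' in part:
            key, value = part.split('=', 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get('v') != 'DMARC1':
        return ['record does not start with v=DMARC1']
    findings = []
    policy = tags.get('p')
    if policy is None:
        findings.append('missing required p= tag')
    elif policy == 'none':
        findings.append('p=none: spoofed mail is reported but still delivered')
    elif policy == 'quarantine':
        findings.append('p=quarantine: spoofed mail goes to spam; move to p=reject when ready')
    if 'rua' not in tags:
        findings.append('no rua= address: aggregate reports are not being collected')
    if tags.get('pct', '100') != '100':
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    return findings


def assess_domain(domain, txt_records):
    """Look up SPF at the domain and DMARC at _dmarc.<domain> and assess both."""
    spf = next((r for r in txt_records.get(domain, []) if r.lower().startswith('v=spf1')), None)
    dmarc = next((r for r in txt_records.get('_dmarc.' + domain, [])
                  if r.upper().startswith('V=DMARC1')), None)
    return {'spf': assess_spf(spf), 'dmarc': assess_dmarc(dmarc)}


if __name__ == '__main__':
    for name in ('weak.example.test', 'loose.example.test', 'ok.example.test'):
        print(name, assess_domain(name, SAMPLE_DNS))
```

For a live check, replace SAMPLE_DNS with real TXT lookups (for example dnspython's `dns.resolver.resolve(name, 'TXT')`), remembering that `include:` targets should be assessed recursively since their lookups count against the same limit of 10.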
Here's what was happening: one way or another the firm's Exchange server was compromised, and the attacker/bot/malware infection was using their server to send mail to all their clients, mail that carried ransomware. This is the cost of doing email wrong. A lot of companies think that because they don't harbor sensitive data they don't need to take basic security measures; this is negligence. The most valuable thing you or your company owns is your name, the second most valuable thing you have is your customers and friends, and the third most valuable thing you have, to a hacker, is the ability to exploit the first two for their own personal gain.
I doubt this law firm is still conducting business, and it sounds like they might have quite a legal battle ahead of them if any of their clients received said email and were subsequently infected.
So how would someone prevent this from happening?
1. Make sure you have correctly configured SPF and DMARC records: SPF ending in -all, and DMARC at p=reject (or at least p=quarantine) with a rua= address so you actually receive the reports. DMARC also relies on DKIM signing, so set that up alongside SPF.
2. Make sure your Exchange server accounts have strong passwords set (and 2FA if it's supported) and outbound spam and rate-limit rules, so that if you do get compromised the impact is minimized.
3. If possible, enable mail attachment scanning and prohibit certain types of files (executables, scripts and macro-enabled Office documents, including inside archives) from being emailed altogether.
4. User training. Teaching the users of your mail system to identify what bad email looks like can go a long way; if nothing else, teach them to question anything they receive that calls them to do something they didn't expect, and to verify it out of band, by phone for instance, before acting.