Trying to stop an Attacker...

Mark Plier
For the past couple of months, an attacker has been sending my company emails trying to get us to install a RAT. Somehow, he knows the services we use (VoIP providers, etc.) and sends emails as them. I've traced his originating IP using the email header data and he traces back to a server rental farm in Japan. I've reported him to them 3 times, but to no avail. Any ideas on how to stop this guy? We can't block the domains, as they are legitimate domains we receive emails from.

Distinguished Expert 2018
Commented:
You can try to block emails by their message headers instead of domains (assuming that they're forged emails). This is what we've started doing at my company in order to slow the rate of phishing attempts.

Assuming you're in the US, you can try to report to security vendors that you work with. They might have more sway.
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
Do all the legitimate domains that you receive mail from have SPF configured? If so, use these SPFs to block mail from invalid relays.
Distinguished Expert 2018
Commented:
Also, you might want to review and look at how you can enhance your security policies and processes. Additionally, be sure to contact partners on how you'll communicate certain types of information (i.e., a change in bank accounts, etc.). This is a common one that parties try to scam as well.

Law enforcement would be more prone to be willing to get involved when a breach actually occurs, which would not be ideal. Have you also checked for any signs of a breach or data exfiltration from departments like finance? For someone to know who your vendors are and so on, they had to get access to something within your network at some point in time. Getting assistance from a security vendor might not be out of the question for you. While this is certainly an issue, you want to locate any bigger issues and also nip them in the bud.

Natty Greg, In Theory (IT)
Commented:
Do you have a safe sender list, so emails from senders you trust get in and those you don't get blocked?
A trusted third party spam filter will work

You can use pfBlocker in pfSense to block IPs, and IPs originating from those countries that normally attack networks.
Mark Plier, Director of IT (Author)
Commented:
I'm really liking the idea of blocking by header as they are all coming from the same IP (the one hosted server)

How would I go about this in Exchange? We are hosted with Office 365
Distinguished Expert 2018
Commented:
So you need to go to the mail rules within the Exchange Admin Center and create a new rule. When the window comes up, click on More Options at the bottom.

Here's a screenshot showing message header related choices:
[Screenshot: O365 Message Header Mail Rule]
Rich Weissler, Professional Troublemaker^h^h^h^h^hshooter
Commented:
I believe you'd add a connection filter for the IP address in question in the Exchange Administration pane.
https://technet.microsoft.com/en-us/library/jj200718(v=exchg.150).aspx
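The two EAC steps suggested above (a header/IP-based mail flow rule, and a connection filter on the sending IP) done from Exchange Online PowerShell, as an added example that is not from anyone in this thread. It assumes the ExchangeOnlineManagement module, an Exchange admin account, and placeholder values for the attacker's IP and the vendor domains, which the thread does not give; the SPF rule also assumes EOP's `spf=fail` wording in the Authentication-Results header.

```powershell
# Added example (not from the thread): block the spoofed vendor mail by its
# source IP in Exchange Online / Office 365, mirroring the EAC steps above.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.

# PLACEHOLDER: the thread does not give the rented server's IP; 203.0.113.45
# is a documentation-range address standing in for the one taken from the
# Received: headers. A single /32 keeps the block narrow; widen only if the
# hosting provider keeps cycling addresses.
$AttackerIp = '203.0.113.45'

Connect-ExchangeOnline

# 1. Mail flow (transport) rule keyed on the connecting IP. Quarantining
#    rather than dropping leaves an auditable trail in message trace and
#    lets you confirm nothing legitimate arrives from that address.
New-TransportRule -Name 'Quarantine mail from RAT campaign host' `
    -SenderIpRanges $AttackerIp `
    -Quarantine $true `
    -Mode Enforce `
    -Comments 'Spoofed vendor mail traced to rented server (placeholder ticket ref)'

# 2. Connection filter: once the quarantine confirms only hostile mail comes
#    from that IP, reject it at the edge before content filtering runs.
Set-HostedConnectionFilterPolicy -Identity Default -IPBlockList @{Add = $AttackerIp}

# 3. From the SPF suggestion above: flag mail that claims one of your vendors'
#    domains but fails their SPF check. EOP records the verdict in the
#    Authentication-Results header. Audit mode logs hits without acting, so
#    you can review them in message trace before switching to Enforce.
$VendorDomains = @('vendor-voip.example', 'vendor-billing.example')   # placeholders
New-TransportRule -Name 'Audit SPF failures from vendor domains' `
    -SenderDomainIs $VendorDomains `
    -HeaderContainsMessageHeader 'Authentication-Results' `
    -HeaderContainsWords 'spf=fail' `
    -SetSCL 9 `
    -Mode Audit

# Verify what was created.
Get-TransportRule |
    Where-Object { $_.Name -like '*RAT campaign*' -or $_.Name -like '*SPF failures*' } |
    Format-Table Name, State, Mode, Priority
Get-HostedConnectionFilterPolicy -Identity Default | Select-Object -ExpandProperty IPBlockList
```

Rule 1 fires only while the connection filter in step 2 is not yet in place, since the filter rejects the connection before any mail flow rule runs.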
