Trying to stop an Attacker...

For the past couple of months, an attacker has been sending my company emails trying to get us to install a RAT. Somehow, he knows the services we use (VoIP providers, etc.) and sends emails as them. I've traced his originating IP using the email header data, and he traces back to a server rental farm in Japan. I've reported him to them three times, but to no avail. Any ideas on how to stop this guy? We can't block the domains, as they are legitimate domains we receive emails from.
Mark Plier, Director of IT, asked:
You can try to block emails by their message headers instead of domains (assuming that they're forged emails). This is what we've started doing at my company in order to slow the rate of phishing attempts.

Assuming you're in the US, you can try to report to security vendors that you work with. They might have more sway.

Shaun Vermaak, Technical Specialist, commented:
Do all the legitimate domains that you receive mail from have SPF configured? If so, use these SPF records to block mail from invalid relays.
Also, you might want to review and look at how you can enhance your security policies and processes. Additionally, be sure to contact partners on how you'll communicate certain types of information (e.g. a change in bank accounts). This is a common one that parties try to scam as well.

Law enforcement would be more prone to be willing to get involved when a breach actually occurs, which would not be ideal. Have you also checked for any signs of a breach or data exfiltration from departments like finance? For someone to know who your vendors are and so on, they had to get access to something within your network at some point in time. Getting assistance from a security vendor might not be out of the question for you. While this is certainly an issue, you want to locate any bigger issues and also nip them in the bud.
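An added example for the SPF suggestion above; this is not code from any reply in this thread. It assumes Exchange Online (the asker is on Office 365) with the Exchange Online PowerShell module installed and an account holding the anti-spam admin role. The two partner domain names are placeholders. The check in step 1 matters: if a partner publishes no SPF record, or ends it in "~all" or "?all", forgeries of that domain will only softfail or come back neutral, so a hard-fail filter alone will not stop them. It also does nothing against a sender who only forges the display name and keeps their own domain; that case needs a display-name rule instead.

```powershell
# Added example (not from the original thread): use SPF in Exchange Online to
# stop mail that claims to come from a partner domain but was relayed from a
# host that domain's SPF record does not authorise.
# Assumes the Exchange Online PowerShell module and an anti-spam admin role.
# The domain names are placeholders.

Connect-ExchangeOnline

# 1. Look at what each partner actually publishes before relying on it.
$partnerDomains = @('voip-provider.example', 'payroll-provider.example')   # placeholders
foreach ($d in $partnerDomains) {
    $txt = Resolve-DnsName -Name $d -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { ($_.Strings -join '') -match '^v=spf1' }
    if (-not $txt) {
        Write-Warning "$d publishes no SPF record; forgeries of it will not fail SPF"
        continue
    }
    $record = ($txt.Strings -join '')
    Write-Host "$d : $record"
    if ($record -notmatch '-all\s*$') {
        Write-Warning "$d does not end in -all; forgeries will only softfail or come back neutral"
    }
}

# 2. Make the default anti-spam policy treat an SPF hard fail as spam
#    (this switch is Off by default in Exchange Online).
Set-HostedContentFilterPolicy -Identity Default -MarkAsSpamSpfRecordHardFail On

# 3. Mail flow rule: for the named partner domains, quarantine anything whose
#    Authentication-Results header (stamped by Exchange Online itself on
#    inbound mail) shows spf=fail or spf=softfail, whatever the spam score.
New-TransportRule -Name 'Quarantine SPF failures from partner domains' `
    -SenderDomainIs $partnerDomains `
    -HeaderMatchesMessageHeader 'Authentication-Results' `
    -HeaderMatchesPatterns 'spf=(fail|softfail)' `
    -Quarantine $true `
    -Comments 'Added after repeated RAT phishing impersonating our vendors'
```

Run step 1 on its own first; the warnings tell you which partners you should ask to tighten their SPF record before step 3 will catch mail forged in their name.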

Natty Greg, In Theory (IT), commented:
Do you have a safe sender list, so emails from senders you trust get in and those you don't get blocked?
A trusted third-party spam filter will work.

You can use pfBlocker in pfSense to block IPs, and IPs originating from the countries that normally attack networks.
Mark Plier, Director of IT (Author), commented:
I'm really liking the idea of blocking by header as they are all coming from the same IP (the one hosted server)

How would I go about this in Exchange? We are hosted with Office 365.
So you need to go to the mail rules within the Exchange Admin Center and create a new rule. When the window comes up, click on More Options at the bottom.

Here's a screenshot showing the message-header-related choices:
[Screenshot: O365 Message Header Mail Rule]
Rich Weissler, Professional Troublemaker^h^h^h^h^hshooter, commented:
I believe you'd add a connection filter for the IP address in question in the Exchange Administration pane.
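An added example covering the two Exchange Online blocks discussed in the replies above (the header-based mail rule and the connection filter); it is not code from anyone in this thread. It assumes the Exchange Online PowerShell module and an account with the Transport Rules and anti-spam admin roles. The IP 203.0.113.45 is a placeholder for the attacker's hosted server, which the thread never names. Instead of matching the IP as text inside a Received: header, the mail rule uses the "sender IP ranges" condition, which keys on the IP that actually connected to Office 365; that is the same value you should read from the outermost Received: line your own Office 365 edge added, since any Received: line deeper in the chain can be forged by the sender.

```powershell
# Added example (not from the original thread): block one hosted server in
# Exchange Online two ways, then confirm the block from message trace.
# Assumes the Exchange Online PowerShell module and the relevant admin roles.
# 203.0.113.45 is a placeholder; take the real value from the outermost
# Received: header that Office 365 itself stamped on one of the emails.

Connect-ExchangeOnline

$attackerIp = '203.0.113.45'   # placeholder, see note above

# 1. Connection filter: the message is rejected at SMTP connection time,
#    before any content rule or spam scoring runs.
Set-HostedConnectionFilterPolicy -Identity Default -IPBlockList @{Add = $attackerIp}

# 2. Mail flow rule keyed on the connecting IP. It duplicates the block above
#    on purpose: it still fires if the IP is later removed from the block
#    list by mistake, and every hit shows up in message trace for auditing.
New-TransportRule -Name "Drop mail from $attackerIp" `
    -SenderIpRanges $attackerIp `
    -DeleteMessage $true `
    -Comments 'RAT phishing campaign impersonating our vendors'

# 3. Verify over the last seven days: anything that arrived from the IP, most
#    recent first. After the change the newest rows should no longer be
#    Delivered.
Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Where-Object { $_.FromIP -eq $attackerIp } |
    Sort-Object Received -Descending |
    Select-Object Received, SenderAddress, RecipientAddress, Subject, Status |
    Format-Table -AutoSize
```

A block on a single IP holds only as long as the attacker keeps that server; once they move to a new rental, the SPF-based rule suggested earlier in the thread is what keeps catching mail forged in a vendor's name.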