Malicious email spreading

Nick Perks
A malicious email has been sent out to all contacts from one of our users' Outlook that contained a nefarious and potentially damaging link. We requested all staff to remove it from their inbox. We are on Office 365 for Exchange. This email was sent with the subject line: "Please Docusign: Review Documents". The message contained a box that said "Diane sent you a document to review and sign" with a "Review Document" button, which takes you to an http:// fishy-looking hyperlink.

Many users have already clicked this link in the email today, and I am not sure what outcome we will be dealing with in the next couple of days.

What are the best possible steps to take in this scenario? So far I have done the following:

1. Isolated this machine and am running various scans.
2. Ran the O365 PowerShell command to remove this message from all user mailboxes.
3. Made sure all our backups are secure and running.
4. Ran virus scans on all our servers.
5. I am currently tracing the IP address from the header of this original email and blocking it through our external email spam filtering company.

What else can we possibly do to avoid the widespread sending of these emails in the next few days?

The user said he clicked on this email about "4 days ago", and all of a sudden emails went out of his Outlook to all company contacts in the GAL TODAY. This could mean that all the users (about 30 of them) that clicked on this email today may have their computers infected as well and could possibly send an email in the next few days to all their contacts.

While trying to scan the user's computer from which this email was originally sent to all employees, ESET and some other scans could not find any viruses or spyware.

This is quite scary and I would like some experts' thoughts and suggestions.

Thank you in advance.
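The steps the asker lists (find who received the message, purge it from every mailbox, cut off the account that sent it) can be scripted against Exchange Online. The following is an added example, not the asker's own command. It assumes the Exchange Online and Security & Compliance PowerShell modules are installed and that the connecting account holds the relevant roles; the sender address, the date window and the CSV path are placeholders.

```powershell
# Added example for the question above; not the asker's own command.
# Assumes: ExchangeOnlineManagement module (Connect-ExchangeOnline, Connect-IPPSSession)
# and the AzureAD module. Sender address, window and output path are placeholders.

Connect-ExchangeOnline
Connect-IPPSSession        # Security & Compliance PowerShell, needed for compliance searches

$Sender  = 'compromised.user@contoso.example'   # placeholder: the mailbox that sent the phish
$Subject = 'Please Docusign: Review Documents'   # subject quoted in the question
$Start   = (Get-Date).AddDays(-1)                # placeholder window; message trace covers 10 days
$End     = Get-Date

# 1. Who received it? Message trace returns one row per recipient, so the
#    resulting CSV is the list of users to contact and machines to check.
$trace = Get-MessageTrace -SenderAddress $Sender -StartDate $Start -EndDate $End |
         Where-Object { $_.Subject -eq $Subject }
$trace | Select-Object Received, RecipientAddress, Status |
         Export-Csv -Path .\phish-recipients.csv -NoTypeInformation
Write-Host "Recipients of the phish: $($trace.Count)"

# 2. Locate every copy in every mailbox (KQL query) and purge it.
$SearchName = 'IR-Docusign-phish-' + (Get-Date -Format 'yyyyMMdd-HHmm')
New-ComplianceSearch -Name $SearchName -ExchangeLocation All `
    -ContentMatchQuery "(From:$Sender) AND (Subject:""$Subject"")" | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Wait until the search has finished before acting on its results.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $SearchName
} until ($search.Status -eq 'Completed')
Write-Host "Copies found: $($search.Items)"

# SoftDelete leaves the items in Recoverable Items so a copy survives for
# forensics; HardDelete removes them outright.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false

# 3. Cut the attacker's hold on the sending account: revoke existing sessions
#    (a password reset alone does not end tokens already issued) and look for
#    forwarding the attacker may have left behind.
Connect-AzureAD
Revoke-AzureADUserAllRefreshToken -ObjectId $Sender
Get-InboxRule -Mailbox $Sender |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Select-Object Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo
Get-Mailbox -Identity $Sender | Select-Object ForwardingSmtpAddress, DeliverToMailboxAndForward
```

The purge is deliberately the last step of the search stage: the recipient list and the item count are recorded first, so the incident record does not depend on mail that is about to be deleted.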
Exec Consultant
Distinguished Expert 2018
Quickly identify all the users that have received it. Check at the Exchange admin backend.

You need to trace what malware infected that machine. You probably have to really infect it and analyse whether AV with the latest update and signatures can detect it.

Sinkhole the callback or all traffic to the URL. Make the change in the DNS server to answer all clients with a sinkhole IP that you own internally.

Isolate those client machines having that callback or AV alert. Refurbish and issue a cleaned or new machine if possible to reduce disruption.

Ask the user to change their password just to make sure, but if the attempt to call back is blocked, then there is no real immediate need. Avoid use of thumb drives. Check your critical systems like AD, DHCP and file servers for any anomalies like new accounts or changes, i.e. being tampered with.

Issue a wide advisory to all users to watch out for this phishing email (highlight the red flags) and remind them not to click URLs or open attachments in the email, but if they have done so, to report immediately to the helpdesk or a direct number of the ops centre. Be prepared with a comms plan to alert senior management and the public too if necessary.

Review your Exchange security to use SPF and DKIM. This will alleviate most of the spoofing emails. Have logs sent over to the Ops centre for monitoring and alerting.
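The DNS sinkhole and the SPF/DKIM review from the answer above, as an added example that is not btan's own configuration. It assumes a Windows Server DNS role (DnsServer module) that all internal clients resolve through, and the Exchange Online module for the DKIM part; the phishing host name, the sinkhole address and the mail domain are placeholders.

```powershell
# Added example for the sinkhole and SPF/DKIM advice above; not the answerer's code.
# Assumes: DnsServer module on the internal DNS server, ExchangeOnlineManagement module.
# All three values below are placeholders.

$PhishHost  = 'phish-host.example'   # placeholder for the host in the "Review Document" link
$SinkholeIP = '10.99.99.99'          # placeholder: an internal address you control and log on
$MailDomain = 'contoso.example'      # placeholder for your own mail domain

# 1. Sinkhole: make the internal DNS authoritative for the phishing host so every
#    client gets the sinkhole address instead of the attacker's server. The
#    wildcard record catches subdomains such as www or cdn variants.
Add-DnsServerPrimaryZone -Name $PhishHost -ReplicationScope Forest
Add-DnsServerResourceRecordA -ZoneName $PhishHost -Name '@' -IPv4Address $SinkholeIP
Add-DnsServerResourceRecordA -ZoneName $PhishHost -Name '*' -IPv4Address $SinkholeIP
Clear-DnsServerCache

# Check from the server itself: the answer must be the sinkhole address.
$answer = (Resolve-DnsName -Name $PhishHost -Type A).IPAddress
if ($answer -ne $SinkholeIP) { throw "Sinkhole not effective: $PhishHost resolves to $answer" }

# 2. Find the machines still calling back: log queries and answers on the DNS
#    server; every client that asks for $PhishHost is one to isolate.
Set-DnsServerDiagnostics -Queries $true -Answers $true -SaveLogsToPersistentStorage $true

# 3. Email authentication: confirm an SPF record is published for the domain.
$spf = Resolve-DnsName -Name $MailDomain -Type TXT |
       Where-Object { $_.Strings -match '^v=spf1' }
if (-not $spf) { Write-Warning "No SPF record published for $MailDomain" }
else           { Write-Host "SPF: $($spf.Strings)" }

# 4. DKIM signing in Exchange Online. Enabling it requires the two selector CNAME
#    records (selector1/selector2._domainkey) to be published at your DNS host first.
Connect-ExchangeOnline
$dkim = Get-DkimSigningConfig -Identity $MailDomain -ErrorAction SilentlyContinue
if (-not $dkim) {
    New-DkimSigningConfig -DomainName $MailDomain -Enabled $true
} elseif (-not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $MailDomain -Enabled $true
}
Get-DkimSigningConfig -Identity $MailDomain |
    Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
```

The `Selector1CNAME` and `Selector2CNAME` values printed at the end are the records that have to exist in public DNS before the `Enabled` flag takes effect; if they are missing, Exchange Online refuses to enable signing.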

Had been through a similar phish attack; there is no foolproof mechanism to stop it. The best is to educate the users to identify the phish.

This is what we did:

Blocked the URL at the firewall, blocked the spammer source, changed the user's password, gave him a new machine, removed that email from all the mailboxes.

Stopped the mailbox access externally.

Started doing a monthly phish awareness practice, where we send a phish-like email; when the link is clicked it redirects to phish awareness training.
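Two of the steps in the post above (blocking the URL and the spammer source, and stopping external mailbox access) have mail-layer equivalents in Exchange Online. The following is an added example, not the poster's own commands; it assumes Exchange Online PowerShell with an account that can manage transport rules and mailboxes, and the URL, user and security mailbox are placeholders.

```powershell
# Added example for the steps listed above; not the poster's own commands.
# Assumes: ExchangeOnlineManagement module. URL, user and mailbox are placeholders.

Connect-ExchangeOnline

$PhishUrl   = 'http://phish-host.example/review'   # placeholder for the "Review Document" link
$User       = 'compromised.user@contoso.example'   # placeholder: mailbox that sent the phish
$SecMailbox = 'security-triage@contoso.example'    # placeholder: where diverted copies go

# 1. Block the URL at the mail layer: any further message carrying the link or the
#    known subject, inbound or internal, is diverted to the security mailbox rather
#    than delivered, so a second wave from another clicked-on account is contained.
New-TransportRule -Name 'IR: divert Docusign phish' `
    -SubjectOrBodyContainsWords @($PhishUrl, 'Please Docusign: Review Documents') `
    -RedirectMessageTo $SecMailbox `
    -Comments 'Incident response rule; remove when the incident is closed'

# 2. Stop external access to the compromised mailbox until the machine is rebuilt
#    and the password changed. Disabling the protocols ends attacker sessions that
#    a password reset alone does not.
Set-CASMailbox -Identity $User -OWAEnabled $false -ActiveSyncEnabled $false `
    -ImapEnabled $false -PopEnabled $false -EwsEnabled $false

# 3. Confirm the rule is enabled and the mailbox is locked down.
Get-TransportRule -Identity 'IR: divert Docusign phish' | Select-Object Name, State, Priority
Get-CASMailbox -Identity $User |
    Select-Object OWAEnabled, ActiveSyncEnabled, ImapEnabled, PopEnabled, EwsEnabled
```

Diverting rather than deleting keeps a copy of every later attempt for the incident record, and the `Comments` field marks the rule as temporary so it is not forgotten once the incident is closed.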
Jackie Man, IT Manager
Top Expert 2010

The above links discuss the crisis you are handling now.

Essentially, btan has told you everything you need for rectification.

Humans are the weakest link in security and no security measures can stop phishing emails, so you might need a better security solution which can help the IT admin trace the source of infection, with ongoing prompting for user awareness of any security incidents around the globe.
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1)
Check this post I just made.
It does not matter if a company is on Office 365 etc.; if you are serious about your IT security you need Mimecast.

Bitdefender is supposedly better.

I would choose the Kaspersky Internet Security version, especially with the Russian links they supposedly have, or ESET AV.
Most importantly, you should remember AV is a reactionary product, made and invented from somebody's actions. It is never really going to be that effective.

I put more faith in a solid spam system like Mimecast than in AV; if I had to choose what to spend my money on, I would buy Mimecast and use free AV.

I put Malwarebytes Pro on my old CEO's laptop as he is a public figure and I do not trust these AV products; I have seen all of them backdoored by something over the years. Malwarebytes Pro uses better anti-exploit tools, which is where most risks come from.
