Updated: Using the ‘Report Message’ add-in as phishing button in Outlook

Update to Add Phishing Button to Outlook: ‘Report Message’

A few years ago, I blogged about a way for enterprises to report phishing messages by adding an Outlook phishing button.  The message would be forwarded to their IT or Security department quickly and easily without having to pay for a service.  Using that approach, with the click of a button employees can report phishing or suspicious emails and send the full message (with headers) to a mailbox monitored by your IT staff.   Here is a link to the article ‘Add a Report Phishing button in Outlook’.

Since then, Microsoft has made some changes to their junk reporting tools as the collective world moves toward cloud services, specifically Office 365.  While I don’t have much of an opinion on email platforms, I have noticed that Microsoft’s spam and phishing filtering service has not kept up with the filtering that is happening with Gmail; this may be by design, or just part of Microsoft’s marketing strategy…who knows.   What I do know is that enterprise employees using Outlook and Office 365 have been struggling with Business Email Compromise (BEC), phishing and spam for years, and it’s not getting any better.

Visibility into how spam and phishing make it into our mailboxes is a critical need for any security program.  It increases awareness and allows defenders to rally and protect employees from insidious and crafty emails that occasionally make it to executive and VIP inboxes–the very places they can do the most damage. The world is a dangerous place when it comes to email and digital security.  Worst of all,  IT staff often has no idea about phishing campaign attack trends, and what the bad guys are up to.  Let’s change that.

What’s changed since the Outlook Phishing button?

The Outlook phishing button that I blogged about in a previous article uses Microsoft’s junk email reporting app. For years Microsoft has accepted reported junk emails and used the statistics to fine-tune their filters (as long as end users and companies allow that information to leave their network).  While not serving the exact same purpose as the Junk Email Reporter, Microsoft’s ‘Report Message’ add-in is even easier to use and configure; for example, with a simple email rule in Office 365 you can send the full message, headers and all, directly to your IT or Information Security group, or to a shared mailbox that is monitored by your enterprise defenders (makes them sound like heroes, doesn’t it?).  It’s a slightly different spin on the ‘Phishing Button’ in Outlook, but can be configured to do essentially the same thing: serve as an early warning sign for your IT staff when used by security-aware employees.  The Report Message add-in has the added benefit of protecting you in Outlook Web as well, something the simple Outlook Phish Button could never do.


Outlook’s New Report Message Button

How to Report phishing messages to your IT department

The following instructions will work for Outlook and/or Outlook web users who use the Office 365 cloud service, personal or enterprise!

Here’s what you need to do:

1. Install the Report Message add-in from Microsoft’s AppSource

Here is a link for download.  https://appsource.microsoft.com/en-us/product/office/wa104381180

There are ways to push this out globally and I have more information below, but for now just download to your personal Outlook instance so you can test in your environment.  Once you go through all the steps defined here and determine it is working, roll it out to the rest of the company.

2. Create an Exchange Online rule to blind-copy (Bcc) your internal phishing report mailbox.

You must be an Exchange Online Administrator for your organization to complete this task.   If you are not, contact your IT department and show them this article; they will be impressed that you care enough to send them something that will help them, instead of just clicking the phishing email and going on with life… You will be the hero of the day!

  1. In the Exchange Admin Center, choose ‘mail flow > rules’
  2. Choose + > Create a new rule
  3. In the name box, type a descriptive name, such as ‘Phish report rule’, or as Microsoft suggests, ‘Submissions’…huh?   Anyway, you make the call….
  4. In the Apply this rule if list, choose ‘the recipient includes…’
  5. In the specify words or phrases screen, add ‘junk@office365.microsoft.com’ and ‘phish@office365.microsoft.com’ and choose ‘OK’
  6. In the ‘Do the following…’ list, choose Bcc the message to…
  7. Add whoever you want to get the phishing messages in your organization, then choose ‘OK’
     • It can be a person, email group or shared mailbox.
  8. Choose Audit this rule with severity level, and choose Medium
  9. Under Choose a mode for this rule, choose Enforce.
  10. Click ‘Save’

  (The configuration may take a few hours to sync across Office servers, so have patience.)

3. Test your anti-phishing Report Message button!

Now, when you are ready to test, open a spam or phishing email and click the Report Message button!!  If it is working correctly, the email will be moved to your Junk E-mail folder, and a full copy of the entire email message, including headers, will be sent to the mailbox you chose in step 7 above.  Woohoo!

What if I don’t want to send junk reports to Microsoft?

If you are the cynical type and are suspicious of sending any information out of your network (including junk mail to Microsoft), just create a new Exchange Online rule that blocks any message sent to ‘junk@office365.microsoft.com’ and ‘phish@office365.microsoft.com’ from leaving your Exchange service.   If that rule runs after the Bcc rule, it should still work to Bcc the mail to your internal staff.

Here’s a guide to create the rule that blocks reporting spam to Microsoft:

https://practical365.com/exchange-server/using-transport-rules-to-block-outbound-email-to-untrustworthy-domains/

I personally haven’t tried this, but it seems like it should work.  If you have, let us know your results or post back if you find a better way.
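The Bcc rule from the steps above, and the keep-it-internal variant just discussed, written as Exchange Online PowerShell. This is an added example, not code from the original post or from Microsoft; it assumes a Connect-ExchangeOnline session with admin rights and uses ‘phishreports@contoso.com’ as a placeholder for your internal mailbox. For the internal-only case it swaps the author’s untested separate block rule for a single redirect rule, because a redirect replaces the Microsoft recipients outright rather than rejecting the whole message.

```powershell
# Added example, not code from the original post or from Microsoft.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) with
# admin rights. 'phishreports@contoso.com' is a placeholder for your mailbox.
$reportAddresses     = 'junk@office365.microsoft.com', 'phish@office365.microsoft.com'
$internalMailbox     = 'phishreports@contoso.com'   # placeholder, change me
$keepReportsInternal = $false   # $true = reports never leave the tenant

if (-not $keepReportsInternal) {
    # Steps 3-9 above: Bcc the add-in's submission to the internal mailbox,
    # audit at Medium severity, enforce. Priority 0 = evaluated first.
    New-TransportRule -Name 'Phish report rule' `
        -Priority 0 `
        -RecipientAddressContainsWords $reportAddresses `
        -BlindCopyTo $internalMailbox `
        -SetAuditSeverity Medium `
        -Mode Enforce
} else {
    # Alternative to a separate block rule: redirecting replaces the original
    # (Microsoft) recipients with the internal mailbox, so the report is
    # delivered internally and nowhere else. One rule, no ordering to get wrong.
    New-TransportRule -Name 'Phish report rule (internal only)' `
        -Priority 0 `
        -RecipientAddressContainsWords $reportAddresses `
        -RedirectMessageTo $internalMailbox `
        -SetAuditSeverity Medium `
        -Mode Enforce
}

# Verify: the rule should be Enabled, in Enforce mode, and near the top.
Get-TransportRule | Where-Object { $_.Name -like 'Phish report*' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Mode, State -AutoSize
```

Like the EAC version, the rule can take a few hours to become active; the Report Message button still moves the mail to Junk E-mail client-side either way.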

Additional reading–Next Step toward hero status: Enterprise Install

Yep, sometimes Microsoft stuff works great, and this is one of those times.  They make this super-easy; the following instructions were copied from

https://docs.microsoft.com/en-us/office365/securitycompliance/enable-the-report-message-add-in

Get and enable the Report Message add-in for your organization

Important

You must be an Office 365 global administrator or an Exchange Online Administrator to complete this task. In addition, Exchange must be configured to use OAuth authentication. To learn more, see Exchange requirements (Centralized Deployment of add-ins).

1. Go to the Services & add-ins page in the Microsoft 365 admin center.

Report Message enterprise install

2. Choose + Deploy Add-in.

report message

3. In the New Add-In screen, review the information, and then choose Next.

message reporter phishing button add-in

4. Select I want to add an Add-In from the Office Store, and then choose Next.

message reporter phish button add-in

5. Search for Report Message, and in the list of results, next to the Report Message Add-In, choose Add.

phish button enterprise install

6. On the Report Message screen, review the information. If it looks good, choose Next.

phishing button enterprise install

7. Specify the user default settings for Outlook.  Here you can decide whether you want your end users to have a mandatory install, or make it optional.  I personally like the Mandatory setting 🙂    Choose Next.

Phish button message reporter options

8. Specify user or group to get the Report Message Add-in, and then choose Save.

Report Message phish options

Now in Outlook your users will have an icon that looks like this:

Outlook Report Message 'phishing' button

In Outlook web, you should see something like this:

If you followed the directions carefully, you should now have an enterprise-wide tool to report phishing to your internal team.  You did it! Now get on to reporting those bad emails!

Post a reply and let me know if it helped you and your organization, I’d love to hear any success stories!

Additional information:

Using the Report Message Add-in (Microsoft)

Download Windows Movie Maker–Essentials 2012

Windows Movie Maker was one of the easiest to use and most stable movie makers out there.  The last version was included in Windows Essentials 2012; it has been discontinued and went out of support in Jan. 2017.  I’ve looked for alternatives in the Windows Store and other places, and frankly all of the Windows 10 movie maker free or low cost software options SUCK.     As mentioned, Microsoft no longer supports the software and all links to download Windows Essentials 2012 have been discontinued.

After some searching, I was able to find some ‘web installs’ of the program, only to be disappointed that the download catalogs online are discontinued too and the installs would fail.

Luckily,  I did find a version out on the inter-webs that is a full version and requires no downloading during the install.  It’s an ‘all-in-one’ download, just like they were when I was just a hatch-ling.

The risk of this software going completely ‘extinct’ is high,  so I uploaded the install file and you can download it below!  Works just fine in Windows 10 on my computer. At this point I have no intention of ‘evolving’ to a more modern movie maker, I like it just the way it is.  So I will continue to make low cost, cheesy graduation slideshows, wedding slideshows and other cretaceous creations.

Download the Windows Movie Maker software here!

At the time of this posting, I ran the file against virustotal.com and everything looked great.  Below is the SHA-256….you can never be too careful.

SHA-256 072424c82f942f2b43b68b9154e1f3e0c61b7ee39a08372048ed34e09bd2554a

Fake and Look-alike Domains used in Phishing

What’s a look-alike domain?

Hackers sometimes use look-alike domains to confuse victims.  Look-alike domains look very similar to common domains, but are actually completely different.  An example is lbm.com vs. ibm.com: notice the ‘l’ instead of ‘i’. The strategy is rather simple: divert the end-user to the look-alike domain, wait for them to enter their credentials, then steal them. Look-alike domains can be purchased cheaply from many domain registrars and spun into production quickly, often by bad guys.

Many phishing emails contain malicious links to look-alike domains.  They are so common that learning to recognize them should be a part of every security awareness program, but let’s get real for a minute; someone in the organization is going to get tricked and click something they shouldn’t.  So how do companies protect themselves when we all know ‘people click stuff’? It’s one of the few hard-and-fast digital security facts you need to come to grips with.

How to defend against look-alike domains (and people who click stuff)

  • Training
    • Don’t skimp here; over-communicate the dangers, find a partner who can help with cloud-based training, or even run internal phishing campaigns to drive the point home.  Yes, training is good, but even 95% good is 5% bad, and the 5% bad is 100% bad — and that’s about the end of my math skills.
  • Buy look-alike domains
    • You’re probably wondering, “How do I even know what to buy, how is that even possible?”  Simple: use the open-source tool called URLCrazy to find the domains that could potentially be used against you, and then purchase the domain names!  Problem solved.    Okay, okay….  Since security teams and IT both have a limited budget, we need another solution, and a free one would be awesome.   How ’bout we just find the domains in URLCrazy and block end-users from clicking on them?
  • Block look-alike domains
    • Fire up a copy of Kali Linux and run URLCrazy from the command line, or for an online version, browse over to https://suip.biz/?act=urlcrazy and enter a domain name.  (That website has an online look-alike domain name generator using URLCrazy; very handy tool, but use it for good, not evil!)   You will get a long list of look-alike domains that someone could fraudulently use.   Here is an example of the first few from ‘nerdosaur.com’.

      URLCrazy results for nerdosaur.com

      Just for kicks, run URLCrazy for microsoft.com or facebook.com and check out the data on the look-alike domains…..it’s somewhat terrifying but educational.

    • Take the output from URLCrazy and import the look-alike domains to your internal DNS server.  Point each one at 127.0.0.1.  If you want to get real fancy, point them to an internal web server where you have a landing page that offers security awareness training or points to this blog! They will be protected from browsing to the bad domains, they’ll love it and my hit counters will go way up!  What’s not to love?
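The ‘import to your internal DNS server’ step, as an added example rather than anything from the original post: a loop that turns a URLCrazy domain list into sinkholed zones on a Windows DNS server. It assumes the DnsServer module is available on the server you run it from, and that C:\temp\lookalikes.txt is a placeholder path holding one domain per line, exported from URLCrazy.

```powershell
# Added example, not from the original post. Assumes a Windows DNS server with
# the DnsServer PowerShell module, and a constructed file lookalikes.txt with
# one look-alike domain per line (copied out of the URLCrazy output).
$lookalikeFile = 'C:\temp\lookalikes.txt'   # placeholder path
$sinkhole      = '127.0.0.1'                # or your awareness landing page IP
$ownDomain     = 'nerdosaur.com'            # never sinkhole your real domain

$domains = Get-Content $lookalikeFile |
    ForEach-Object { $_.Trim().ToLower() } |
    Where-Object { $_ -and $_ -notmatch '^#' } |   # skip blanks and comments
    Sort-Object -Unique

foreach ($d in $domains) {
    if ($d -eq $ownDomain) { Write-Warning "Skipping own domain $d"; continue }
    if (Get-DnsServerZone -Name $d -ErrorAction SilentlyContinue) {
        Write-Host "Zone $d already exists, skipping"
        continue
    }
    # Owning the zone authoritatively means every lookup for the look-alike
    # (and any host under it) gets the sinkhole address instead of the real one.
    # For AD-integrated zones use -ReplicationScope 'Domain' instead of -ZoneFile.
    Add-DnsServerPrimaryZone -Name $d -ZoneFile "$d.dns"
    Add-DnsServerResourceRecordA -ZoneName $d -Name '@' -IPv4Address $sinkhole  # zone apex
    Add-DnsServerResourceRecordA -ZoneName $d -Name '*' -IPv4Address $sinkhole  # any subdomain
    Write-Host "Sinkholed $d -> $sinkhole"
}

# Spot-check the first entry against the local server.
if ($domains) { Resolve-DnsName -Name $domains[0] -Server localhost -Type A }
```

Review the list before loading it: URLCrazy also emits variants the legitimate owner may have registered and redirects, and each zone created here overrides the public answer for your whole network.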

So, now that you’ve saved your world from one more techno-peril, help me teach everyone to be paranoid.

don't click

Dynamic Lock Windows 10 using Bluetooth

Security haters beware: here’s a useful security feature you might just like. It’s called Dynamic Lock.  This new feature adds a touch of security to your desktop without all the fuss and hassle of having to remember to lock your screen when you walk away.   Gone are the days of co-workers turning your screen upside-down when you take a trip to the rest room, or commandeering your computer while you aren’t looking to send emails to the CEO just because they can…(grrr…jerks….but I digress…).

I recently became aware of a useful new security feature in Windows 10 called ‘Dynamic Lock’.   This feature automatically locks your computer when a chosen paired bluetooth device is no longer reachable.  Walk to the kitchen–COMPUTER LOCKED!  Go out for a vape-break–LOCKED!  Visit the neighboring cubicle–well…errr….not quite far enough, but if someone is gutsy enough to sit in my chair while I still  have visual…more power to ’em!

Here’s how to set it up, starting with Windows 10 v. 15031  (to check what version of Windows 10 you have, type ‘winver’ in the search box and run the command).

  1. Go to Settings
  2. Go to Accounts
  3. Click on ‘Sign on options’
  4. Under Dynamic Lock, check ‘Allow Windows to detect when you’re away and automatically lock the device’
  5. If you haven’t already, set up a bluetooth device that the computer can connect to, such as your smartphone.
  6. Test it out by walking away, or turning off bluetooth on your smartphone.

Enjoy gloating in your new secure haven.  Well, on second thought…not quite…but every little security control helps.  It’s just one more layer of your defense in depth!

and that’s today’s word… from the nerd….

Dissecting a successful phishing attack

After several years of successful defense against constant phishing attacks, a company I represent finally fell victim.  An email link was clicked, credentials stolen, an account compromised, and money we were originally owed fell into the wrong hands.   Too often I’ve read all about this type of scam thinking of ways we can avoid problems, but after it happened I was truly struck by the competency of the attacker(s) and their ability to think and act quickly.  One moment of weakness and a click on the part of one employee set the whole fiasco in motion.

The company was an indirect victim here, one of our accounts was used as a ‘vehicle’ for the scam.   The actual victim was a company that we do business with.   The attacker, after stealing the credentials of our employee, used them to log in to the cloud email account and began reading the emails.  (We use a cloud-based system for email access, let’s just say you’ve heard of them and probably use them too).   The attacker found a financial exchange about to take place and inserted themselves into the email conversation, impersonating our end-user.  Email rules were set up to redirect any messages from the victim to an unseen folder, instead of the inbox.  Our employee saw no communication at all from the victim.  Any sent messages from the attacker, or any email trail was quickly deleted by the attacker so we would not become suspicious.  So, in reality our employee was using email without a clue something was going on with another login to the account.

The attacker then emailed the victim (within a few hours of the initial phish) with a story that our wire address had changed because of some ‘suspicious activity’ or ‘bad checks’ on our bank account, and quickly gave them a new bank routing number and other pertinent info. There was a ‘slight’ change in the look of the email signature (Red Flag #1), but other than that it looked legit.   The new bank was in a middle-eastern country (Red Flag #2) where we do not do business (Red Flag #3).

The victim had trouble with the new banking info, and could not use it.  The attacker kept pushing and pushing (red flag #4) to have them try again.  Finally the victim replied via email (again intercepted by the bad guy).  They were getting suspicious at this point and the whole thing looked like it was going to come crashing down.  They asked if there was someone else in the finance department they could talk to about this bad banking information.  (Nice work! ask to talk to someone else at the company!)

With me so far?? This is where it gets interesting.

The attacker had another tool in their arsenal aside from being shameless, deceitful and good at social engineering: a look-alike domain.   A look-alike domain is an internet domain that looks very similar to another domain. For example moor.com looks a lot like rnoor.com, but notice the ‘m’ is replaced by ‘r’ and ‘n’.   In this case the attacker registered the look-alike domain around the same time they started phishing, probably fully aware it could come in handy to impersonate another employee in our company.

Another fake email was sent from this look alike domain, spoofing an employee associated with our finance department giving full validation to the lies, and offering a different bank and routing number, this time a domestic bank.  Replies to the new spoofed address went to the look alike domain (Red Flag #5–check your reply-to addresses!), keeping everyone right where they wanted them, clueless.   This time the bank info was good, and money was wired.

Nearly a week had gone by when our employee was in his email and noticed a draft message go to their outbox, then disappear.   He became suspicious and called the help desk, who contacted the security guy, who had them change passwords immediately.  That kicked out the bad guy, but was just the start of the incident response, cleanup, and post-mortem.  I immediately suspected a phishing attack because credentials are so easily stolen that way.

Getting the money back after the wire was improbable, as too much time had gone by before the victim became aware of the scam.  Authorities were contacted (IC3 and FBI).  My association with InfraGard (www.infragard.org) was truly helpful in this situation, as it gives you instant recognition from the FBI, and direct access to a Special Agent who works these types of cases.   The report that I sent will be compared to others and maybe some of the information that I sent will help catch this thief.

Looking back, there were many ways this could have been prevented.  Doing all of your business through email, especially financial business is dangerous.  Always use the phone to verify financial info, never email.  Have a verification process and safe procedure for sending money via wire, this will help protect against phishing.  Watch for pushy and/or emotional emails demanding you hurry, try again or anything to drive your emotions up, because that is where your logic goes down.  Again, I know the technology is almost 150 years old, but it still works!  Pick up the phone and call!

Stop Clickers with Stickers! Security Awareness improvement for FREE!

Let’s see now, over the last several years working in IT Security and Security Awareness a few things have become crystal clear:

  1. Technologies are super easy to patch, you just need a process and a little buy-in.  After patching the risk is minimal.
  2. People can’t be patched, even though sometimes we really wish they could be.   After security awareness training the risk is still present, albeit hopefully minimized a degree.
  3. People need to be aware of security at all times, it has to become part of the business culture. Worrying about end users is what keeps me up at night–our business is one click away from losing brand reputation, money, private information or even (swallow hard) the IT Security guy’s job.  Generic security awareness is not good enough.

What if we security practitioners could keep security on the minds of employees all the time?  What if there was an easy way to keep people focused and thinking about the dangers of phishing emails, malicious websites and generally being more pro-security?   Sounds great right?  Where do I sign up?    Haha!  If it were only that easy!

Combining that need with some of the motivators I’ve experienced over the years gave me an idea:  What if the ‘free stuff’ phenomenon could actually drive down my phishing click rate?  Jeez…if it worked it would solve one of my main problems with security awareness (the ‘awareness’ part for about 10% of end users), and do it in a way that is positive all around!    Although it is in its infancy, I’ve been experimenting with this new method of ‘security through free stuff’.  Here’s how it works:

At security and IT conferences, I collect as much schwag (free promo materials) as I can, looking especially for the nice stuff (no offense to the pen-peddlers, but you guys really gotta up your game).  You know, Tshirts, cool laptop stickers, flashlights, rocketbooks, light sabers and other geeky stuff and gadgets.  Sign up for it all!  (then screen your calls for the next year…)  Then when I get back to the office, I give that stuff away like it were Aunt June’s fruitcake–but only after sneaking in a learning experience to unknowing end-users.   For example:

A recent email I sent to the IT group: ‘You can win this new cloud shaped stress ball, laptop sticker, pair of earbuds and a multi device charger if you answer the following question:   “According to Verizon’s 2017 Data Breach Executive Report, what percentage of breaches were caused by weak or stolen passwords?”’

Have the target audience send you the answer and raffle the schwag, keep track of the names in a txt file, then paste them in and randomly select a winner on a random selector site like http://www.miniwebtool.com/random-name-picker/      In this case there are actually two answers, although they are very close to each other–probably a rounding error!   But for those who give two answers, you have to assume they read the article fairly closely.  winning…Winning…..

Another idea is to have people reply with one security issue they have noticed in their work environment, and have each offer a possible solution to mitigate it.   This could work great for an IT team, because we all know of one area or another where there is a hidden risk that others may not be aware of.  It also gives the security guy insight into the inner workings of every IT employee’s area, including the risks and potential threats in their environment.  Mmuuhhaahahah!  Now you are getting it, right?

The great thing about this is it’s fun, it’s free and it disarms those people who are already grumpy about security by giving them something of apparent value for FREE!  The psychology behind this is fascinating.  Check out Rick Paulas’s column entitled “The Strange Effects of Free Stuff; How the allure of free tricks your mind into accepting irrational options”   In that article he talks about the ‘Zero Price Effect’.

“When people are offered something for free, they have this extreme positive reaction that clouds their judgment.”

Haha!  Clouds their judgment!  Hey, if that helps someone to NOT CLICK something, I’m all for it!

Hey y’all…If you’ve made it this far, maybe you’ve got an idea or two to share!  Share your ideas and suggestions below!  Or if you would just like to send me some schwag and help the cause, contact me privately: nerd at nerdosaur.com!

Ubiquiti NanoStation loco M5 installation: FarmYardWiFi

Recently I had the opportunity to expand the wireless signal from a farm house to the entire yard and outbuildings using Ubiquiti hardware. I had heard of the company, and saw many good reviews for the products. It seemed like Ubiquiti was an enterprise level wireless solution at a consumer price. After the install I was not disappointed.
The signal strength and coverage coming from the wireless APs and point to point links was more than I had expected.

Below is a aerial shot of the farm, and the methods I used to create the links. This solution would be great for any outdoor wireless needs. You could use it on a campus, lake home, backyard or for beaming wireless between buildings at the office. The devices are very easy to configure, and can be put in AP mode, repeater mode or station mode. If you are so inclined, you could create a mesh of several wireless devices and cover huge areas.

Map of farm yard wireless configuration

Link 1
From the house to the shed, I named the SSID ‘link1’ because I wanted to differentiate between wireless links to avoid confusion. On the house, we drilled a hole through the siding and into the crawl space, and ran an ethernet cable from the NanoStation into the network switch in the house. We mounted the NanoStations with a couple of mounting brackets (click for link to Amazon) and mounting arms. This helped to make quick work of the wireless mounting, and the brackets help you to aim both sides of the point to point link very easily without having to adjust the entire arm.

On the shed side of link1, I used the included POE injector to power the radio, and installed a small Linksys switch on the inside wall of the building. This gave me full network access to devices in the shed through the switch, and also allowed me to extend a network cable to the back of the shed to be plugged into the 2nd NanoStation that would be the access point for link2.

After a quick configuration using the built-in web interface on the devices, link 1 was up and running. To extend the wireless signal throughout the farm yard, a Ubiquiti UniFi AP Outdoor 2x2 MIMO was installed on a pole on the top of the shed. It was simply plugged into the Linksys network switch using the included POE injector and mounted to the shed. Configuration is different for these devices; they require the included Ubiquiti UniFi software to be installed on a computer somewhere in the network. The APs come up with a preconfigured IP address and you manually register them to the software. This helps to keep all the APs consistent, as they are all centrally managed and share the same SSID and security settings. The Outdoor MIMO and the NanoStation loco M5 have survived some violent storms, rain, wind, and hail that destroyed nearby outbuildings, and they never need a reboot! They are very reliable.

Link 2

Link 2 went from the small shed at the end of link 1 to the large outbuilding in the photo.  We mounted the M5 on the far end of the building to avoid snow and ice falling from the slanted tin roof in the winter.  Inside the building we used another small switch.  From the switch we ran a Ubiquiti access point to cover the inside of the building.  This building is double-lined with tin and insulation, so we didn’t get any signal from the yard APs unless you had the large doors open.  The single AP covers the inside very nicely, and since we used the same Ubiquiti software to configure it, there is no need to have additional SSIDs.

Finally, we added another outdoor MIMO on the north end of the building for additional yard coverage.

You do need some technical ability to set up a system like this, but overall it was not a difficult project.  Just remember you are ‘bridging’ from your network and set everything up accordingly.  By not adding additional networks, you remove the complications of having multiple networks.

Here’s another similar project from modernfarmer.wordpress.com

Finding personally identifiable information (PII) with PowerShell.

Good network security involves defense-in-depth. This means that you should implement several different defenses to keep your network, platform or computer secure. The first part of a good defense is to keep the bad guys out of your network using a firewall, but in the event that they circumvent your firewall you need ‘plan B’.   Plan B in this example could be application whitelisting on your devices, strong passwords, anti-malware, anti-virus, PC firewalls, least privilege network design etc. Okay, that’s all great– but what if bad guys are able to circumvent ‘plan B’?

That’s when you need to know what is on your network that they might want. If you have a server with personnel files or credit card information, that will most likely be the first place many miscreants would attack. But did you know there could be a goldmine of private information on your PCs and you don’t even know it? How much is the data on your PC worth? Brian Krebs has an interesting article called ‘The Scrap Value of a Hacked PC’.   The data on your PC may be worth more than you realize!

There are several tools out there that can find PII on your computer, but one easy and fast way is to run a PowerShell script. You can even use this script to find PII on other computers in your network. (Yes, if a bad guy gets in he could easily run this script against you and your network using the tools you currently have on your PCs.)

Simply open Powershell and paste in the following scripts to check your computer for SSN’s. When the script is finished, it will write a CSV file with the results.

Find SSN on remote PC
Note: Your credentials must be allowed on the target PC, adjust the path to suit your needs. The UNC path syntax works for all of the examples below to hit remote targets.
Change computername from ‘mypc’, and username from ‘myusername’ to your target computer and username
Change the path to a local path to scan locally, for example c:\users\fred

# +++++++++++++++++++ Finds SSN with space or dash (-) between numbers on a remote PC ++++++++++++++++++++
# -Recurse walks the whole folder; -Force includes hidden files; -Include limits by extension.
# Select-String runs the regex on every line and Export-Csv writes Path/Line/LineNumber for each hit.
Get-ChildItem -Path "\\mypc\c$\users\myusername\desktop" -Recurse -Force -Include *.doc, *.docx, *.xls, *.xlsx, *.txt, *.pdf, *.ppt, *.pptx | Select-String "[0-9]{3}[- ][0-9]{2}[- ][0-9]{4}" | Select-Object Path, Line, LineNumber | Export-Csv "c:\ssn_pii.csv" -NoTypeInformation

Now that we’ve established we can look for ssn’s, let’s scan for files on your PC with the word ‘Password’ in them.

# +++++++++++++++++++ Finds 'password' in documents, and saves to csv file ++++++++++++++++++++
# Select-String is case-insensitive by default, so "password" also matches "Password" and "PASSWORD".
Get-ChildItem -Path "c:\users\" -Recurse -Force -Include *.doc, *.docx, *.xls, *.xlsx, *.txt, *.pdf, *.ppt, *.pptx | Select-String "password" | Select-Object Path, Line, LineNumber | Export-Csv "c:\passwordPII.csv" -NoTypeInformation

Now let’s scan for credit card numbers on your PC:

# +++++++++++++++++++ Finds any cc numbers in documents, and saves to csv file ++++++++++++++++++++
# First digit 3/4/5/6 covers the common card brands; groups of four separated by a space or dash.
Get-ChildItem -Path "c:\users" -Recurse -Force -Include *.doc, *.docx, *.xls, *.xlsx, *.txt, *.pdf, *.ppt, *.pptx | Select-String "[3456][0-9]{3}[- ][0-9]{4}[- ][0-9]{4}[- ][0-9]{4}" | Select-Object Path, Line, LineNumber | Export-Csv "c:\CC_PII.csv" -NoTypeInformation

I’ve found that some of these scripts give false alarms, as there are a lot of temp files with all sorts of numeric data in them, but the goal here is to find obvious breaches in your security at little to no cost. If you want a full detailed report and automatic scans, you probably should be looking at a fully supported software solution.
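To cut down the false alarms just mentioned, the candidates the regexes above return can be checked before they land in the CSV: card numbers with the Luhn check, SSNs against the ranges the SSA never issues. This is an added example, not code from the original post; it runs over a constructed sample of lines standing in for file contents, and 4111 1111 1111 1111 is a well-known public test number, not a real card.

```powershell
# Added example, not from the original post. Validates the hits the page's
# CC and SSN regexes produce so obvious junk is dropped before it reaches
# the CSV. Uses a constructed sample here; feed it the .Line values from
# Select-String to apply it to a real scan.
function Test-Luhn {
    param([string]$Digits)   # digits only, no separators
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $n = [int][string]$Digits[$i]          # [string] first: [int][char] gives the code point
        if ($double) { $n *= 2; if ($n -gt 9) { $n -= 9 } }
        $sum += $n; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Test-SsnPlausible {
    param([string]$Ssn)      # NNN-NN-NNNN or NNN NN NNNN
    $area, $group, $serial = $Ssn -split '[- ]'
    # SSA never issues area 000, 666 or 900-999, group 00, or serial 0000
    if ($area -eq '000' -or $area -eq '666' -or [int]$area -ge 900) { return $false }
    if ($group -eq '00' -or $serial -eq '0000') { return $false }
    return $true
}

# Same patterns as the scripts above, with word boundaries so a 16-digit
# card number is not also carved up into a bogus SSN.
$ccPattern  = '\b[3456][0-9]{3}[- ][0-9]{4}[- ][0-9]{4}[- ][0-9]{4}\b'
$ssnPattern = '\b[0-9]{3}[- ][0-9]{2}[- ][0-9]{4}\b'

# Constructed sample input standing in for lines read from scanned files.
$sampleLines = @(
    'Card on file: 4111 1111 1111 1111',   # passes Luhn (public test number)
    'Order ref 4111-1111-1111-1112',       # fails Luhn: a false alarm
    'Employee SSN 123-45-6789',            # plausible
    'Serial 666-12-3456',                  # area 666 is never issued
    'Build id 900-00-0000'                 # area >= 900 and group 00
)

function Get-PiiHits {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($m in [regex]::Matches($line, $ccPattern)) {
            $digits = $m.Value -replace '[^0-9]', ''
            [pscustomobject]@{ Type = 'CC';  Value = $m.Value; Valid = (Test-Luhn $digits);          Line = $line }
        }
        foreach ($m in [regex]::Matches($line, $ssnPattern)) {
            [pscustomobject]@{ Type = 'SSN'; Value = $m.Value; Valid = (Test-SsnPlausible $m.Value); Line = $line }
        }
    }
}

# Only Valid = True rows deserve a closer look; the rest are the "temp file" noise.
Get-PiiHits -Lines $sampleLines | Format-Table Type, Value, Valid -AutoSize
```

One more reason hits are sparse or noisy: Select-String matches on raw file bytes, so these patterns are only found reliably in plain-text files; .docx, .xlsx and most .pdf files are compressed and will not match even when they contain the data.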

Now that you know how easy it is to find PII on your computers, clean them up and be careful where you use and keep your private data!

Add a Report Phishing Button in Outlook

Add a ‘report phishing’ button in Outlook; forward spam and phishing emails to your internal security team the right way!

  • NOTE:  This article has been updated with an additional easier option for building an enterprise-wide phishing button.  Check it out here.  

PhishMe offers a great solution for the enterprise with its anti-phishing training and phishing simulations. The service also provides an easy way for end-users to report the messages to their IT department and use them for statistical tracking. Their solution for end-user reporting is an add-in in Outlook, providing a simple way for the end-user to click a button to report messages. I wanted the same thing for my security program, but we didn't contract with PhishMe, so I needed another solution. I didn't want to enlist a developer to create an Outlook add-in button, so I came up with a relatively easy solution. If you are good at scripting or have some workstation management tools this should be no problem to implement across the enterprise. Below are the steps you can use to reproduce a 'report phish' button in Outlook that automatically sends your security or IT department a full copy of the phishing emails. It also does more than forward the email: it sends the junk mail as an attachment in an email, preserving the message headers that will be needed for forensics.

  1. Install the Microsoft Junk Email reporter add-in for Outlook 2010 or 2013. The download can be retrieved at  https://www.microsoft.com/en-us/download/details.aspx?id=18275

  2. Open Outlook and verify you now see the junk options in the ribbon.

(Screenshot: Outlook phish button)

  3. Right-click a blank space in the ribbon and choose 'Customize Ribbon'. On the right side, under "Customize the Ribbon" select Main Tabs, and expand the Home (Mail) tab.  Click the 'New Group' button and rename it to be something useful, such as "report junk" or "report phish".

(Screenshot: phishing outlook button 3)

  4. Next, select the 'report junk' button on the left side, and add it to the 'report phish' group you just created by clicking the 'add>>' button.  Rename it and give it an icon of your choice.  Now you should have a new icon in your main mailbox view that you can use to report junk.  By default, the add-in will only report the junk to Microsoft; however, with a registry hack you can blind-copy (BCC) an email address of your choice.  The full junk mail message will be sent as an attachment, with all the header information that is missing from a forwarded message.  This works great for sending to an IT department or a security operations center (SOC).

(Screenshot: outlook phish 4)

  5. Your Outlook ribbon should now look similar to this:

(Screenshot: outlook phish button toolbar)

  6. How to report phishing to your IT department across the enterprise: if you want the junk email reporter to forward to your IT department, add the destination email address to the registry using the following registry key.  (Typical registry hack warning here: don't do this if you don't know what you are doing...)  You can also copy the following lines and create your own .reg file; I'll leave that up to you.  Replace the email address in the code with the address that will get a copy of the message.

  7. The .reg file contents:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Junk E-mail Reporting\Addins]
"BccEmailAddress"="phishy@yourdomainhere.com"

  8. (Optional) Open an email in Outlook.  Since Outlook uses a new ribbon for this view, you have the option of putting the new button in the mail-read view too.  Repeat steps 3-6 to create a button in the mail-read view if you choose.

  9. Now that you have created the new buttons, test them to make sure they work using an email address of your choice.

  10. If you want to apply this to multiple computers across the enterprise, there are several ways you can do it: use a script, SCCM or a workstation admin tool of your choice.  Make sure the following requirements are met on your PCs and you should be good to go:
    1. Verify that the junk email reporting add-in is installed.
    2. Copy the .reg key from step 7 to all computers, or manually edit the registry with the email address you want the junk email to be forwarded to.
    3. From your working test computer, find the files called olkexplorer.officeUI and olkmailread.officeUI in C:\Users\%username%\AppData\Local\Microsoft\Office\.  These files contain the ribbon info that you just created.  You can copy them to the users' profiles, overwriting the files that are currently there.  Note: this may delete previously created custom ribbons if they exist, so it may be a good idea to rename the old files first.
    4. Restart Outlook.
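The enterprise rollout above, as an added example script for one target PC (my own code, not from the original post): it checks for the add-in, writes the BCC value, and copies the two ribbon files into every profile after renaming any existing ones. The function and parameter names are mine, and the add-in check assumes the add-in's registry key exists once it is installed; the registry path and file names come from the steps above.

```powershell
# Added example: apply the rollout requirements on one PC. Run with admin rights,
# locally or via Invoke-Command, or push it with your workstation tool.
function Install-PhishButton {
    param(
        [Parameter(Mandatory)][string]$BccAddress,                   # mailbox that receives reported messages
        [string]$TemplateDir = "$env:LOCALAPPDATA\Microsoft\Office"  # ribbon files from your working test PC (UNC path is fine)
    )
    $addinKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Junk E-mail Reporting\Addins'

    # 1. Verify the Junk E-mail Reporting add-in is present (assumption: its key exists once installed)
    if (-not (Test-Path $addinKey)) {
        throw "Junk E-mail Reporting add-in key not found on $env:COMPUTERNAME; install the add-in first."
    }

    # 2. Set the BCC address the add-in uses (same value as the .reg file in step 7)
    Set-ItemProperty -Path $addinKey -Name 'BccEmailAddress' -Value $BccAddress

    # 3. Copy the customized ribbon files into every user profile, renaming any existing ones first
    $ribbonFiles = 'olkexplorer.officeUI', 'olkmailread.officeUI'
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    $copied = 0
    foreach ($profile in Get-ChildItem -Path 'C:\Users' -Directory) {
        $officeDir = Join-Path $profile.FullName 'AppData\Local\Microsoft\Office'
        if (-not (Test-Path $officeDir)) { continue }   # profile has never run Office; skip it
        foreach ($file in $ribbonFiles) {
            $src = Join-Path $TemplateDir $file
            $dst = Join-Path $officeDir $file
            if (-not (Test-Path $src)) { throw "Template ribbon file missing: $src" }
            if (Test-Path $dst) { Rename-Item -Path $dst -NewName "$file.$stamp.bak" }   # keep old custom ribbons
            Copy-Item -Path $src -Destination $dst
            $copied++
        }
    }

    # 4. Outlook only reads the ribbon files at startup, so the user has to restart it
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        Write-Warning 'Outlook is running; the new button appears after the next Outlook restart.'
    }
    return $copied
}

# Usage: Install-PhishButton -BccAddress 'phishy@yourdomainhere.com' -TemplateDir '\\testpc\c$\users\fred\AppData\Local\Microsoft\Office'
```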

I've noticed that this does not work in 64-bit Office installs; I assume this has something to do with the junk email reporting add-in.  These instructions will work with Windows 7 and Office 2010 and 2013.  It takes a little effort to get this working enterprise-wide, but when combined with security training and phishing simulations it gives you some great information on how end-users react to phishing emails.  It also empowers the end-user.  They are now becoming part of the solution, instead of part of the problem.

I'd really like to hear from you!  Let me know if you try this, or if you have any other solutions to make life a little better while fighting spam and phish attacks!

If you want to better understand the adversary, Brian Krebs has a great book called Spam Nation.  I highly recommend a read through.  The book is available through Amazon and the affiliate link is below.


How to Manage Spear Phishing Threats

For the last few years, the number of spam emails seems to have gone up drastically.  Along with this, the danger of the emails has increased significantly as well.  Now that most of the pharmaceutical emails are being blocked either in the cloud or at the network perimeter, most of what is left is zero-day viruses and malware or other heinous exploits that can wreak havoc in the network.  Often, this malware can steal passwords or other private information, or take your files for ransom and cost you hundreds of dollars, lost productivity and employee time.

This is one of the areas of network security we are constantly watching and trying to stay ahead of.

There are two basic types of spam email:

  1. Spam: Unwanted and unsolicited email advertising for legit, or not-so-legit products.  Often including pharmaceuticals that should not be talked about in polite company.   Spam is literally ‘spammed’ to thousands of recipients, with the hope that a few make it through the spam filters and someone buys the product.
  2. Phishing: Phishing is sent in a similar fashion, but the end motive is much different.  Phishing emails are sent to trick the recipient to click on an embedded link or an attached file so that malware can be installed.   The malware can do anything from encrypt your files (ransomware), to exploit a weakness in an application on your computer, which can lead to the bad guys completely taking over your computer, or using it for illegal purposes.

Phishing can be broken down even further:

  1. Spear phishing: The bad guy does some reconnaissance and finds out some specifics about who works at a company and what their job is, then specifically targets that individual with an email that looks legit but has fraudulent intentions.  For example, a bad guy may find out you work in accounts payable and may send you a fraudulent mail asking for money to be wired to a new account.  This can be especially troubling if the bad guy has done some good research and knows your clients.  They can then spoof the domain of your client and send you a legit-looking email.  It's a good idea to keep as much information that can be used this way off the internet (specifically LinkedIn or Facebook).  Keep your information private, especially when it comes to business and partners.
  2. Whaling: Where would you go if you wanted to steal as much money as possible?  Well to the people who have access to the money, silly!  This is called whaling for obvious reasons, they go for the big fish—maybe your company’s CEO/CFO/CIO/President/VP.  If they don’t have good training in phishing and network security, your whole business is at risk.   I have personally seen many attempts at whaling and they look something like this:

CFO gets an email from the CEO asking if the wire to xxx company has gone through yet, they need it done now! CFO believes they missed the first email so obviously the CEO is angry because they are late in acting (or so the bad guys would have you believe).   The CFO, recognizing the email is from the CEO (a spoofed email) acts quickly and wires the money to the account in the previously attached PDF file.

Managing the fraudulent email threat

So how do you protect against this type of threat?  Well, most businesses are using some type of malware protection, spam filtering and anti-virus software.  That is a good first step, and is needed for a solid foundation in email and network security.  However, it doesn't protect you against the latest trend in malware, which uses zero-day exploits that traditional antivirus can't detect.  Antivirus is signature-based, and time is needed to create the signatures and get them to your PC.  Spam filtering is typically signature-based as well.  Zero-day exploits are called zero-day because they come out quickly, before any signatures can be written.  Bad guys are always looking for weaknesses in your protection, and you will always have weaknesses.  The best way to stop spam from infecting your PC or network is to train your employees about the threats of phishing, spam and unsolicited email.

Emailed malware or fraud attempts fail 100% of the time when users don't click the email link, or don't respond to the suspicious request.

100% is a pretty good number, and it can be achieved through non-technical means: training.

Fraudulent Email Security Training

A great way to train employees not to click is to send them simulated phishing messages.  Study some of the phishing email examples, and try to reproduce them.  Focus especially on those who are the greatest targets.  The focus here is not to humiliate your employees, but to let them know this is a significant problem and you are here to help.  It helps the company, but will also help the employees in their personal digital world when they leave the office.  There are some great partners in the cloud to help with this, and many offer free trials to check out their services. Here are a few:

Phishme.com   Excellent resources and education.  Easy to use and offers a nice Outlook add-in that employees can use to report the email to IT.  (This can be done for free using Microsoft’s junk email reporter, but I digress…look for more details  in a future post)

KnowBe4.com  Great service that includes Kevin Mitnick Security Awareness training videos.  The videos seem to be more 'real world' than the others I've seen.  They really explain the threat from an end-user perspective, and are very valuable in helping employee awareness.  The simulated phishing is second to none, having many email templates so you can adjust your training based on your company's threat levels.

Phish5.com  One thing I can say about phish5 is that their price is right.  When I looked at them they were very affordable, and had many email templates that could be used.  The only issue I had with them was their inability to provide me with customer testimonials; they didn't follow up when I asked.

Others   There are many others out there, and more coming all the time.  Post below any that I missed or you have experience with.

From the IT perspective

I've found a few home-grown solutions to help the IT department track phishing emails with the help of employees, but I will save that more technical discussion for another post.  The key here for IT is to know your enemy.  Do you know what emails are getting sent to your employees today?  Do you know how they currently respond to the emails?  Do they regard clicking on that spam as a serious problem, or are they relying on IT to fix it if something happens?  These are all good questions to ask, and I suggest you gather as much information as you can now; it will come in handy when you develop a training program.

There are several ways bad guys can get personal information, including traditional hacking, bad passwords, unknown or forgotten ingresses to the network (think wireless or VPN), unscrupulous vendors, and even disgruntled employees.  All can be major security issues for your organization.  Review and know your network, and train employees on the basics like phishing, password complexity and other things you take for granted working in IT.  Remember, network security is becoming everyone's job, not just IT's.  Spread the love!