Consistent threads for compromised accounts

[Frank Barton <bartonf () HUSSON EDU>]

Good morning folks, we've been phished pretty heavily here at Husson, and
we've been able to determine a couple of red-flags. I'm not sure that I
want to publish those that we've found, but I'm wondering if anybody else
has seen similar threads.


   - We've seen some "test" messages that seem to get sent to specific
   accounts when the account is first compromised
   - send-as addresses are changed (often giving us a trail to follow back)
   - we've seen a trend in the phishing URLs that are included in the
   messages.

Thoughts?

Thank You
Frank

-- 
Frank Barton
ACMT
IT Systems Administrator
Husson University