Educause Security Discussion mailing list archives
Re: Upgrade to Available email scam
From: Ken Munro <Ken.Munro () MSVU CA>
Date: Fri, 22 May 2020 12:07:24 +0000
Hi. Yes, we get a lot of these as well, and we use Office 365 ATP Anti-Phishing. I agree that ATP Anti-Phishing is really an anti-impersonation tool, or a spear phishing protection tool. It doesn’t help with more spam-like, bulk phishing. It does help with payroll fraud, wire transfer fraud, and with the gift card scams. It’s worth using if you have it, IMHO. The 50 protected persons limit is annoying, but you can get around this by creating more than one ATP Anti-Phishing policy. Each policy is limited to protecting 50 accounts. I have set up three policies, one for our executive-level management, one for our middle management, and one for our academic departmental chairs. These are mostly who are targeted as they are seen as having spending approval power by the fraudsters, I reckon. There is the risk of false positives, like if someone really emails from their personal account to a work colleague, so we have it set to just send the suspected emails to the junk folder, as opposed to outright deleting them or putting them in quarantine. In the Office 365 Security and Compliance Centre, there is a report called “Impersonations over the last 7 days” that I review to look for false positives. It reports on impersonated domains and email addresses. Happy Friday. ________________________________________ Ken Munro Security Compliance and Training Specialist Information Technology and Services Mount Saint Vincent University 166 Bedford Highway Halifax, NS B3M 2J6 (902) 457-6150 ken.munro () msvu ca<mailto:ken.munro () msvu ca> Confidentiality Notice: This email may be private and confidential. If you have received this e-mail by mistake, please immediately notify the sender by e-mail or telephone, delete it from your system, and do not copy or distribute it. Phishing Warning: IT&S does not request passwords or other personal information via email. Messages requesting such information are phishing attempts and should be deleted. From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S Sent: Thursday, May 21, 2020 5:52 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Upgrade to Available email scam [ Email originated outside of MSVU, use extra caution. ] We’ve been seeing the evolution of these as well. We have Office 365 ATP and APP (Anti-Phishing Protection). The APP is really Anti-Impersonation and seems to kill a lot of these. The problem is that APP must be very resource intense. It has some very strict limitations (50 users per policy I think). It’s really geared towards protecting executives. We are a medium sized university (15K students, 2K staf/faculty). I would like to add all of our staff, but even adding all of our VPs/AVPs/Deans we approach that 50 limit ver quickly. We’ve also had some higher level professional staff targeted as part of these campaigns. Michael Menne, CISSP Chief Information Security Officer IT Solutions Information Security Minnesota State University, Mankato Phone: (507) 389-5705 www.mnsu.edu/its/security<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.mnsu.edu%2Fits%2Fsecurity&data=02%7C01%7Cmichael.menne%40mnsu.edu%7C00f2f1afdcf544ac511508d758826763%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637075189428878307&sdata=%2FUAwDG0vB%2BVztf92DOtb6gMc78WzZhdfsjAyBSKlbHU%3D&reserved=0> minnstate.zoom.us/j/5073895705<https://minnstate.zoom.us/j/8364614046> [signature_2008603909] Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> on behalf of "King, Ronald A." <raking () NSU EDU<mailto:raking () NSU EDU>> Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Date: Thursday, May 21, 2020 at 1:46 PM To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> Subject: Re: [SECURITY] Upgrade to Available email scam Thanks. We have been seeing a lot of these from user.nsu.edu () gmail com<mailto:user.nsu.edu () gmail com>. Had some users respond but luckily didn’t buy the gift cards. Ron Ronald King Director of OIT Security Office of Information Technology (757) 823-2916 (Office) raking () nsu edu<mailto:raking () nsu edu> www.nsu.edu<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nsu.edu%2F&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C17dfa683eacf4209770b08d7fdb741c1%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637256835840104068&sdata=hoSR1Tq1l2LjEKsCaaBpMPJFFHevYjGRTRuw4MlX7e8%3D&reserved=0> @NSUCISO (Twitter) [NSU_logo_horiz_tag_4c - Smaller] From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>> On Behalf Of Curt Kappenman Sent: Thursday, May 21, 2020 11:15 AM To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU> Subject: [SECURITY] FYI: Upgrade to Available email scam CAUTION: This email originated from OUTSIDE of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe! We started receiving this upgrade to the “Available?” email scam that we have all probably grown tired of. We started receiving this variant yesterday in our system: Subject: <no subject> Hi this is Dr. David Larson, This is my personal gmail. Text me only on here, I need you to do something's for me. Are you available ? Dr. David Larson Dean of the The South Carolina School of the Arts and Professor of Theatre They will try anything to get users to respond. Curt Kappenman Security Compliance Officer Anderson University Anderson, SC ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C17dfa683eacf4209770b08d7fdb741c1%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637256835840114068&sdata=tKvAmnMa5XAXkpP8iWfzi1EDX8qenOh6SCFtqnpyGqY%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C17dfa683eacf4209770b08d7fdb741c1%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637256835840114068&sdata=tKvAmnMa5XAXkpP8iWfzi1EDX8qenOh6SCFtqnpyGqY%3D&reserved=0> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Re: Upgrade to Available email scam Menne, Michael S (May 21)
- Re: Upgrade to Available email scam Ken Munro (May 22)