Re: Upgrade to Available email scam

[Ken Munro <Ken.Munro () MSVU CA>]

Hi.

Yes, we get a lot of these as well, and we use Office 365 ATP Anti-Phishing. I agree that ATP Anti-Phishing is really 
an anti-impersonation tool, or a spear phishing protection tool. It doesn’t help with more spam-like,  bulk phishing. 
It does help with payroll fraud, wire transfer fraud, and with the gift card scams. It’s worth using if you have it, 
IMHO.

The 50 protected persons limit is annoying, but you can get around this by creating more than one ATP Anti-Phishing 
policy. Each policy is limited to protecting 50 accounts. I have set up three policies, one for our executive-level 
management, one for our middle management, and one for our academic departmental chairs. These are mostly who are 
targeted as they are seen as having spending approval power by the fraudsters, I reckon.

There is the risk of false positives, like if someone really emails from their personal account to a work colleague, so 
we have it set to just send the suspected emails to the junk folder, as opposed to outright deleting them or putting 
them in quarantine.

In the Office 365 Security and Compliance Centre, there is a report called “Impersonations over the last 7 days” that I 
review to look for false positives. It reports on impersonated domains and email addresses.

Happy Friday.


________________________________________
Ken Munro
Security Compliance and Training Specialist
Information Technology and Services
Mount Saint Vincent University
166 Bedford Highway
Halifax, NS B3M 2J6
(902) 457-6150
ken.munro () msvu ca<mailto:ken.munro () msvu ca>

Confidentiality Notice: This email may be private and confidential. If you have received this e-mail by mistake, please 
immediately notify the sender by e-mail or telephone, delete it from your system, and do not copy or distribute it.

Phishing Warning: IT&S does not request passwords or other personal information via email. Messages requesting such 
information are phishing attempts and should be deleted.



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Menne, Michael S
Sent: Thursday, May 21, 2020 5:52 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Upgrade to Available email scam


[ Email originated outside of MSVU, use extra caution. ]
We’ve been seeing the evolution of these as well. We have Office 365 ATP and APP (Anti-Phishing Protection).  The APP 
is really Anti-Impersonation and seems to kill a lot of these. The problem is that APP must be very resource intense. 
It has some very strict limitations (50 users per policy I think). It’s really geared towards protecting executives. We 
are a medium sized university (15K students, 2K staf/faculty). I would like to add all of our staff, but even adding 
all of our VPs/AVPs/Deans we approach that 50 limit ver quickly.  We’ve also had some higher level professional staff 
targeted as part of these campaigns.


Michael Menne, CISSP
Chief Information Security Officer
IT Solutions Information Security
Minnesota State University, Mankato
Phone:  (507) 389-5705
www.mnsu.edu/its/security<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.mnsu.edu%2Fits%2Fsecurity&data=02%7C01%7Cmichael.menne%40mnsu.edu%7C00f2f1afdcf544ac511508d758826763%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637075189428878307&sdata=%2FUAwDG0vB%2BVztf92DOtb6gMc78WzZhdfsjAyBSKlbHU%3D&reserved=0>
minnstate.zoom.us/j/5073895705<https://minnstate.zoom.us/j/8364614046>

[signature_2008603909]

Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended 
recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or 
distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and 
destroy all copies of the original message.



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of "King, Ronald A." <raking () NSU EDU<mailto:raking () NSU EDU>>
Reply-To: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>>
Date: Thursday, May 21, 2020 at 1:46 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] Upgrade to Available email scam

Thanks. We have been seeing a lot of these from user.nsu.edu () gmail com<mailto:user.nsu.edu () gmail com>. Had some 
users respond but luckily didn’t buy the gift cards.

Ron

Ronald King
Director of OIT Security

Office of Information Technology
(757) 823-2916 (Office)
raking () nsu edu<mailto:raking () nsu edu>
www.nsu.edu<https://nam02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.nsu.edu%2F&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C17dfa683eacf4209770b08d7fdb741c1%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637256835840104068&sdata=hoSR1Tq1l2LjEKsCaaBpMPJFFHevYjGRTRuw4MlX7e8%3D&reserved=0>
@NSUCISO (Twitter)
[NSU_logo_horiz_tag_4c - Smaller]

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Curt Kappenman
Sent: Thursday, May 21, 2020 11:15 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] FYI: Upgrade to Available email scam

CAUTION:  This email originated from OUTSIDE of the organization. Do not click links or open attachments unless you 
recognize the sender and know the content is safe!
We started receiving this upgrade to the “Available?” email scam that we have all probably grown tired of.  We started 
receiving this variant yesterday in our system:

                Subject: <no subject>

Hi this is Dr. David Larson, This is my personal gmail. Text me only on here, I need you to do something's for me. Are 
you available ?
Dr. David Larson
Dean of the The South Carolina School of the Arts and Professor of Theatre

They will try anything to get users to respond.

Curt Kappenman
Security Compliance Officer
Anderson University
Anderson, SC

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C17dfa683eacf4209770b08d7fdb741c1%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637256835840114068&sdata=tKvAmnMa5XAXkpP8iWfzi1EDX8qenOh6SCFtqnpyGqY%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cmichael.menne%40MNSU.EDU%7C17dfa683eacf4209770b08d7fdb741c1%7C5011c7c60ab446ab9ef4fae74a921a7f%7C0%7C0%7C637256835840114068&sdata=tKvAmnMa5XAXkpP8iWfzi1EDX8qenOh6SCFtqnpyGqY%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community