Detect Successful Phishing Attacks


Why Only Trying to Prevent Phishing Attacks Is Not Enough for Organizations

Every IT security professional is well aware that phishing is one of the most successful attack vectors used by threat actors. Even though it is one of the oldest attack techniques, it is still heavily used in the wild, simply because it works. Phishing campaigns can be very effective because they build on the premise that people can be tricked with the right timing and messaging. No matter how many hours are spent educating employees and how vigilant they are, phishing attacks can always find a way to lure people into clicking somewhere they shouldn't or giving away their corporate credentials.

This is why many IT security products have some kind of anti-phishing functionality built in, and there are even dedicated products whose sole purpose is to block the delivery of phishing campaigns. However, these solutions have one thing in common: they all try to prevent phishing in the first place. But what happens when they fail? Perhaps the phishing campaign was sophisticated enough (as in the case of spear phishing), or the product was not properly updated. If those lines of defense are not strong enough to stop the delivery of the phishing attempt, we are at the mercy of how vigilant the employees are.

Shadow IT Discovery to Detect Successful Phishing Attacks

Scirge can detect any web form submission (such as a login, a registration, or any other credential submission) using centrally managed policies. A typical policy is to monitor the usage of all corporate email domains, and it turns out that this is a fairly good way to detect successful phishing attacks. Imagine a user who receives a phishing email that somehow got through the spam filter (which is quite common, simply due to the sheer number of attempts or the sophistication of the campaign). The user clicks the link in the phishing email and lands on a carefully crafted – and seemingly legitimate – website, where corporate credentials are requested in order to "receive" the document promised in the email. When the user submits the corporate credentials, the Scirge Endpoint Browser Extension catches this event and reports it back to the Central Server – exactly as it would for any legitimate third-party cloud app or web service. On the Central Server dashboard, this appears in the inventory as a new account and a new app, which helps to identify these successful attacks.

To make this even more useful, Scirge automatically collects metadata and threat intelligence about every discovered web application, including blacklist checks, domain age, and so on. Domain age is extremely useful in this specific case, because phishing campaigns are usually short-lived and use freshly registered domains (reputation-based blacklist databases eventually catch up with them). Scirge shows this as an indicator and can even use it for workflow automation. It is very easy to create a workflow (in fact, there is a built-in one for this use case) in which a corporate credential submission detected on a new app with a freshly registered domain triggers certain actions, such as sending an email to the IT security department, sending Syslog to a SIEM or SOC, or making custom third-party API calls.

With its password reuse detection capabilities, Scirge can also show whether the submitted credential was the user's AD/LDAP password. This is very powerful when it comes to securing AD accounts. The icing on the cake is that these workflows can also be used to educate employees and raise awareness: custom email messages can be sent to the affected person in near real time – for instance, to notify them of the phishing attack, explain what happened, and ask them to change their password.
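The following is an added illustration of the workflow rule described above (corporate credential submission on a new app with a freshly registered domain, escalated when the AD/LDAP password was reused). It is not Scirge's code; the event schema, the field names, the 30-day freshness threshold, the action labels and the registration-date lookup table are all constructed assumptions, and the sample submissions are made up. It runs offline and shows how the indicators combine into an alert and into a flat Syslog-style line for a SIEM.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed policy values; a real deployment would take these from configuration.
CORPORATE_EMAIL_DOMAINS = {"example-corp.com"}
FRESH_DOMAIN_MAX_AGE_DAYS = 30

# Constructed stand-in for a WHOIS/RDAP registration-date lookup (hypothetical data).
REGISTRATION_DATES = {
    "portal.example-corp.com": date(2010, 5, 1),
    "docs-share.example": date(2018, 3, 12),
    "example-corp-docs.example": date(2024, 6, 1),
}


@dataclass(frozen=True)
class Submission:
    """One web-form credential submission reported by an endpoint (hypothetical schema)."""
    user: str                        # email address typed into the form
    host: str                        # host the form was submitted to
    observed: date                   # day the submission was seen
    reused_directory_password: bool  # result of the endpoint's password-reuse check


@dataclass
class Finding:
    user: str
    host: str
    new_app: bool
    domain_age_days: Optional[int]
    indicators: List[str]
    actions: List[str]


class Inventory:
    """Apps already discovered; seeded with hosts that are known and trusted."""

    def __init__(self, known_hosts):
        self.known_hosts = set(known_hosts)

    def is_new(self, host: str) -> bool:
        return host not in self.known_hosts

    def record(self, host: str) -> None:
        self.known_hosts.add(host)


def domain_age_days(host: str, observed: date) -> Optional[int]:
    """Days since registration, or None when no registration date is available."""
    registered = REGISTRATION_DATES.get(host)
    return (observed - registered).days if registered else None


def evaluate(sub: Submission, inventory: Inventory) -> Optional[Finding]:
    """Apply the monitoring policy to one submission.

    Returns None when the submission is out of scope (non-corporate email address).
    Otherwise returns a Finding whose `actions` list is non-empty only when the
    new-app + fresh-domain rule fires; password reuse adds a user notification.
    """
    if sub.user.rsplit("@", 1)[-1].lower() not in CORPORATE_EMAIL_DOMAINS:
        return None

    new_app = inventory.is_new(sub.host)
    age = domain_age_days(sub.host, sub.observed)
    indicators = []
    if new_app:
        indicators.append("new-app")
    if age is not None and age <= FRESH_DOMAIN_MAX_AGE_DAYS:
        indicators.append(f"fresh-domain:{age}d")
    if sub.reused_directory_password:
        indicators.append("directory-password-reused")

    actions = []
    if new_app and any(i.startswith("fresh-domain") for i in indicators):
        actions = ["email:it-security", "syslog:siem"]
        if sub.reused_directory_password:
            actions.append("email:user-reset-password")

    inventory.record(sub.host)  # every in-scope app is inventoried, alert or not
    return Finding(sub.user, sub.host, new_app, age, indicators, actions)


def syslog_line(f: Finding) -> str:
    """Flat key=value line, the shape a SIEM parser handles easily."""
    return (f"credential-submission user={f.user} host={f.host} "
            f"new_app={str(f.new_app).lower()} domain_age_days={f.domain_age_days} "
            f"indicators={','.join(f.indicators)} actions={','.join(f.actions)}")


def process(events, inventory: Inventory) -> List[Finding]:
    """Run the policy over a batch of events and keep only findings that triggered actions."""
    return [f for f in (evaluate(e, inventory) for e in events) if f and f.actions]


# Constructed sample telemetry: the first-party portal, an old third-party app,
# a fresh look-alike domain, and a personal address that the policy ignores.
SAMPLE_EVENTS = [
    Submission("alice@example-corp.com", "portal.example-corp.com", date(2024, 6, 10), True),
    Submission("bob@example-corp.com", "docs-share.example", date(2024, 6, 10), False),
    Submission("carol@example-corp.com", "example-corp-docs.example", date(2024, 6, 10), True),
    Submission("carol@personal.example", "example-corp-docs.example", date(2024, 6, 10), False),
]

if __name__ == "__main__":
    inv = Inventory(["portal.example-corp.com"])
    for finding in process(SAMPLE_EVENTS, inv):
        print(syslog_line(finding))
```

Note that the first-party portal login also reports a "reused" directory password, which is expected there and does not raise an alert on its own; the rule only fires when the app is new to the inventory and its domain is young. The same endpoint reuse signal becomes the escalation trigger once the other two indicators are present.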
