Why is Phishing still a thing?

Today at work I received an email saying there was a Phishing Email going around impersonating Microsoft and stating “Action Required: Unfamiliar login to your ID@company.com”.

I don’t understand how phishing can still be an issue these days. In 2008, yes 10 years ago, I was involved with a company which owned valuable research and historical information. After a phishing scam, code was executed on a user’s machine that led to network access by an external actor, and a large quantity of information was siphoned off. Although not privy to the specifics, I was able to glean that a state-sponsored entity based in Asia was responsible.

The next day, on discovery of the breach, the company’s IT team instigated the following:

A whitelist policy was implemented for websites (presumably implemented via a firewall rule set). A base ruleset of standard business-use websites (e.g. Google, the company’s external site, Bloomberg, etc.) was created. If one wanted to browse a site not on the whitelist, it was simply a matter of sending an email to IT and they would check and add it.

All links and http- and www-prefixed text were automatically stripped from emails company-wide. Links sent by business partners could be requested from IT. (Admittedly, these days one can’t just remove text prefixed with ‘http(s)’ or ‘www.’, but there are tools you could use to identify text referring to a web address with high accuracy.)

All email attachments were removed from emails and detonated on an isolated, dedicated machine, whereupon, if they were non-malicious, a user could obtain the attachment from IT.
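One way to implement the first two controls above (an allow-list of business sites plus link stripping that does not rely on an ‘http’ or ‘www.’ prefix), as an added example that is not from the original post: a Python mail-body filter that finds scheme-prefixed, www-prefixed and bare domain.tld references, keeps those whose registrable domain is on the allow-list, and replaces the rest with a marker. The allow-list entries, the marker text, the short TLD list, the two-label domain rule and the sample message are all constructed for the example.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Constructed allow-list standing in for the post's "base ruleset of standard
# business use websites"; the entries are hypothetical.
ALLOWED_DOMAINS = {"google.com", "bloomberg.com", "company.com"}
MARKER = "[link removed by mail filter - request it from IT]"

# Three link shapes: with scheme, www-prefixed, bare domain.tld (so omitting
# "http://" does not get a link past the filter). The TLD list is kept short
# for the example; the lookbehind keeps e-mail addresses out of alternative 3.
URL_RE = re.compile(r"""(?ix)
      \b(?:https?|ftp)://[^\s<>"']+                     # 1: scheme-prefixed
    | \bwww\.[^\s<>"']+                                  # 2: www. prefix
    | (?<![\w.@-])[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|io|co|uk)\b
      (?:/[^\s<>"']*)?                                   # 3: bare domain
""")

def registrable_domain(url: str) -> str:
    """Last two host labels, lower-cased (simplification: co.uk-style suffixes not handled)."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to populate .hostname
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])

def sanitize_email_body(body: str, allowed=ALLOWED_DOMAINS) -> tuple[str, list[str]]:
    """Swap each link whose domain is not allow-listed for MARKER; return (body, removed)."""
    removed: list[str] = []

    def _replace(m: re.Match) -> str:
        raw = m.group(0)
        url = raw.rstrip(".,;:!?)")  # sentence punctuation is not part of the link
        if registrable_domain(url) in allowed:
            return raw               # business-as-usual links stay clickable
        removed.append(url)
        return MARKER + raw[len(url):]
    return URL_RE.sub(_replace, body), removed

# Constructed sample message modelled on the lure quoted in the post.
SAMPLE_EMAIL = """\
Action Required: Unfamiliar login to your account ID@company.com.
Review the sign-in at https://account-verify-portal.com/login?id=1234 now,
or confirm your details at www.account-verify-portal.com/confirm.
Market data: www.bloomberg.com and mail.google.com remain available.
"""

if __name__ == "__main__":
    clean, dropped = sanitize_email_body(SAMPLE_EMAIL)
    print(clean, "removed:", dropped, sep="\n")
```

The allowed links and the e-mail address survive untouched, while both lookalike links are replaced and reported so IT can review them on request.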

Sure, there were a few complaints from people when these policies were first implemented, but employees learned to work with them.

While not a panacea, eliminating the ability for users to click on links in emails (and also open attachments) is such a no-brainer that I can’t understand how this issue can still be the cause of over 90% of data breaches.

