Recently, the Texas District received very sophisticated malicious email messages from employees of organizations we normally work with, one of which was from an employee of a major university.
These messages differ from typical phishing attempts and other malicious emails in that the attackers have compromised the accounts of these employees and are sending the messages from their legitimate accounts. They also offer file shares on Microsoft SharePoint, OneDrive, and other legitimate services that belong to the appropriate organization. They are not impersonating the sender with a free email account but are actually using the victim’s work account. (E.g. The malicious files were hosted at a university[dot]edu file sharing service, not some strange server in Asia or Eastern Europe.)
Microsoft is the hosting provider for the majority of the attacks we have seen, and we learned from the IT staff for one of these compromised accounts that the user had not been utilizing 2FA (Two-Factor Authentication).
Microsoft is making a big push right now to force all users to utilize and update 2FA for their accounts, and that does not seem coincidental. (If you have not turned on 2FA for all of your important accounts, we urge you to do so.) That said, Microsoft accounts, as well as those of many other providers, will remain vulnerable until these new enforcement actions are complete, which will probably take at least another six months.
If you receive an email with a shared file, even if you are 100% sure it is someone you trust, the only way to verify the file is safe is to contact the sender by OOB (Out Of Band) communication to verify they actually sent the message to you. That is to say, if you receive a shared file message by email, you should call or speak to the sender in person to verify the message is safe before opening it. (Do not trust phone numbers provided by email for this OOB step.)
One additional tactic to be aware of: attackers will sometimes send malicious shared files with names meant to peak curiosity and prevent people from using OOB verification or checking with their IT security team, file names like “Staff salaries.xls” or “Collection of dirty pictures.doc” or “Our secret.zip.” Please do not fall for it! Nobody will accidentally send you such files by file share, and the contents will be malicious.
If we find a malicious email sent from your organization, we will contact your office to make sure you are aware of the security issue. So that we at the Texas District can better protect our systems and your information, we need your most up-to-date contact details to be able to confirm the legitimacy of incoming communication. Please inform us of changes by filling out this form: https://txlcms.org/update/.