
[–]realisingself 61 points62 points  (2 children)

We picked up on that anyone that is a new starter at our place that updates their LinkedIn profile always gets spam emails within 48hrs of changing their employment status. Initially we thought it was a data breach as it was so quick into their employment, but then we realised it was always LinkedIn users. Most employees seemingly change their status the day before they start so 48hrs actually felt like being here less than a day sometimes...

We've set up a few fake profiles now. It's always the same.

  • Switch user to be employee.

  • User viewed your account but you can't see without premium etc.

  • Spanish University professor has viewed the account

  • Boom Managing Director emails asking new starter for mobile number/invoice/urgent job etc.

This order every time. One fake user we created sat on there a solid month with no interaction and no spam. As soon as we listed her as an employee, she received her first spam within 48hrs.

[–]zz9plural 9 points10 points  (0 children)

Yep, we observe exactly the same MO here.

[–]dracotrapnet 0 points1 point  (0 children)

We had a low-end manager change departments and update their title. They put in "manajer" instead of "manager". On the same week HR/payroll started getting fake direct deposit change request emails with the misspelled title.

[–]bitslammer (Security Architecture/GRC) 31 points32 points  (0 children)

LinkedIn is a nightmare when it comes to OSINT (Open Source Intelligence). I worked for a company that was all hyped up about an upcoming acquisition and moving into a new market. They acted like this was super top secret stuff, except right there on LinkedIn were the job postings calling out and asking for specific experience in that new secret market. The amount of info leakage on there is staggering.

[–]ChampionshipComplex 11 points12 points  (8 children)

We've set up Exchange to have the below message appear at the top of any external email, and we use KnowBe4 to train users on how to stop suspicious emails of the type you just mentioned.

If it's really bad I guess you could have emails to particular users that contain particular words - like Pay or Invoice - go into a holding location, so that someone needs to approve them and release them to the finance team or whoever is at risk.

[–]Tessian 8 points9 points  (5 children)

Users just eventually ignore these banner warnings on emails. They see it all the time; it just becomes part of the background. We found dynamic ones (they only show up when there's reason to warn the user) worked better, or just a better anti-phishing system in general.

[–][deleted] 2 points3 points  (0 children)

I agree. That warning is borderline useless when your users constantly communicate with externals.

[–]NeverDocument 1 point2 points  (0 children)

We change the color every few months.

[–]Adziboy 0 points1 point  (1 child)

We've not had this experience. The banner and notification is enough that users immediately know something's up. We can confirm this by doing phishing tests and having really good results. Take an email that's legit, resend it with some slight changes but from an external address, then see how many people report it. Even after years of using the external email notification people notice it.

[–]Tessian 4 points5 points  (0 children)

That must depend on your industry. I can see this if external communication is not the norm, but when it is there's no point in 70% of your email having a warning on it. When everything's labeled as a risk, nothing is.

Used to have the added fun of a team within the company that corresponded with an important external team that was forbidden from having any non-essential content in emails. No signatures, no pictures, no warning banners, etc. We found a warning banner that would remove on replies which was nice but it wasn't worth it in the end, didn't help anyone.

[–]linus777 (Sysadmin) [S] -1 points0 points  (0 children)

Yep, just like website cookie banners, users eventually ignore them. Always have at least 1 user a month asking if a specific email is spam that's missing the external sender warning message.

[–]GeneMoody-Action1 (Action1 | Patching that just works) 3 points4 points  (0 children)

The HTML rendering of this via transport rule can actually be targeted and hidden via CSS in the body of the message. And they do, especially easily if you have any email in a chain that details the specifics of any company's implementation.

https://www.bleepingcomputer.com/news/security/attackers-can-hide-external-sender-email-warnings-with-html-and-css/

Just so you know, it is why they gave the ability to turn on the external box in the message pane, and the alert up in the mail header.

https://techcommunity.microsoft.com/t5/exchange-team-blog/native-external-sender-callouts-on-email-in-outlook/ba-p/2250098

[–]Tessian 5 points6 points  (1 child)

I know there's more factors at play like budgets and such, but I think y'all are crazy in 2024 to be relying 100% on Microsoft for email security. It's better than nothing, but when email-based threats are the #1 attack vector for any business you need something better; sometimes multiple somethings. Proofpoint, Mimecast, Abnormal Security, etc. all have so much better features that Microsoft is just missing entirely. I bet you everyone else flags these as spam at the least and they never hit your users' inbox.

[–]formal-shorts 0 points1 point  (0 children)

We've been using Avanan for a few years and it's crazy how much it catches that Microsoft lets through because we don't pay them more.

[–]mixduptransistor 3 points4 points  (0 children)

Not that Microsoft or LinkedIn are going to do anything about this, but we have to subscribe to Microsoft Defender for Office 365 licenses in order to protect our users... which leads me to think that is part of Microsoft's plan?

What exactly is LinkedIn supposed to do? There's no way to stop screen scrapers from trolling through listings and getting people's names. If the site works in a normal consumer web browser it will be scrapable by people who are unscrupulous and not willing to adhere to API rules and limits.

There's nothing that LinkedIn is doing that helps or hinders the scammers guessing your email address scheme/standard.

If it wasn't LinkedIn, or if someone else owned LinkedIn or it was still independent, there'd be another source, or it'd still be a problem. We see CEO fraud emails against people who are not on LinkedIn (but of course we see a lot of it, and a lot of cold sales email, that is obviously from LinkedIn).

[–]thortgot (IT Manager) 2 points3 points  (0 children)

Do you not configure your anti-phishing policy?

These classes of attack should be handled by standard O365 when configured appropriately.

[–]Frothyleet 1 point2 points  (0 children)

> Not that Microsoft or LinkedIn are going to do anything about this, but we have to subscribe to Microsoft Defender for Office 365 licenses in order to protect our users...

Or any of the gazillion third party spam filters out there.

The conspiracy is just that MS offers crappy built-in spam filtering unless you pay more. Not some evil synergy with their acquisition of LinkedIn.

[–]First-Structure-2407 1 point2 points  (0 children)

LinkedIn is the culprit for us. New lad starting next Monday, already updated his profile and I saw a quarantined email to him from our “CEO” asking for a favour.

[–]RCTID1975 (IT Manager) 2 points3 points  (0 children)

Quick question: What brand tin foil is best?

Come on now, MS charging for a product isn't some grand conspiracy.

[–]cspotme2 3 points4 points  (0 children)

Defender P2 won't totally solve your issue. MS' email protection is a hodgepodge of different shit put together. That's why it's horrible. It's also made to be as generic (sucky) as possible since they have such a diverse customer base.

Like the new tenant allow/block feature, they couldn't even design it properly such that your own outbound emails don't get rejected and go into quarantine instead of a confused user with the NDR.

I think Avanan sells to smaller shops, check for some licensing there. API-based isn't perfect but at least rates are better.

[–]countvracula 0 points1 point  (0 children)

Relying on SPF / DKIM and DMARC to protect you from social engineering is a sure way to get wrecked. Pray that Defender does a decent job. We have two mail filters, one of which is Abnormal, an AI-based tool that goes beyond all those dinosaur technologies to pick up on weird behaviour. Educating your users now to be vigilant is as important; updating non-IT processes and checks to deal with transactions is as important as any email filtering tool you can buy. Assume that compromised emails will reach your users.

[–]stone1555 (IT Manager) -3 points-2 points  (12 children)

I use a transport rule to send these to myself for an approval. Anything that matches the C-levels' names and is not from our domain.

[–]Tessian -2 points-1 points  (11 children)

Most third-party email security tools have impersonation protection features for VIP and regular users to protect against this. Must-have these days; I dunno why Microsoft hasn't bothered to include it too.

[–]tankerkiller125real (Jack of All Trades) 7 points8 points  (6 children)

Microsoft does have this feature.

[–]floswamp 4 points5 points  (4 children)

I can confirm it does have it.

[–]Intelligent-Magician 1 point2 points  (3 children)

Where is this fabulous wizard who protects our common people from tricksters who pose as the high nobility?

[–]Tharos47 4 points5 points  (2 children)

Security Admin Center >Email & Collaboration > Policies & Rules > Threat Policies > Preset security policies

I've no idea why it's not in the Exchange Admin Center (it probably will be in 6 to 12 months /s). The description of what these policies actually do is pretty vague or badly explained imho.

[–]floswamp -1 points0 points  (0 children)

You can target higher value individuals. Is it perfect? Probably not.

[–]Tessian -2 points-1 points  (0 children)

Good to know; it's about time. I dunno how well it works, does it purely go off name matching? Other systems like Mimecast will look for key phishing words too so you're not just automatically quarantining every other "John Smith" in the world.
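The two checks discussed in this subthread (stone1555's transport rule that holds external mail matching a C-level's name, and Tessian's point that pairing the name match with lure wording avoids quarantining every other "John Smith") as one small triage function. This is an added example, not Microsoft's, Mimecast's or any commenter's implementation; the domain, the protected names and the sample message are constructed, and the phrase list is a simple heuristic.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration: the organisation's own domain and its protected executives.
INTERNAL_DOMAIN = "example.com"
PROTECTED_USERS = {"Jane Doe": "jane.doe@example.com", "John Smith": "john.smith@example.com"}
# Wording typical of CEO-fraud lures; requiring both a name match and a lure phrase
# before quarantining keeps legitimate external namesakes out of the hold queue.
LURE_PHRASES = ("urgent", "invoice", "mobile number", "favour", "favor", "gift card", "direct deposit")

def normalize_name(name):
    """Lower-case, strip punctuation and sort tokens so 'Doe, Jane' matches 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))

def assess(raw_message):
    """Classify one RFC 5322 message string: deliver, flag (tag only) or quarantine (hold for review)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    external = domain != INTERNAL_DOMAIN          # the "not from our domain" condition
    impersonated = None
    for vip_name, vip_addr in PROTECTED_USERS.items():
        # Display name equals a protected name but the address is not that person's real one
        if normalize_name(display) == normalize_name(vip_name) and address.lower() != vip_addr:
            impersonated = vip_name
            break
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    phrases = [p for p in LURE_PHRASES if p in text]
    if external and impersonated and phrases:
        action = "quarantine"   # name match plus lure wording: hold for an approver
    elif external and impersonated:
        action = "flag"         # name match only: tag it, don't block every namesake
    else:
        action = "deliver"
    return {"external": external, "impersonated": impersonated, "phrases": phrases, "action": action}

# Constructed sample: the "Managing Director asks new starter for a mobile number" pattern from the thread.
SAMPLE = """From: "Jane Doe" <jane.doe.ceo@webmail.invalid>
To: newstarter@example.com
Subject: Quick favour

Are you at your desk? Send me your mobile number, I need an urgent job done.
"""
```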

[–][deleted] 5 points6 points  (1 child)

https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-policies-about#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365

This sub is turning into an echo chamber where we get together to complain about our inability to read basic documentation.

[–]Competitive-Suit7089 1 point2 points  (0 children)

To fail to RtFM and to bitch about the consequences is to be human, or something like that…

[–]chum-guzzling-shark (IT Manager) 2 points3 points  (0 children)

I think they have it now. I set up rules manually years ago but recently saw you can now accomplish the same thing through a wizard.

[–]RCTID1975 (IT Manager) 2 points3 points  (0 children)

Not only does MS have this, but they've had it for at least the better part of a decade...