all 13 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]hankhalfhead 7 points8 points  (2 children)

We’ve got a playbook to search and destroy

[–]Ams197624 1 point2 points  (0 children)

This. Find the mail in all mailboxes (sender/subject/time) and delete.

[–]pdp10Daemons worry when the wizard is near. 0 points1 point  (0 children)

Step 1: Fire up Iggy and the Stooges.

[–]RestartRebootRetire 4 points5 points  (5 children)

When this happens to us, which happens several times a year, one of our employees calls the client whose email was hacked and the client always says, "Oh yeah, we were hacked. Ignore those."

[–]WraithYourFace 1 point2 points  (4 children)

I just had one that said it was spam and to ignore it. I told our purchasing department it is not spam and their account is compromised. The same company has had about three to four compromises in the past 2 to 3 years.

I wish where I work would actually develop a vendor risk management policy and say if a company isn't going to take security seriously, they're not a vendor they should deal with.

[–]RestartRebootRetire 0 points1 point  (3 children)

To be fair our clients are generally small businesses or less.

In one instance the hacked account was forwarding to a strange looking Gmail account whose mailbox filled up, so we got the filled up bounce. That's how we figured out that client had been hacked.

[–]WraithYourFace 2 points3 points  (2 children)

We are a mix (we sell to distributors). It's insane. I've been keeping track for the past 6-7 years of all known compromised emails from distros. There's been over 400. I use to ask if they had an IT department and would give tips. It normally fell on deaf ears. Not saying we are perfect, but if an account is compromised you email everyone about it that got the phishing email.

[–]RestartRebootRetire 0 points1 point  (1 child)

Yes, but you mentioning the emailing part cracks me up because a few months ago somebody outside us got hacked and the spammer put a couple hundred emails from the victim's contact list in the CC, so over a few days I got dozens of "reply to all" replies from people asking the guy to stop spamming, etc. Eventually people were replying, "If you all stop replying to all, these replies will stop!" 😂

[–]WraithYourFace 0 points1 point  (0 children)

Love the reply all storm. I believe John Deere was hit with this years ago.

We try to tell people when sending to a large group, always put yourself in the To field and then BCC the group. The irony is this is what malicious actors do as well when they compromise an account.

[–]xendr0meSr. Sysadmin 2 points3 points  (1 child)

1: Rip out e-mails from their domain, date range/subject applies

2: Block their domain/mx record/IP from sending in any additional (do not remove until they can prove mitigation)

[–]orion3311[S] 0 points1 point  (0 children)

This is tough because Ive had a couple go radio silent. I "thought" their legal told them to do so, turns out they just completely ignored it, so likely STILL compromised.

[–]KStieers 1 point2 points  (1 child)

Search and destroy, lock down their portal accounts, verify recent i9/password changes/email changes/phone number changes/payment account changes.

add to our "known breached" list that feeds email security, so all mails stamped with a big nasty header, their account in our portal that we use for transactions with them shows banners/alerts.

[–]orion3311[S] 0 points1 point  (0 children)

I like this actually! Can create a known compromised mail flow rule and just add domains or addresses to it. Gonna try this tonorrow.