Summary
Email is probably the main route through which student and staff accounts are currently
compromised, as a result of successful social engineering during
phishing campaigns - both generic and targeted. Users receive convincing
messages which encourage them to visit a website and enter their credentials,
which are then captured and used by an attacker to carry out further malicious
activities.
Malicious files sent as attachments to emails can
result in malware being downloaded and executed on University systems. Once the
initial malware has gained a foothold, it can be used to deliver additional
malware, including highly disruptive malware such as ransomware.
Without email forwarding restrictions in place, University data can be transmitted to
uncontrolled locations such as personal email accounts, or attacker-controlled
mailboxes.
What Are The Benefits?
The University should expect to see a reduction in the number of
“Account Compromise” incidents and improved email security, with an
associated reduction in the number of email-based security incidents.
We will also be looking into the benefits offered by Office 365 Advanced Threat
Protection and by third-party cloud-based email security products that integrate
with Office 365, including a trial of Cisco Cloud Mailbox Defence.
What Changes Will Be Made?
We will review and consider the best practice
guides for email security from Microsoft and the National Cyber Security Centre,
and also any adjustment of the currently available security controls within
Exchange Online and Office 365.
We will review and adjust the Outlook Address Book and the
Outlook Report Message Add-In, and also look at the external message
banner.
Review and adjustment of the mass message quarantine/deletion process to
enable the Security Team to take action on confirmed malicious emails or
indicators of compromise, ideally through integration with existing security.
Information Services will provide end user guidance relating to email security, including how to detect, respond to and report a suspected attack.
Visit the External Automatic Forwards page