What is Our Process for Stopping a Phishing Attack?


If not properly detected and addressed, phishing attacks can cost organizations thousands if not millions of dollars in damages.

Unfortunately, not only has the number of phishing attacks continued to grow, but their tactics continue to evolve, making it harder and harder to determine if emails are legitimate. One report found a 1,265% increase in phishing emails and a 967% increase in credential phishing emails from Q4 2022 to Q3 2023.

Gone are the days of the Nigerian prince asking for help and promising a hefty sum of money in return for your good deed. Today’s phishing attacks are much more convincing and personable, designed to trick you into revealing private or financial information or, even worse, granting access to the bad guys.

Phishing Attack Background

Late in 2023, while we still were onboarding a client to be their managed service provider, the organization experienced a phishing incident in which it received what appeared to be a real email from one of the vendors it corresponded with regularly. The email linked to a bidding document hosted on Canva, a legitimate online graphic design application.

Unlike many phishing attacks, which initially direct you to malicious sites with odd domains, this one directed the user to a safe link that security software did not detect as harmful, nor were users able to tell if it was malicious simply by previewing the link before clicking it.

Once on Canva, there was another link to access the bid document, which took the user to a malicious Microsoft 365 login page that appeared real. The user entered their credentials, and the attacker was able to steal those credentials and log in to the user’s Microsoft 365 account, which included Outlook.

“It was like a punch to the gut,” a company representative said of the attack.

Even if the user had multifactor authentication enabled, this type of attack still would work, as logging in also hands over the user’s MFA code to the bad guys.

Once the attacker logged in to the user’s email, they were able to create an inbox rule where any email from the real contractor would be marked as read and moved to a different folder, so the contractor couldn’t warn any victims of the phishing attack.

Steps for Combating a Phishing Attack

Step 1: Within minutes of the rule creation, our managed security service noticed the rule, flagged it as malicious, removed it and immediately locked down the user’s account so anybody who did have access was logged out.

Step 2: We then reached out to the client to inform them of the locked account and walked them through what would happen next: an in-depth inspection of the user’s account that includes ensuring no more rules were created and scanning the user’s inbox to ensure there weren’t any other malicious emails.

Step 3: Once the inbox was scanned, we enabled multifactor authentication and reset the password to ensure the attacker could not access the account. After that, we monitored the account to ensure there was no more suspicious activity. To prevent this from happening again, we set up stricter conditional access policies, such as blocking logins from outside the country.
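The kind of check behind Step 1, sketched as an added example (it is not the managed security service's own tooling): it scans audit records for an inbox rule that marks one sender's mail as read and files it away, as the attacker's rule did. The records are constructed and simplified in the shape of Microsoft 365 audit log entries; every user, address, IP and folder name is made up.

```python
import json

# Constructed, simplified records shaped like Microsoft 365 unified audit log
# entries for Exchange Online; all users, addresses and IPs are made up.
SAMPLE_AUDIT_LOG = [
    '{"Operation": "New-InboxRule", "UserId": "pat@client.example", "ClientIP": "203.0.113.50",'
    ' "Parameters": [{"Name": "Name", "Value": "."},'
    ' {"Name": "From", "Value": "bids@contractor.example"},'
    ' {"Name": "MarkAsRead", "Value": "True"},'
    ' {"Name": "MoveToFolder", "Value": "RSS Feeds"}]}',
    '{"Operation": "New-InboxRule", "UserId": "lee@client.example", "ClientIP": "198.51.100.7",'
    ' "Parameters": [{"Name": "Name", "Value": "Newsletters"},'
    ' {"Name": "SubjectContainsWords", "Value": "newsletter"},'
    ' {"Name": "MoveToFolder", "Value": "Reading"}]}',
    '{"Operation": "MailItemsAccessed", "UserId": "lee@client.example", "ClientIP": "198.51.100.7"}',
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
SENDER_CONDITIONS = {"From", "FromAddressContainsWords"}


def rule_findings(record):
    """Return the reasons an inbox-rule audit record looks like mail hiding."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}
    marks_read = params.get("MarkAsRead", "").lower() == "true"
    deletes = params.get("DeleteMessage", "").lower() == "true"
    moves = bool(params.get("MoveToFolder"))
    senders = [f"{k}={params[k]}" for k in sorted(SENDER_CONDITIONS) if params.get(k)]
    findings = []
    # Pattern from the incident: one sender's mail is marked read and filed out of sight.
    if senders and (deletes or (marks_read and moves)):
        findings.append("hides mail from specific sender: " + ", ".join(senders))
    return findings


def find_suspicious_rules(lines):
    """Parse JSON audit lines and return one alert per suspicious rule change."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        findings = rule_findings(record)
        if findings:
            alerts.append({"user": record["UserId"], "ip": record.get("ClientIP"),
                           "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(alert)
```

The second sample record, an ordinary newsletter filing rule, is not flagged because it neither targets a sender nor marks mail as read.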


After the Phishing Attack

Luckily, our team found no signs of compromised information.

The attacker gained access to the user’s email, created a rule and most likely was going to continue the attack by sending more emails pretending to be the user.

However, the rule was removed quickly, and the account was locked down to prevent further damage.

The user was able to safely access their account by the end of the day.

“It was great, (HT) shut it down, cleaned it out, and then I felt confident when they said I was good to go,” the representative said.

How Can You Protect Your Company?

There are things you can do proactively to improve your security measures. They include:

  • Finding your Microsoft secure score: This score, shown as a percentage, indicates how aligned you are with Microsoft’s security recommendations for your Microsoft cloud tenant.
  • Making sure you have detection and response: It shortens the dwell time of an attacker who successfully gets access to one of your accounts. It’s like a fire alarm: the faster you respond, the less that gets burned.
  • Providing ongoing security awareness training to employees: Training is meant to remind employees to stay vigilant, as well as update employees on trends and new tactics.

As far as protecting yourself and your organization from phishing attacks: There are specific things to look out for, including spelling errors, urgency and links that redirect to odd domains.

Be wary of emails from Microsoft that ask you to log in to your account. Microsoft will never send you emails telling you to change your password or log in to enable a new security tool.

One HT expert suggested paying close attention to the tone of an email. If an email from someone you interact with regularly, like a vendor, has a tone that is more professional or more casual than it normally is, it could be a sign of a phishing attack.

Another piece of advice is to never forward a suspicious-looking email, even to your managed service provider or IT employees. Forwarding an email only creates more opportunities for the attack to be successful. Reporting an email as phishing is the best course of action, but if you are unsure, deleting an email is better than forwarding it.

After the incident, the company representative said its leaders stressed to its employees to never forward a suspicious-looking email.


Phishing attacks like these are another reminder of why phishing training should be taken seriously. Training is not a one-time thing. Phishing attacks are constantly evolving, and it’s important to keep up to date on the tactics being used to trick you.

“Just one wrong click, and it could erase everything,” the representative said. “They could have wreaked a lot of havoc.”

West Michigan-based Managed Service Provider

Looking to protect your company from cybersecurity threats? Contact us here to learn how we can help secure your sensitive data.
