Oklahoma municipalities and municipal partners have been actively getting “hacked” over the past 24 hours. You might receive an email with a suspicious link.
An email, often purporting to be from someone you trust, will arrive in your inbox with the following:
Clicking on the “View Doc” image will take you to the following web page (don’t do it, but just for your own edification):
Trying to “log in” on any of those pages will simply hand your username and password to a hacker. Don’t do it.
What’s insidious about these emails is the complete lack of the other tells, like poor grammar, unrecognized “from” addresses, and other easy-to-identify phishing hints. In fact, these are clever. They often carry the sender’s recognizable email signature. The sender’s email address is legitimate and is often one you already trust. We’ve seen a variety of cities, towns, and municipal partners sending out the same or similar emails. And, what’s more, all of them are using Microsoft Office 365. The sample image above doesn’t do it justice. These are designed to be sneaky and fool you. The hackers are clever this time. Don’t fall for it.
Every one of these is most likely coming from a hacked user account. Someone, somewhere, is logging into city email accounts with compromised usernames and passwords and sending these phishing emails through Microsoft, which of course will always show as legitimate, to trusted partners and colleagues across the State of Oklahoma. This is a clever, coordinated attack and is reminiscent of other, similar attacks in other states over the past couple of years.
In cybersecurity we talk about the cyber “kill-chain”, the tools we can use to stop the progression of these attacks. Part of this is user education, in other words, this loss bulletin right here. But there are other steps your city or town needs to take. Simply using Microsoft’s Office 365 solution is not enough. If you re-use your password across multiple sites (and let’s be honest, most people do since dozens or hundreds of passwords are hard to remember), you must turn on multi-factor authentication. Sometimes this is something you can do for your own account within Microsoft.
Multi-factor authentication is when a system sends you a 6-digit code or requires that you “authorize” your login from an app. You probably already use this for your bank, and maybe even Facebook or Twitter. If you can, you should always turn on multi-factor authentication, as it is one of the easiest ways to stop someone from using your stolen password.
Watch the following video on how to activate multi-factor authentication for your account. If you’re unsure which link to use, visit:
Here’s a link (which includes a helpful video!) to send to your IT staff or consultant that will instruct them on how to turn it on for all Microsoft staff:
https://docs.microsoft.com/en-us/microsoft-365/business-video/turn-on-mfa?view=o365-worldwide