Click on known phishing link [RULE-1157]
Attic employs two detection rules to identify when a user clicks a link to a malicious website and when the user visits that link. These detections are crucial as they signal potential exposure to phishing attacks and help pinpoint targeted users.
Rationale
Clicking on a phishing link is a strong indicator of cybercriminal activity and of potential exposure to an adversary-in-the-middle (AiTM) attack. The user may be redirected to a fake login page designed to steal credentials and session tokens, which is typical of credential-harvesting campaigns; such a click therefore represents a critical security incident.
Fix
An automated fix is available through Attic.
Manual steps:
- Review the click details in the ticket.
- Immediately contact the user to understand the context.
- Check whether the user entered credentials on the malicious site.
- If credentials were entered, immediately reset the user’s password and revoke all sessions.
- Check for other suspicious activity by the same user.
- Review the user’s recent email activity for signs of phishing attempts.
- Consider implementing additional security measures for the affected account.
- Provide the user with security awareness training.
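The manual steps above amount to a correlation task: take the click event, confirm whether the same user also visited the link, and look for follow-on sign-in activity in the same window before deciding whether to reset the password and revoke sessions. The Python below is an added triage helper written for this page, not Attic's own code or data model; the event schema, the user names and the sample log events are all constructed for the example.

```python
"""Triage helper for a 'click on known phishing link' alert.

Correlates a url_click event flagged as known phishing with later url_visit and
sign-in events for the same user, then recommends the containment steps from the
playbook. The event schema and all sample events are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed sample events (assumed schema; not Attic's real format).
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2024-05-01T09:00:00Z", "user": "alice@example.com", "type": "url_click",
     "url": "https://phish.invalid/login", "verdict": "known_phishing"},
    {"ts": "2024-05-01T09:00:40Z", "user": "alice@example.com", "type": "url_visit",
     "url": "https://phish.invalid/login"},
    {"ts": "2024-05-01T09:03:10Z", "user": "alice@example.com", "type": "signin",
     "ip": "198.51.100.23", "result": "success", "new_device": True},
    {"ts": "2024-05-01T10:15:00Z", "user": "bob@example.com", "type": "url_click",
     "url": "https://docs.example.com/x", "verdict": "clean"},
    {"ts": "2024-05-01T11:00:00Z", "user": "carol@example.com", "type": "url_click",
     "url": "https://phish.invalid/login", "verdict": "known_phishing"},
    {"ts": "2024-05-01T11:00:05Z", "user": "carol@example.com", "type": "url_visit",
     "url": "https://phish.invalid/login"},
]

# Look-ahead window after the click in which follow-on activity is considered related.
WINDOW = timedelta(hours=1)


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used by the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Triage:
    user: str
    clicked_url: str
    visited: bool                      # did the user actually reach the page?
    suspicious_signins: List[Dict] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)


def triage_phishing_clicks(events: Iterable[Dict], window: timedelta = WINDOW) -> List[Triage]:
    """Return one Triage record per known-phishing click, with recommended actions."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    results: List[Triage] = []
    for click in ordered:
        if click["type"] != "url_click" or click.get("verdict") != "known_phishing":
            continue
        t0 = parse_ts(click["ts"])
        # Same user, within the window after the click.
        later = [x for x in ordered
                 if x["user"] == click["user"] and t0 <= parse_ts(x["ts"]) <= t0 + window]
        visited = any(x["type"] == "url_visit" and x["url"] == click["url"] for x in later)
        # A successful sign-in from a new device shortly after the click is treated
        # as evidence that credentials (or a session token) may have been captured.
        signins = [x for x in later
                   if x["type"] == "signin" and x.get("result") == "success" and x.get("new_device")]

        actions = ["contact_user", "review_recent_email"]
        if signins:
            # Playbook step: credentials likely entered -> reset password, revoke sessions.
            actions = ["reset_password", "revoke_sessions"] + actions
        elif visited:
            # Page was reached but no sign-in seen: confirm with the user before containment.
            actions.append("verify_credential_entry")
        results.append(Triage(click["user"], click["url"], visited, signins, actions))
    return results


if __name__ == "__main__":
    for t in triage_phishing_clicks(SAMPLE_EVENTS):
        print(f"{t.user}: visited={t.visited} signins={len(t.suspicious_signins)} -> {t.actions}")
```

The window, the "new device" heuristic and the action names are choices made for this example; in a real deployment they would be tuned to the identity provider's sign-in telemetry and the ticketing workflow in use.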
Impact
The fix will prevent further compromise by immediately addressing the security incident and implementing additional security measures if necessary. It will also increase the user's security awareness to prevent future incidents.