Visits to Phishing Sites [RULE-1158]
Attic uses detection rules to identify when a user reaches a known malicious website. The alert fires only on a confirmed visit, that is, when the user's request actually reached the site, not merely when a phishing link was delivered or clicked but never loaded.
Rationale
A visit to a phishing site is a strong indicator that the user is being actively targeted and may have been exposed to an adversary-in-the-middle (AiTM) attack, in which the phishing site proxies the legitimate login page and captures both the entered credentials and the resulting session token. Because the captured token is already authenticated, MFA alone does not prevent the account takeover. Such a visit usually constitutes a critical security incident that requires immediate investigation to contain the compromise before the attacker uses the account.
Fix
An automated fix is available through Attic.
Manual steps:
- Review the click details in the ticket: which URL was reached, when, and from which device.
- Immediately contact the user to understand the context (what the message claimed to be, what the page asked for).
- Check whether the user entered credentials on the malicious site. Proxy or endpoint logs showing a POST to the phishing host corroborate this, but the absence of a POST does not prove the user entered nothing, so ask the user directly.
- If credentials were entered, or if this cannot be ruled out, immediately reset the user's password and revoke all active sessions and refresh tokens. A password reset alone does not invalidate a session token captured by an AiTM proxy.
- Check for other suspicious activity by the same user, such as sign-ins from unfamiliar IP addresses or locations, newly registered MFA devices, or newly created inbox rules.
- Review the user's recent email activity for related phishing messages and for any forwarding or deletion rules an attacker may have added.
- Consider additional security measures for the affected account, such as phishing-resistant MFA or tighter sign-in restrictions.
- Provide the user with security awareness training.
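The following script works through the playbook above on constructed log data. It is an added example and not part of Attic's own code or documentation; the JSON-lines proxy and sign-in log schema, the look-alike domain, and the field names are assumptions made for illustration. It distinguishes a blocked click from an actual visit, treats a POST to the phishing host as evidence of credential entry, and flags successful sign-ins from IP addresses never seen for that user before the visit, which is the pattern an AiTM session replay produces.

```python
"""Triage helper for a 'visit to phishing site' alert (added example).

Assumes a hypothetical JSON-lines schema for web-proxy and sign-in logs;
nothing here is a real product's log format or API.
"""
import json
from datetime import datetime, timedelta

# Constructed indicator: a look-alike login domain (hypothetical).
PHISHING_HOSTS = {"login-microsoft0nline.example"}

# Constructed web-proxy log (hypothetical schema).
PROXY_LOG = """\
{"ts":"2024-05-02T09:14:03Z","user":"j.doe","host":"login-microsoft0nline.example","method":"GET","status":200,"action":"allow"}
{"ts":"2024-05-02T09:14:41Z","user":"j.doe","host":"login-microsoft0nline.example","method":"POST","status":302,"action":"allow"}
{"ts":"2024-05-02T09:20:00Z","user":"a.smith","host":"login-microsoft0nline.example","method":"GET","status":403,"action":"block"}
{"ts":"2024-05-02T09:21:00Z","user":"j.doe","host":"intranet.example","method":"GET","status":200,"action":"allow"}
"""

# Constructed identity-provider sign-in log (hypothetical schema).
SIGNIN_LOG = """\
{"ts":"2024-05-01T08:00:00Z","user":"j.doe","ip":"203.0.113.10","result":"success"}
{"ts":"2024-05-02T08:55:00Z","user":"j.doe","ip":"203.0.113.10","result":"success"}
{"ts":"2024-05-02T09:16:30Z","user":"j.doe","ip":"198.51.100.77","result":"success"}
{"ts":"2024-05-02T10:00:00Z","user":"a.smith","ip":"203.0.113.11","result":"success"}
"""


def parse_log(text):
    """Parse JSON-lines text into dicts with a timezone-aware 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def triage(user, proxy_events, signin_events, window=timedelta(hours=24)):
    """Answer the playbook's questions for one user and recommend actions."""
    hits = [e for e in proxy_events
            if e["user"] == user and e["host"] in PHISHING_HOSTS]
    # "Actually visited" means the proxy allowed the request and the site
    # answered. A blocked request is a click, not a visit, so it does not
    # qualify for this alert.
    reached = [e for e in hits
               if e["action"] == "allow" and 200 <= e["status"] < 400]
    result = {"user": user, "visited": bool(reached),
              "credentials_submitted": False, "suspicious_signins": [],
              "actions": []}
    if not reached:
        return result
    first_visit = min(e["ts"] for e in reached)
    # A POST to the phishing host after the page loaded is the strongest
    # proxy-side evidence of a credential submission. No POST is not proof of
    # no entry (the form may submit elsewhere), so the user is still asked.
    result["credentials_submitted"] = any(
        e["method"] == "POST" and e["ts"] >= first_visit for e in reached)
    # Baseline: source IPs the user successfully signed in from before the visit.
    baseline = {e["ip"] for e in signin_events
                if e["user"] == user and e["result"] == "success"
                and e["ts"] < first_visit}
    # An AiTM kit replays the captured session from attacker infrastructure,
    # so a successful sign-in from a never-seen IP shortly after the visit is
    # the signal to look for.
    result["suspicious_signins"] = sorted({
        e["ip"] for e in signin_events
        if e["user"] == user and e["result"] == "success"
        and first_visit <= e["ts"] <= first_visit + window
        and e["ip"] not in baseline})
    if result["credentials_submitted"] or result["suspicious_signins"]:
        result["actions"] = ["contact_user", "reset_password", "revoke_sessions",
                             "review_mailbox_and_inbox_rules"]
    else:
        result["actions"] = ["contact_user", "confirm_no_credentials_entered"]
    return result


if __name__ == "__main__":
    proxy = parse_log(PROXY_LOG)
    signins = parse_log(SIGNIN_LOG)
    for account in ("j.doe", "a.smith"):
        print(json.dumps(triage(account, proxy, signins), indent=2))
```

In the constructed data, j.doe loaded the page, submitted a form, and a minute later a successful sign-in arrives from an IP the account has never used, so the script recommends a password reset plus session revocation; a.smith's request was blocked by the proxy, so no visit is recorded and no actions are raised. In a real environment the baseline should cover a longer history than two days and include device or ASN in addition to bare IP.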
Impact
The user's account security is restored and potential phishing attacks are mitigated.