Responding to a helpdesk request about a malicious email
Determine if the phishing email is from a Phriendly Phishing campaign organised by our team.
- Access the Phriendly Phishing dashboard at https://launch.phriendlyphishing.com/company_admin/sign_in.
- Click on the Sent tile.
- Type the username of the user who's raised the support ticket into the search field. Look at the subject field to determine if the email the user reported as malicious is from Phriendly Phishing.
- If the email is from Phriendly Phishing, reply using the Phishing Reply canned response and close the ticket when ready.
Blocking contact to and from this malicious email address
- If the email the user received was malicious, block the sender's email address by navigating to the Tenant Allow/Block List at https://security.microsoft.com.
- Select 'Block' and block the email for 30 days. In the optional note section, please enter the URL of the helpdesk ticket.
Contact other staff who may have received this email
- Determine if other staff received this malicious email by performing a message trace in the Exchange admin centre. If you do not have access to the Exchange message centre, you may need to elevate your access in the Privileged Identity Management menu in the Entra admin centre. Please contact another IT team member if you're unsure how to proceed.
- Contact all staff who received this email and determine if they interacted with it in any way. You may wish to bcc them on the existing helpdesk ticket and use the canned response Phishing Reply when contacting any staff who received the malicious email.
Reset password for any users who have potentially been compromised
- For any staff who clicked on or interacted with the malicious email, ask them to come into IT to reset their password within 24 hours. If they do not come to IT within 24 hours, please reset their password to a random string of at least 15 characters.
- After the user has reset their password, force a sign-out of all existing sessions by navigating to the Microsoft Entra admin centre > Users > All users. Locate the user whose password you wish to reset, click on their name and select the Revoke sessions button above their profile picture to sign them out.
- The user will have to sign back in to all apps and services with their new password and will be prompted for an MFA response.
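
The block, message trace, random password and session revocation steps above can also be run from PowerShell. This is an added example, not part of the team's own procedure; it assumes the ExchangeOnlineManagement module (with Get-MessageTraceV2) and the Microsoft.Graph module are installed, and the sender address, ticket URL, 10-day trace window and function names are placeholders.

```powershell
# Constructed placeholder values: replace them for each ticket.
$Sender    = 'sender@example.com'                      # reported malicious sender
$TicketUrl = 'https://helpdesk.example.com/tickets/0'  # URL of the helpdesk ticket

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.RevokeSessions.All'

# Block the sender for 30 days and record the ticket URL in the note.
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $Sender `
    -ExpirationDate (Get-Date).ToUniversalTime().AddDays(30) -Notes $TicketUrl

# Message trace: every recipient of mail from that sender (assumed 10-day window).
Get-MessageTraceV2 -SenderAddress $Sender `
        -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) |
    Sort-Object Received |
    Select-Object Received, RecipientAddress, Subject, Status |
    Format-Table -AutoSize

# Random password of at least 15 characters for users who miss the 24-hour window.
function New-RandomPassword {
    param([ValidateRange(15, 128)][int]$Length = 20)
    # 64 characters, so (byte % 64) picks each one with equal probability.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        do {
            $bytes = [byte[]]::new($Length)
            $rng.GetBytes($bytes)
            $password = -join ($bytes | ForEach-Object { $alphabet[[int]$_ % 64] })
            # Retry until upper case, lower case and a digit are all present,
            # so the result is not rejected by the password complexity check.
        } until ($password -cmatch '[A-Z]' -and $password -cmatch '[a-z]' -and
                 $password -match '\d')
    }
    finally { $rng.Dispose() }
    $password
}

# Sign the user out of all existing sessions once their password has been reset.
function Revoke-UserSessions {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
}
```

Call `Revoke-UserSessions -UserPrincipalName <user>` for each affected user after their password has been changed.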