Microsoft's Security Intelligence team sounds the alarm on a sneaky phishing email campaign with fake sender addresses. The phishing email also cleverly employs various detection evasion techniques to trick most automated filters and users in its attempt to garner Microsoft Office 365 credentials.

The alert was sent after observing an active campaign that was zoning in on Office 365 organizations with convincing emails.

In a statement by Microsoft, "An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters."

Microsoft notes that this campaign is sneakier than usual due to the convincing Microsoft logos with the link posing as a 'file share' request to access bogus reports. However, the main phishing URL relies on a Google storage resource that takes the victim to the Google App Engine domain Appspot. This results in hiding a second URL that directs the victim to a compromised SharePoint site, and thus allowing the attack to bypass sandboxes.

Researchers at Microsoft have published details

Accounting to the FBI

According to the FBI's latest figures, phishing attacks have cost Americans more than $4.2 billion last year. Fraudsters employ business email compromise (BEC) attacks, which rely on compromised email accounts or email addresses that are similar to legitimate ones and are difficult to filter as they blend within normal, expected traffic. BEC attacks are far more costly than high-profile ransomware attacks.

What is CMMC?

In the face of unacceptable risks to the Controlled Unclassified Information that resides on its contractors' systems, the Pentagon introduced the CMMC standards to ensure that the companies it does business with, adhere to an appropriate level of cybersecurity protections.

The United States Department of Defense is implementing the Cybersecurity Maturity Model Certification (CMMC) to normalize and standardize cybersecurity preparedness across the federal government’s defense industrial base (DIB). This piece will cover the concept of a maturity model in the context of cybersecurity, key depictions of the DIB, the anatomy of CMMC levels, and how CyberSecOp can fast-track CMMC certification with our CMMC Compliance services.

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

A CUI registry provides information on the specific categories and subcategories of information that the Executive branch protects.

What are CMMC protected data

• Critical Infrastructure

• Defense

• Export Control

• Financial

• Immigration

• Intelligence

• International Agreements

• Law Enforcement

• Legal

Why was CMMC created?

Department Of Defence Create Cybersecurity Maturity Model Certification (CMMC Guidelines

In the face of unacceptable risks to the Controlled Unclassified Information that resides on its contractors' systems, the Pentagon introduced the CMMC standards to ensure that the companies it does business with, adhere to an appropriate level of cybersecurity protections

DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

How can my organization become CMMC certified?

Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.

How do I request certification assessment?

We call us for a fee consultation, we provide 3rd party CMMC assessment and certification.

I am a subcontractor on a DoD contract. Do I need to be certified?

• Yes, all companies doing business with the Department of Defense will need to obtain CMMC.

• How often does my Organization need to be reassessed? The duration of a certification is still under consideration.

What are the CMMC Levels?

CMMC Level 1

• Process: At this level, practices are performed in an ad-hoc manner so there is no process requirement.

• Practice: It addresses protection of FCI and 17 practices are required for the basic safeguarding requirements specified in 48 CFR 52.204.21.

CMMC Level 2

• Process: Policy and documentation of practice are required to develop mature capabilities and achieve process Level 2.

• Practice: Progression from Level 2 to Level 3. The majority of practices (65 of 72) comes from NIST SP 800-171 and new 7 practices from other standards are added to Level 2, such as audit log review, event detection/reporting, analyzing triaging events, incident response, Incident RCA (root cause analysis), regular data backup and testing, and encrypted session for device mgmt..

CMMC Level 3

• Process: Not just policy and documentation of practices, a plan is required to demonstrate management of practice implementation activities. The plan needs to address missions, goals, project plans, resourcing, required training and involvement of stakeholders.

• Practice: All 110 control requirements of NIST SP 800-171 are required for this level. In addition, 13 new practices from other standards are added to Level 3, such as defining procedures of CUI data handling, collecting audit info into central repositories, regular data backups, periodical risk assessment, risk mitigation plan, separate management of non-vendor-supported products, security assessment of enterprise software, cyber threat intel response plan, DNS filtering, restriction of CUI publication, spam protection mechanisms, email forgery protections, and sandboxing.

CMMC Level 4

• Process: Practices are reviewed and measured for effectiveness. In addition, correct actions when necessary and communication to higher level mgmt. on a recurring basis are required.

• Practice: In order to protect CUI from APTs, 26 practices enhance the detection and response capabilities to address and adapt to TTPs used by APTs.

CMMC Level 5

• Process: Process standardization and optimization.

• Practice: The additional 15 practices increase the depth and sophistication of cybersecurity capabilities.