12
Three days of password resets after a single phishing click
My coworker fell for a fake HR email last Tuesday and I spent the whole week resetting 200 user accounts. The kicker was the attacker got in through a shared mailbox we forgot to lock down. Has anyone else dealt with a cleanup that spiraled way bigger than the initial mistake?
3 comments
wren652 · 1mo ago · Most Upvoted
Oh man, I read shared mailboxes are a huge blind spot for most companies!
4
jake_walker · 1mo ago
The shared mailbox that got us had MFA bypassed because someone set it up as a generic login back in 2017 and nobody ever checked it. After that week I put a rule in place that any shared mailbox older than six months gets audited quarterly or gets deleted. Also started using distribution groups instead of shared mailboxes for most things, which cuts down the attack surface a lot.
3
nathan_webb · 1mo ago
The 200 account resets hurt, but that shared mailbox thing is what keeps happening everywhere. I've seen three companies this year alone get burned because someone set up a shared mailbox five years ago and no one ever put MFA on it. It's always the forgotten accounts that get you, not the ones you monitor daily. Locking those down should be part of onboarding, but nobody thinks about it until after the breach.
2
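The quarterly audit jake_walker describes, and the "nobody ever put MFA on it" pattern nathan_webb mentions, come down to one check: does the account behind a shared mailbox still allow interactive sign-in? The script below is an added example written for this thread, not code from any of the commenters. It assumes a Microsoft 365 / Exchange Online tenant (the thread never names the platform) with the ExchangeOnlineManagement and Microsoft.Graph modules installed and sessions already opened with Connect-ExchangeOnline and Connect-MgGraph. The six-month threshold is jake_walker's; the parameter names and the report layout are the example's own.

```powershell
# Added example for this thread (not the commenters' code).
# Assumes: Microsoft 365 / Exchange Online, ExchangeOnlineManagement and
# Microsoft.Graph modules, and an existing Connect-ExchangeOnline plus
# Connect-MgGraph -Scopes "User.ReadWrite.All" session.
#
# A shared mailbox is backed by an Entra ID account that Exchange Online creates
# with sign-in blocked. If AccountEnabled is $true on that account, someone turned
# the mailbox into a "generic login" with a password and, usually, no MFA.
param(
    [int]$MinAgeDays = 180,   # jake_walker's six-month threshold
    [switch]$Remediate        # block sign-in instead of only reporting
)

$now    = Get-Date
$cutoff = $now.AddDays(-$MinAgeDays)

# Every shared mailbox older than the threshold is in scope for the audit.
$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Where-Object { $_.WhenCreated -lt $cutoff }

$findings = foreach ($mbx in $shared) {
    # ExternalDirectoryObjectId is the Entra object id of the backing account.
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
                       -Property Id,UserPrincipalName,AccountEnabled

    # Who can legitimately reach the mailbox through their own (MFA-protected) account.
    $delegates = Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { $_.User -ne 'NT AUTHORITY\SELF' -and
                       $_.AccessRights -contains 'FullAccess' } |
        Select-Object -ExpandProperty User

    if ($user.AccountEnabled) {
        [pscustomobject]@{
            Mailbox       = $mbx.UserPrincipalName
            ObjectId      = $mbx.ExternalDirectoryObjectId
            Created       = $mbx.WhenCreated
            AgeDays       = [int]($now - $mbx.WhenCreated).TotalDays
            SignInEnabled = $true
            Delegates     = ($delegates -join '; ')
        }
    }
}

if (-not $findings) {
    Write-Output "No sign-in-enabled shared mailboxes older than $MinAgeDays days."
    return
}

$findings | Sort-Object AgeDays -Descending |
    Format-Table Mailbox, Created, AgeDays, SignInEnabled, Delegates -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        # Blocking sign-in on the backing account does not touch delegated access:
        # FullAccess / SendAs holders keep using the mailbox from their own accounts.
        Update-MgUser -UserId $f.ObjectId -AccountEnabled:$false
        Write-Output "Blocked interactive sign-in for $($f.Mailbox)"
    }
}
```

Run it without -Remediate first and read the Delegates column: a shared mailbox with sign-in enabled and no delegates is almost certainly being used as a generic login, so blocking sign-in will break whoever is typing that password, which is exactly the behaviour you want to surface and replace with delegated access before the next phishing click lands on it.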