Phishing/Spam incident – 3rd Party compromise – Switchboard/Helpdesk process
Should a client, supplier or any other 3rd party (referred to as ‘3rd party’ in this document) contact the Switchboard or IT Helpdesk, either to report a potential Kennedys Phishing/Spam incident or to report that they themselves have potentially been compromised, follow the steps below:
Steps
Action
Step 1 – Switchboard/IT Helpdesk contacted
3rd party contacts the Switchboard/IT Helpdesk via phone / email to report a potential Kennedys Phishing/Spam incident or that they themselves have potentially been compromised
If Switchboard/IT Helpdesk are contacted by a 3rd party, obtain the below information:
- The caller’s name
- The caller’s company
- The caller’s contact details, to include direct line number/mobile number/contact email address
- Reason for calling, e.g.
  - Phishing email from Kennedys OR
  - 3rd party has potentially been compromised
- Switchboard to email the above information to IT.Helpdesk@kennedyslaw.com, copying in Baiju Vasudevan, Stuart Upton
- Switchboard to transfer the call to IT Helpdesk on +44 207 667 9666
- IT Helpdesk to log a call on IT Helpdesk Call Management platform in Baiju Vasudevan’s name and follow the points below from STEP 2
Step 2 – If Phishing email from Kennedys (if 3rd party potential compromise, go to Step 5)
Evidence to obtain from the 3rd party
- If the email contained ‘links’, pass to Infrastructure for now whilst they complete the KBs:
  - Extract original Phishing URL from email (KB0016484)
  - Block extracted URL in Mimecast (KB0016484)
- Full email address from
- Full email address to
- Subject field of email
- Confirm if any links or attachments included
- Ask for a screenshot, if possible, of the email the user has received – PLEASE DO NOT ASK FOR THE EMAIL TO BE FORWARDED ON TO KENNEDYS IT
- Block that email address (all Helpdesk have permissions to do this)
- Check Mimecast as to who received that phishing email, take a screenshot
Step 3 – If Phishing email from Kennedys
Helpdesk (Systems Analysts) escalation process
Escalate to Infrastructure/24x7 DL (it24x7team@kennedys-law.com), copy in Baiju Vasudevan/Stuart Upton (Baiju to create a DL)
Baiju to confirm the email address to be included for Security and to confirm the information he requires to further investigate
- Copy and paste the questions and answers from Steps 1 & 2 in an email and send to 24x7 DL/Baiju/Stuart so everyone is aware – include the call reference number (using the email template in Step 4)
- Fully update the IT Helpdesk Call Management platform call and escalate to the Infrastructure team
- This is to be completed in all instances of phishing – in and out of hours
- If out of hours, phone on-call to notify them of the email and its content
- On-call to review the phishing email and actions taken and confirm with 24x7/Baiju/Stuart if ok or if any further action is to be taken.
- If further action to be taken, Infrastructure to manage and update 24x7/Baiju/Stuart through to resolution
- The next working day, Infrastructure to summarise for Baiju/Security. Any remedial actions to be taken by Security.
Step 4 – TEMPLATE COMMS – If Phishing email sent from Kennedys to 3rd party – template for 24x7/Baiju/Stuart
Email content to be sent to Kennedys 24x7DL, Baiju, Stuart
Subject field to say: Phishing email logged by 3rd party, enter the subject line of the email sent and what email address it was sent from – for Security/IT awareness
Hi all
Please be advised that we have received a call from a 3rd party – enter name of 3rd party – advising of a phishing email they have received from Kennedys.
The details of this phishing/spam email are:
Please advise if you require any further action to be taken by the IT Helpdesk
Kind regards
IT Helpdesk
Step 5 - If 3rd party has potentially been compromised
Evidence to obtain from the 3rd party
- Which contacts at Kennedys the email has been sent to
- Full email address from
- Subject field of email
- Confirm if any links or attachments included
- Ask for a screenshot, if possible, of the email the user has received – PLEASE DO NOT ASK FOR THE EMAIL TO BE FORWARDED ON TO KENNEDYS IT
Step 6 - If 3rd party has potentially been compromised
Helpdesk (Systems Analysts) to complete these actions
- If the email contained ‘links’, pass to Infrastructure for now whilst they complete the KB’s:
  - Extract original Phishing URL from email (KB0016484)
  - Block extracted URL in Mimecast (KB0016484)
  - Extract original Phishing URL from email (KB – to be confirmed)
  - Block extracted URL in Mimecast (KB – to be confirmed)
- Full email address from
- Full email address to
- Subject field of email
- Confirm if any links or attachments included
- Ask for a screenshot, if possible, of the email the user has received – PLEASE DO NOT ASK FOR THE EMAIL TO BE FORWARDED ON TO KENNEDYS IT
- Block that email address (all Helpdesk have permissions to do this)
- Check Mimecast as to who received that phishing email, take a screenshot
- Which contacts at Kennedys the email has been sent to
- Full email address from
- Subject field of email
- Confirm if any links or attachments included
- Ask for a screenshot, if possible, of the email the user has received – PLEASE DO NOT ASK FOR THE EMAIL TO BE FORWARDED ON TO KENNEDYS IT
- Block that email address (all Helpdesk have permissions to do this)
- Check Mimecast/run a report as to who received that phishing email, take a screenshot or if multiple, extract the report
- Following the email template in step 8, please send this to the Kennedys users identified in the Mimecast search. Follow the template in Step 9
Step 7 – If 3rd party has potentially been compromised
Helpdesk (Systems Analysts) escalation process
Escalate to Infrastructure/24x7 DL (it24x7team@kennedys-law.com), copy in Baiju Vasudevan/Stuart Upton (Baiju to create a DL)
Baiju to confirm the email address to be included for Security and to confirm the information he requires to further investigate
- Copy and paste the questions and answers from Steps 1 & 2 in an email and send to 24x7 DL/Baiju/Stuart so everyone is aware – include the call reference number (using the email template in Step 4)
- Fully update the IT Helpdesk Call Management platform call and escalate to the Infrastructure team
- This is to be completed in all instances of phishing – in and out of hours
- If out of hours, phone on-call to notify them of the email and its content
- On-call to review the phishing email and actions taken and confirm with 24x7/Baiju/Elmi if ok or if any further action is to be taken.
- If further action to be taken, Infrastructure to manage and update 24x7/Baiju/Stuart through to resolution
- The next working day, Infrastructure to summarise for Baiju/Security. Any remedial actions to be taken by Security.
- Copy and paste the above completed steps 1, 5, 6, both questions and answers in an email and send to 24x7 DL/Baiju/Stuart so everyone is aware – include the call reference number (Follow the email template in Step 8)
- Fully update the IT Helpdesk Call Management platform call and escalate to the Infrastructure team
- This is to be completed in all instances should a 3rd party have reported a potential compromise – in and out of hours
- If out of hours, phone on-call to notify them of the email and its content
- On-call to review the phishing email and actions taken and confirm with 24x7/Baiju/Elmi if ok or if any further action is to be taken.
- If further action to be taken, Baiju/Stuart to provide instructions to Infrastructure copying in 24x7 DL
Step 8 - Email template for Baiju/Stuart/24x7 if 3rd party potential compromise
Email content to be sent to Baiju, Stuart, Kennedys 24x7DL
Subject field to say: 3rd party potential compromise (Phishing/Spam), enter the subject line of the email sent – for Security/IT awareness
Hi Baiju/Elmi
Please be advised that we have been made aware by a 3rd party of a potential compromise they’ve reported
The details of this phishing/spam email are:
- Helpdesk to enter the email address sent from
- Helpdesk to enter the subject field of the email
- Helpdesk to include a screenshot of the email if they have managed to obtain one
- Helpdesk to include a link if the email contained a link
- Helpdesk to include any attachments if the email had any attachments
- Helpdesk to include the questions and answers from Steps 1 & 2 above
- Helpdesk to enter the questions and answers from points 1, 6, 7 into this email the email address sent from
- Helpdesk to confirm an email has been sent to those users and attach a copy
- Helpdesk to include a screenshot of the ‘phishing email’
Please advise if you require any further action to be taken by the IT Helpdesk
Kind regards
IT Helpdesk
Step 9 – Email template to send to Kennedys internal users if a 3rd party has been compromised
Dear (User)
We have been contacted by IT HELPDESK TO ENTER IN THE NAME OF THE 3RD PARTY to inform us that their email systems have been compromised and they are investigating the issue.
To minimise risk to the firm we will be placing a temporary block on the email address until they confirm the issue has been rectified.
If this poses an issue or you have further questions, please contact the IT Helpdesk or Risk and Compliance.
Regards
IT Helpdesk
Process review
This process is reviewed quarterly by the Head of IT Operations, IT Operations Manager, Security Management from Risk and Compliance.
Location of document: \\UKDCMSFSP02V\public$\IT\IT Teams\IT Helpdesk\Knowledge Bank\Security