The DuPont Cyber Incident Response Team (CIRT) was clocked out for the day when a Red Canary alert came in at 23:02 UTC. A corporate user at the company had set up a rule to automatically forward their emails to an external mailbox.
The DuPont CIRT was quickly notified of the threat via email and text message, as defined in their Red Canary playbooks. As standard practice, one of their cyber threat analysts then reached out to the user, inquiring about the suspicious activity on their account and prompting them to delete the rule. The user then appeared to create another rule—this one to delete all emails coming from the cyber threat analyst’s account. Red Canary detected this new rule as well.
Recognizing that an unauthorized user had bypassed conditional access policies and gained access to a legitimate DuPont user's account, the CIRT began enabling privileged identity rules to contain the account.
Within minutes of gaining access to the legitimate user's account, the adversary sent dozens of phishing emails to DuPont employees. They also created a rule to send any incoming emails containing the same subject line as the phishing emails straight to the user's Deleted Items folder, hiding replies and bounces that might have alerted the account owner. Yet again, Red Canary flagged this email rule as suspicious.
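The three inbox rules in this story (external auto-forward, deletion of mail from the responding analyst, and hiding replies to the phishing wave) are a recognizable pattern. The script below is an added example written for this page, not Red Canary's or DuPont's detection logic. It assumes an export of inbox-rule audit events shaped like Exchange Online New-InboxRule records (Operation, UserId, and Parameters as Name/Value pairs); the sample events, the corp.example domain, the cirt@corp.example mailbox and the phishing subject line are all constructed for the example.

```python
"""Triage inbox-rule creation events for the three behaviours in the case study."""
import re
from typing import Dict, List

# Assumptions for this example: the organisation's own mail domain, the
# security team's mailbox, and the subject line of the observed phishing wave.
INTERNAL_DOMAINS = {"corp.example"}
SECURITY_TEAM_ADDRESSES = {"cirt@corp.example"}
PHISHING_SUBJECTS = {"Action required: shared document"}

# Folders an adversary uses to hide mail from the mailbox owner.
HIDE_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records. The shape is modelled on Exchange Online
# New-InboxRule audit entries, but every value below is invented.
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "jdoe@corp.example", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "ForwardTo", "Value": "collector@mail.attacker.example"},
        {"Name": "StopProcessingRules", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "jdoe@corp.example", "Parameters": [
        {"Name": "Name", "Value": "cleanup"},
        {"Name": "From", "Value": "cirt@corp.example"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "jdoe@corp.example", "Parameters": [
        {"Name": "Name", "Value": "filter"},
        {"Name": "SubjectContainsWords", "Value": "Action required: shared document"},
        {"Name": "MoveToFolder", "Value": "Deleted Items"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "asmith@corp.example", "Parameters": [
        {"Name": "Name", "Value": "newsletters"},
        {"Name": "From", "Value": "news@vendor.example"},
        {"Name": "MoveToFolder", "Value": "Reading"}]},
]


def parameters(event: dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def addresses(value: str) -> List[str]:
    """Extract lower-cased e-mail addresses from a parameter value."""
    return [a.lower() for a in EMAIL_RE.findall(value or "")]


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def hides_mail(params: Dict[str, str]) -> bool:
    """True when the rule deletes mail or files it where the owner will not look."""
    if params.get("DeleteMessage", "").lower() == "true":
        return True
    return params.get("MoveToFolder", "").strip().lower() in HIDE_FOLDERS


def triage_rule(event: dict) -> List[str]:
    """Return the list of suspicious behaviours exhibited by one rule."""
    p = parameters(event)
    findings: List[str] = []

    # 1. Auto-forward or redirect to a mailbox outside the organisation.
    targets: List[str] = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets += addresses(p.get(key, ""))
    if any(is_external(a) for a in targets):
        findings.append("external_forward")

    # 2. Silently drop mail from the security team (the analyst who reached out).
    senders = addresses(p.get("From", "")) + [p.get("FromAddressContainsWords", "").lower()]
    if hides_mail(p) and any(s in SECURITY_TEAM_ADDRESSES for s in senders if s):
        findings.append("suppresses_security_team")

    # 3. Hide replies and bounces carrying the phishing subject line.
    subject = p.get("SubjectContainsWords", "").lower()
    if hides_mail(p) and any(s.lower() in subject for s in PHISHING_SUBJECTS):
        findings.append("hides_phishing_subject")
    return findings


def triage(events: List[dict]) -> List[dict]:
    """Run triage_rule over every rule-creation event and keep the hits."""
    hits = []
    for e in events:
        if e.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        findings = triage_rule(e)
        if findings:
            hits.append({"user": e["UserId"], "rule": parameters(e).get("Name", "?"),
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit['user']} rule {hit['rule']!r}: {', '.join(hit['findings'])}")
```

Rule names that are a single character or a dot, as in the first sample, are a further tell worth alerting on by themselves; the script above keys on behaviour rather than naming so that the same logic catches a rule with an innocuous name. Against a live tenant the same checks would run over the unified audit log or the output of Get-InboxRule rather than the constructed list.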
“The adversary was trying to be quiet and sneaky so as not to trigger any alarms, but Red Canary caught them.”
DUPONT CIRT TEAM MEMBER
The incident was marked remediated just 26 minutes later, at 23:28 UTC. Ultimately, the adversary’s attempt to compromise additional accounts was unsuccessful. The DuPont CIRT rapidly blocked the adversary and scrubbed all phishing messages, stopping the attack in its tracks. As a critical member of the CIRT concluded, “We were able to avoid essentially what could have been a material incident thanks to Red Canary.”