Phishing campaigns accurately notifying users their password has expired.

Iron Contributor

We have a 180-day password reset for all our users. This is the first time we've done this, as a response to our accounts being hacked last year. We've also enforced MFA.

I'm seeing some emails in quarantine (from noreply at birkenstock dot com) which are accurately, and quite convincingly, informing users that their password is expiring and asking whether they want to keep or change their password.

How would it be possible for anyone to know that these passwords are in fact expiring, and is there anything we can do to protect our users?

1 Reply
I can think of four possibilities:
1) The hacker from the prior hacking event downloaded the last password change date for all accounts, and they are using that data to create convincing emails
2) The hacker is still inside your network
3) The hacker is guessing at the expiration date and getting very lucky
4) These are legitimate password expiration emails
My recommendation is to hire a forensic team to investigate further.
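One concrete check a defender can run before calling in forensics, to separate possibility 1 or 2 (the attacker has real expiry data) from possibility 3 (lucky guessing) and possibility 4 (legitimate notices), is to correlate the quarantined "your password is expiring" messages with the recipients' actual password-last-set dates. The script below is an added example and is not code from the thread or from any vendor: it assumes the 180-day maximum age stated in the post, treats a lure as "accurate" when it arrives within a constructed 14-day window before the recipient's real expiry, and compares that hit rate against the baseline fraction of all users who happened to be near expiry on the same day. All directory entries, quarantine rows and the `example.com` notifier domain are constructed sample data; in practice the last-set dates would be exported from the directory and the lures from the quarantine.

```python
"""Correlate quarantined 'password expiring' lures with real expiry dates.

Added example, not from the thread. Assumptions: a 180-day maximum password
age (stated in the post), a 14-day accuracy window, and constructed sample
data standing in for a directory export and a quarantine export.
"""
from datetime import date, timedelta

PASSWORD_MAX_AGE_DAYS = 180               # policy stated in the post
WARN_WINDOW_DAYS = 14                     # assumption: lure counts as accurate within this many days of expiry
EXPECTED_NOTIFIER_DOMAINS = {"example.com"}  # assumption: domains that legitimately send expiry notices

# Constructed sample directory export: user -> date the password was last set
PASSWORD_LAST_SET = {
    "alice@example.com": date(2024, 1, 10),   # expires 2024-07-08
    "bob@example.com":   date(2024, 3, 1),    # expires 2024-08-28
    "carol@example.com": date(2024, 5, 20),   # expires 2024-11-16
    "dave@example.com":  date(2024, 1, 3),    # expires 2024-07-01
    "erin@example.com":  date(2024, 6, 15),   # expires 2024-12-12
    "frank@example.com": date(2024, 1, 12),   # expires 2024-07-10
    "grace@example.com": date(2024, 4, 2),    # expires 2024-09-29
    "heidi@example.com": date(2024, 2, 14),   # expires 2024-08-12
    "ivan@example.com":  date(2024, 5, 5),    # expires 2024-11-01
    "judy@example.com":  date(2024, 3, 20),   # expires 2024-09-16
}

# Constructed sample quarantine export: (sender, recipient, date received)
QUARANTINED_LURES = [
    ("noreply@birkenstock.com", "alice@example.com",   date(2024, 7, 1)),
    ("noreply@birkenstock.com", "dave@example.com",    date(2024, 7, 1)),
    ("noreply@birkenstock.com", "frank@example.com",   date(2024, 7, 1)),
    ("noreply@birkenstock.com", "bob@example.com",     date(2024, 7, 1)),
    ("noreply@birkenstock.com", "mallory@example.com", date(2024, 7, 1)),  # not in directory
    ("noreply@example.com",     "heidi@example.com",   date(2024, 7, 1)),  # our own notifier
]


def expiry_date(last_set: date) -> date:
    """Date the password expires under the 180-day policy."""
    return last_set + timedelta(days=PASSWORD_MAX_AGE_DAYS)


def days_until_expiry(last_set: date, as_of: date) -> int:
    """Signed day count from as_of to expiry (negative once expired)."""
    return (expiry_date(last_set) - as_of).days


def is_in_window(last_set: date, as_of: date, window: int = WARN_WINDOW_DAYS) -> bool:
    """True if the password expires between as_of and as_of + window days."""
    return 0 <= days_until_expiry(last_set, as_of) <= window


def baseline_rate(last_set_map: dict, as_of: date, window: int = WARN_WINDOW_DAYS) -> float:
    """Fraction of all users near expiry on as_of: the hit rate blind guessing would get."""
    if not last_set_map:
        return 0.0
    hits = sum(is_in_window(ls, as_of, window) for ls in last_set_map.values())
    return hits / len(last_set_map)


def assess(lures, last_set_map, window: int = WARN_WINDOW_DAYS, min_samples: int = 4) -> dict:
    """Compare lure accuracy against chance and name the hypothesis the data favours."""
    evaluated = accurate = unknown = legitimate = 0
    send_dates = []
    for sender, recipient, received in lures:
        if sender.rsplit("@", 1)[-1].lower() in EXPECTED_NOTIFIER_DOMAINS:
            legitimate += 1          # possibility 4: a real notice, not a lure
            continue
        last_set = last_set_map.get(recipient)
        if last_set is None:
            unknown += 1             # nothing to compare against; exclude from the rate
            continue
        evaluated += 1
        send_dates.append(received)
        if is_in_window(last_set, received, window):
            accurate += 1
    hit_rate = accurate / evaluated if evaluated else 0.0
    baseline = (sum(baseline_rate(last_set_map, d, window) for d in send_dates) / len(send_dates)
                if send_dates else 0.0)
    lift = hit_rate / baseline if baseline else (float("inf") if hit_rate else 0.0)
    if evaluated < min_samples:
        verdict = "too few lures to judge"
    elif lift >= 2.0:
        verdict = "lures track real expiry dates: treat expiry data as exposed (possibilities 1/2) and investigate"
    else:
        verdict = "hit rate near chance: consistent with guessing (possibility 3)"
    return {"evaluated": evaluated, "accurate": accurate, "unknown_recipients": unknown,
            "legitimate_notices": legitimate, "hit_rate": hit_rate,
            "baseline_rate": baseline, "lift": lift, "verdict": verdict}


if __name__ == "__main__":
    for key, value in assess(QUARANTINED_LURES, PASSWORD_LAST_SET).items():
        print(f"{key}: {value}")
```

On the constructed data three of the four evaluable lures land within 14 days of the recipient's real expiry (a 75% hit rate) while only 30% of the user base was near expiry that day, a lift of 2.5, which is the pattern that points at leaked last-set data rather than luck. A lift near 1 would instead support guessing. Either way the check only sharpens the question; it does not replace the forensic investigation the reply recommends.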