Protecting Your School From The Latest Phishing Scam - ANME


Posted on: 1st Feb 2019 by: Liam Robinson

Around 29th January 2019 a wave of phishing emails was sent to schools across the country, and it continues to spread like wildfire. The scam works a little like this:

  • The user receives a phishing email asking them to ‘Click here to display message’
  • The user is redirected to a fake login page telling them their session has expired (or some variation of that)
  • The user logs in with their email address and password
  • The ‘hacker’ now has these credentials
  • The compromised email account is used to send emails to as many people in the contact list as possible, often replying to past emails with the same subject line, which makes the victim believe it is a legitimate email
  • The process is repeated, and because most school staff collaborate with other schools, hundreds of schools are now receiving these messages

Protecting User Accounts

You’d think a common phishing scam would be easily flagged by your email provider. According to Microsoft, “We’ve built multiple spam filters into your Office 365 or Exchange Online Protection (EOP) service, so your email is protected from the moment you receive your first message.” Apparently not.

Two/Multi-Factor Authentication (MFA)

One of the best things you can do to protect your email accounts is to enable Multi-Factor Authentication. Yes, it can be a pain in the backside having to open your phone app every time you log in on a new device, but it will stop other people logging into your account with a stolen password alone.

To enable MFA, head to your Office 365 Admin centre > Users.

Under ‘More’ you will find the option to set up Azure MFA.

Here you can select which users you would like to enable MFA for; if you want to enable it for all staff you can use the Update in Bulk tool.


Blocking emails based on regular expressions

Another way to protect your users is to add a quarantine filter based on regular expressions in order to catch known spam.

In the current attack the emails have contained the school name, a time and a date in long format, like this:

‘Yourdomain’ is substituted with the first part of your domain name, with the TLD stripped; for example, it would just be Yourschool.

Because the date and time change with every message, Edugeek user Katy has provided the following regular expressions to block the emails on that pattern rather than on exact text.

(DomainNamesHere) \d{2} \d{2}-([a-zA-Z]{3,9})-\d{4}.
\d{2}:\d{2}:\d{2} \d{2}-([a-zA-Z]{3,9})-\d{4} \((DomainNamesHere)\)
(Yourdomain) \d{2}:\d{2}:\d{2} \d{2}-([a-zA-Z]{3,9})-\d{4}
\d{2}:\d{2}:\d{2} \d{2}-([a-zA-Z]{3,9})-\d{4}

Updated: 20 03 2019
Credit to ANME Member Tara McBride for the updates.

Note: We recommend you add each regex entry as a separate rule, because you can then see which rule is blocking emails, which makes troubleshooting false positives easier. They will, however, also work together in a single rule. If you are grouping them into different rules, any bitcoin address should be caught with these two lines taken from the code above:



Now you may be wondering what this means (like I was). \d{2} means any digit from 0 to 9, and {2} means there must be exactly two of them. This equates to the time, so \d{2}:\d{2}:\d{2} matches anything from 00:00:00 to 99:99:99. ([a-zA-Z]{3,9}) is the month section: any run of letters between 3 and 9 characters long. \d{4} is the year: any digits 0 to 9, and there must be four of them.

I know that probably will not make much sense yet, but have a play with the patterns and you should understand pretty quickly.

To add these, head to the EAC (Exchange Admin Centre) and click ‘Mail flow’.

Click ‘Create new rule’.

On the pop-up, give the rule a name and click ‘More options’.

Apply this rule if: The subject or body matches these text patterns

(this is where you enter the regex patterns, one at a time)

Do the following: Redirect the message to hosted quarantine

This should catch most of the current wave of spam emails. To check your quarantine, go here >

WARNING: This could also catch legitimate emails. I would monitor the quarantine closely and release any that turn out to be false positives.
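An added example (not from the original post) that checks the patterns above against a few constructed subject lines before deploying them, then creates one mail flow rule per pattern as the note recommends. It assumes an existing Exchange Online PowerShell session and uses ‘Yourschool’ as a placeholder for the first part of your domain.

```powershell
# Added example: test the post's regexes, then create one quarantine rule per pattern.
# Assumes an Exchange Online PowerShell session is already connected.

$school = 'Yourschool'   # placeholder: first part of your domain name, TLD stripped

# The patterns from the post, with the school name substituted in
$patterns = @(
    "($school) \d{2}:\d{2}:\d{2} \d{2}-([a-zA-Z]{3,9})-\d{4}",
    "\d{2}:\d{2}:\d{2} \d{2}-([a-zA-Z]{3,9})-\d{4} \(($school)\)",
    "\d{2}:\d{2}:\d{2} \d{2}-([a-zA-Z]{3,9})-\d{4}"
)

# Constructed sample subjects: the first two mimic the phishing wave, the last is a normal email
$samples = @(
    "$school 09:41:17 29-January-2019",
    "Invoice 14:05:33 30-Jan-2019 ($school)",
    "Parents evening 29-January-2019"
)

# Dry run: PowerShell's -match uses the same .NET regex engine as Exchange transport rules,
# so this shows which pattern (if any) each subject would trip
foreach ($s in $samples) {
    $hit = $patterns | Where-Object { $s -match $_ } | Select-Object -First 1
    if ($hit) { Write-Host "QUARANTINE  '$s'  (pattern: $hit)" }
    else      { Write-Host "deliver     '$s'" }
}

# One rule per pattern, so the quarantine shows which pattern fired on each message
$i = 1
foreach ($p in $patterns) {
    New-TransportRule -Name "Phish wave Jan 2019 - pattern $i" `
        -SubjectOrBodyMatchesPatterns $p `
        -Quarantine $true `
        -Comments 'Redirects to hosted quarantine; review for false positives'
    $i++
}
```

The third sample is deliberately a legitimate subject with a date but no time, so it is delivered; that is the difference between the time-plus-date patterns and a bare date match.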


Configuring Outbound Spam Policy

This, for me, is one of the more ‘useless’ settings, but it is worth configuring nonetheless. As stated earlier, Office 365 has built-in spam protection (allegedly), and there is a ‘Default outbound spam policy’, but unfortunately it’s not as configurable as you’d expect.

Enter the Exchange admin center (EAC), navigate to Protection > Outbound spam, and then double-click the default policy.

Here you can enable the two options and have any emails marked as spam sent to your inbox

Send a copy of all suspicious outbound email messages to the following email address or addresses.

This will not block the messages but will give you an indication of which accounts are sending spam.

Removing spam that has already made it to users’ mailboxes

Unfortunately our school was hit: one of the compromised accounts sent the email to ‘All staff’ as well as to certain staff individually. To avoid further damage I deleted the offending emails from all users’ mailboxes in the hope that I could remove it before they had a chance to click the link.

To do this in Exchange Online (O365), follow these steps:

  1. Head over to Exchange Admin Center > Permissions > Admin Roles.

You will need to add your admin account to the following four admin roles; you can do this by double-clicking each role and choosing ‘Members’:

Compliance Management | Discovery Management | Organisation Management | Recipient Management

Once you are a member of these groups, head over to the Security & Compliance admin centre > Search & Investigation > Content Search.

Hit ‘New search’.

You can tweak the search criteria based on the email you are trying to remove. If you know who sent it and on what date, enter their address as the sender and the date they sent it.

Once you’ve added the criteria for the email you’re trying to remove, click ‘Specific locations (modify)’ and select the location that contains Exchange/OneDrive/SharePoint.

Save and run.

After the search has finished you should see a preview of the messages it found. If you’ve only recently added your permissions, it can take up to 4 hours before you can use the preview feature.

If you are happy that the emails you want to delete have been found, continue; if not, tweak your search until you find them.

Over to PowerShell

For the next part you will need to use PowerShell. Open an elevated PowerShell window and type the following:

$UserCredential = Get-Credential

You will receive a prompt, enter your O365 admin credentials.

Next, enter the following command (the -ConnectionUri value is missing from the original post; it should be the Security & Compliance PowerShell endpoint for your tenant):

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

You now need to set the execution policy to Bypass, which you can do with:

Set-ExecutionPolicy Bypass

Choose Yes

Run the next two commands:

Import-PSSession $Session -AllowClobber -DisableNameChecking

$Host.UI.RawUI.WindowTitle = $UserCredential.UserName + " (Office 365 Security & Compliance Center)"

Now you are ready to delete the contents of the search. To do this, use the following command, replacing ‘Your search’ with the name of your content search:

New-ComplianceSearchAction -SearchName "Your search" -Purge -PurgeType SoftDelete

Choose Yes.

The emails found by your content search will now be removed from all users’ mailboxes.
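An added example (not part of the original post) that does the whole purge from PowerShell: it builds the content search from a sender and date instead of the GUI, waits for it to complete, sanity-checks the hit count, and only then soft-deletes. It assumes the Security & Compliance session from the steps above is already imported; the sender address and date are placeholders.

```powershell
# Added example: create, run, check and purge a content search end to end.
# Assumes the Security & Compliance PowerShell session is already imported.

$searchName = 'Phish purge 29-Jan-2019'
$sender     = 'compromised.user@yourschool.example'   # placeholder: the compromised account
$sentOn     = '2019-01-29'                             # placeholder: the day the phish went out

# KQL query: only mail from the compromised sender received on that day
$query = "from:$sender AND received:$sentOn"

New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query
Start-ComplianceSearch -Identity $searchName

# Poll until the search completes (newly added permissions can delay this, as noted above)
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
    Write-Host "Status: $($search.Status)"
} while ($search.Status -ne 'Completed')

Write-Host "Items matched: $($search.Items)"

# Refuse to purge on zero hits or an implausibly large count; tune the ceiling for your school
if ($search.Items -eq 0) {
    Write-Warning 'No messages matched; tweak the query before purging.'
}
elseif ($search.Items -gt 5000) {
    Write-Warning 'Unexpectedly large match count; review the preview in the GUI before purging.'
}
else {
    # SoftDelete leaves the messages recoverable from Deleted Items / Recoverable Items
    New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete -Confirm:$false
    # The purge action is named <search name>_Purge; check it finished and how many it removed
    Get-ComplianceSearchAction -Identity "${searchName}_Purge" | Format-List Status, Results
}
```

A purge removes at most 10 items per mailbox per action, so if a user received the phish more than ten times, run the action again after the first completes.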

Liam Robinson
ANME Member



