This Midnight Blizzard brings an avalanche of trouble 

The wind howled; the snow swirled. It had been like this all day. (Why had Karen left Phoenix again? … Never mind.) She knew she should have been home hours ago. Now it was well after dark, approaching midnight, and the streets hadn’t been plowed. Driving home would be dangerous. She sighed. More from habit than necessity, she opened the door to the car, sat, reached for her phone, and checked her email. 

“What? Again?”  

Karen was sick of receiving these cybersecurity training reminders from IT. They were obviously unaware that she had an important and fast-approaching deadline. If she missed it, she would lose her biggest account and Christmas bonus. Her children were counting on this bonus. They had planned a cruise during spring break. She didn’t have time to waste. 

On closer inspection, though, the email had nothing to do with training this time. Channeling all the security knowledge she had previously acquired through IT, Karen checked the sender address. 

“It’s good. It actually is from IT. It’s just for verification of my username and password. This one should be quick,” she thought. 

Oh no. Karen’s about to be the victim of a classic phishing-email-sender-verification oversight. And I’ll bet you’re thinking, “Tom, she checked the sender. She verified it really was from IT.” Yep. Most of our readers will notice from the start that Karen was astute. But it’s midnight. She’s tired and cupcake-drunk (ask me later), and she’s pushing up against a terrifying deadline. So, she did the only thing her amygdala would allow her to do: find the shortest path to safety. 

In this case, “safety” meant getting the annoying email out of the way so she could finish her report before the deadline. What she missed was context. IT never asks for a user to verify credentials in response to an email. Actually, she was instructed during on-boarding never to respond to an email requesting credential verification. The sender address was spoofed—a.k.a., faked. Yes, that’s a thing. 

The attack we’re scrutinizing this week is currently in use by a Russian attacker that Microsoft calls “Midnight Blizzard” (for real). The attack goes like this: thousands of emails are sent to users at various target companies. Attached to these emails is a file with a “.rdp” at the end of the name. This file will connect your computer with a server on the internet controlled by Midnight Blizzard. 

Always remember, whether it’s the IT department asking for password verification, the IRS notifying you of an audit, or a Nigerian prince asking for a loan, the rule is the same: never respond to any communication asking you to verify anything. Never trust any information you receive in an email, phone call, or text. When in doubt, hang up the call, close the email or text, and make contact using a phone number you know is good. 

Even if Karen had chosen to remain in Phoenix, it would have served her to be wary of a blizzard. And it will serve you, too, whether in the blistering heat storms of Arizona or far beyond.