Battle of the Week - Secure Mail Servers
The Battleground:
An association affiliated with a worldwide humanitarian organization whose network spans the globe.
The Presumption:
Connectivity to the mail service had been restricted, so unwanted actors were assumed to be kept out.
The Discovery:
The SIEM generated alarms indicating a mass data exfiltration in progress. An actor who had gained access to the mail server was scraping the profile pictures associated with email addresses. These pictures were the main information being targeted, most likely to set up a social-engineering scam: impersonating employees of the organization in order to obtain information or money from people familiar with it.
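As an added illustration of the kind of detection behind the SIEM alarm described above (example code written for this page, not the customer's or the NSOC's actual rule set), the following Python flags a mail-server session that pulls profile photos for many distinct mailboxes within a short sliding window, which is what bulk scraping looks like and what ordinary mail use does not. The log format, field names, IP addresses, account names and thresholds are all constructed assumptions, not data from the incident.

```python
"""Detect bulk scraping of mailbox profile photos from a mail-server access log.

Example detection logic written for this page; the log format, hosts,
accounts and thresholds below are constructed assumptions, not real data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple

# Constructed sample log in a hypothetical space-separated format:
#   <ISO-8601 timestamp> <source IP> <authenticated user> <action> <target mailbox>
# 203.0.113.7 walks the directory fetching one photo per mailbox (the scraper);
# 198.51.100.4 is an ordinary user reading mail and viewing a couple of photos.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 203.0.113.7 svc-scan fetch_photo alice@example.org
2024-03-01T10:00:01Z 203.0.113.7 svc-scan fetch_photo bob@example.org
2024-03-01T10:00:01Z 203.0.113.7 svc-scan fetch_photo carol@example.org
2024-03-01T10:00:02Z 203.0.113.7 svc-scan fetch_photo dave@example.org
2024-03-01T10:00:02Z 203.0.113.7 svc-scan fetch_photo erin@example.org
2024-03-01T10:00:03Z 203.0.113.7 svc-scan fetch_photo frank@example.org
2024-03-01T10:00:03Z 198.51.100.4 jsmith fetch_message jsmith@example.org
2024-03-01T10:00:04Z 198.51.100.4 jsmith fetch_photo alice@example.org
2024-03-01T10:00:04Z 203.0.113.7 svc-scan fetch_photo grace@example.org
2024-03-01T10:00:05Z 203.0.113.7 svc-scan fetch_photo heidi@example.org
2024-03-01T10:00:30Z 198.51.100.4 jsmith fetch_photo bob@example.org
"""

WINDOW = timedelta(seconds=60)  # sliding window length (assumed tuning value)
THRESHOLD = 5                   # distinct mailboxes' photos per window that trigger an alert


class Event(NamedTuple):
    ts: datetime
    src_ip: str
    user: str
    action: str
    target: str


def parse_log(text: str) -> List[Event]:
    """Parse the hypothetical five-field log format into Event records."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, user, action, target = line.split()
        # fromisoformat() in older Pythons rejects a trailing 'Z'; normalise it.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, src_ip, user, action, target))
    return events


def detect_bulk_photo_scraping(events: List[Event],
                               window: timedelta = WINDOW,
                               threshold: int = THRESHOLD) -> List[dict]:
    """Return one alert per (source IP, user) whose photo fetches cover at least
    `threshold` distinct mailboxes inside any `window`-long interval.

    Events are consumed in time order, as a SIEM would stream them. Each key
    keeps a deque of (timestamp, mailbox); entries older than the window are
    evicted from the front as time advances, so memory stays bounded.
    """
    windows: Dict[Tuple[str, str], Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], dict] = {}
    for ev in events:
        if ev.action != "fetch_photo":
            continue  # only photo retrievals count towards the scraping rate
        key = (ev.src_ip, ev.user)
        recent = windows[key]
        recent.append((ev.ts, ev.target))
        while recent and ev.ts - recent[0][0] > window:
            recent.popleft()
        distinct = {mailbox for _, mailbox in recent}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = {
                "src_ip": ev.src_ip,
                "user": ev.user,
                "first_seen": recent[0][0],
                "triggered_at": ev.ts,
                "mailboxes": len(distinct),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bulk_photo_scraping(parse_log(SAMPLE_LOG)):
        print(f"ALERT bulk photo scraping: {alert['user']} from {alert['src_ip']} "
              f"fetched photos for {alert['mailboxes']} mailboxes between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['triggered_at']:%H:%M:%S}")
```

On the constructed log the scraper session trips the rule on its fifth distinct mailbox, two seconds into the run, while the ordinary user (two photos in a minute) never reaches the threshold. The alert carries the source IP and authenticated account, which is exactly what a responder needs to terminate the session and disable or reset the credential, as the NSOC did in the case above.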
Our Solution:
The NSOC notified the customer so that the connection could be terminated before the actor took more information, and made recommendations to the customer on how to prevent the situation from happening again.
Lessons Learned:
Ensure that every possible connection to a mail server is secured, that employees use hard-to-guess passwords, and that proper authentication (for example, multi-factor authentication) is required so that no one can gain access with a single stolen or guessed credential.