Threat Detection and Response Updates
Last updated
The Threat Detection & Response (TDR) page is a live incident dashboard within GCF’s Trust & Safety Center that logs confirmed security events—like phishing campaigns or spoofed sites—with timestamps, concise summaries, and clear, bullet-pointed mitigation steps. It keeps staff and stakeholders instantly informed of evolving threats and provides actionable guidance to contain incidents and prevent reoccurrence.
Incident Summary
Between January 1–20, 2025, several employees received emails spoofing the Director‑General’s address, requesting urgent submission of personal data for an “internal audit.”
Timeline
Jan 21, 18:00 UTC – First report from staff.
Jan 22, 09:15 UTC – IT Security confirms sender domain is misspelled.
Jan 23, 10:00 UTC – Organization‑wide phishing alert issued.
Detection
User reports to support@globalcitizenshipfoundation.org
Email gateway flagged anomalies in DKIM and SPF records.
Immediate Response
Blacklisted spoofed domain and associated IPs.
Added content rules to quarantine messages with urgent‑data‑request keywords.
Containment & Remediation
Deployed user‑level multi‑factor authentication (MFA) reminder.
Blocked external forwarding of sensitive document attachments.
Communication
Sent all‑staff advisory outlining signs of executive‑impersonation scams.
Circular issued on safe email practices.
Long‑Term Measures
Bi‑annual phishing simulations targeting executive‑impersonation.
DMARC policy shifted from none to quarantine for inbound mail.
Issuance of VPN accounts to team members.
Current Status
Resolved—no reported data breaches. Monitoring continues.
Lessons Learned
Executive‑impersonation remains high‑risk; regular reminders are crucial.
Gradual DMARC hardening reduces the spoofing surface.
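The none-to-quarantine shift above is a change to the DMARC TXT record the domain publishes. As an added illustration (not GCF's own tooling), the following parses a DMARC record and rates how much each policy stage does against exact-domain spoofing; the domain names and record values are constructed placeholders.

```python
# Added example (not GCF's tooling): parse a DMARC TXT record and rate how
# much each policy stage does against exact-domain spoofing. Domain names
# and record values are constructed placeholders.

STAGE = {"none": 0, "quarantine": 1, "reject": 2}
EFFECT = {
    0: "monitor only: receivers still deliver failing mail, you just get reports",
    1: "receivers route failing mail to spam/quarantine",
    2: "receivers refuse failing mail outright",
}

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: " + record)
    return tags

def assess_dmarc(record: str) -> dict:
    """Report the domain and subdomain policy and the share of mail it applies to."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()        # p= is mandatory; treat a missing one as none
    sub_policy = tags.get("sp", policy).lower()   # subdomains inherit p= unless sp= is set
    if policy not in STAGE or sub_policy not in STAGE:
        raise ValueError("unknown policy in: " + record)
    return {
        "policy": policy,
        "stage": STAGE[policy],
        "subdomain_stage": STAGE[sub_policy],
        "pct": int(tags.get("pct", "100")),       # percentage of failing mail the policy covers
        "reporting": "rua" in tags,
        "effect": EFFECT[STAGE[policy]],
    }

def hardening_delta(before: str, after: str) -> int:
    """Positive when the new record enforces more than the old one."""
    return assess_dmarc(after)["stage"] - assess_dmarc(before)["stage"]

# Constructed records mirroring the none -> quarantine shift described above.
BEFORE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"
AFTER = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.org"

if __name__ == "__main__":
    for label, rec in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_dmarc(rec))
    print("hardening delta:", hardening_delta(BEFORE, AFTER))
```

A record with pct below 100 or sp=none leaves part of the spoofing surface open even when p=quarantine is set, which is why the audit reports those fields separately.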
We have been alerted to the spoofing of the University of Texas website on a subdomain of the Global Citizenship Foundation (community.globalcitizenshipfoundation.org), which in the past hosted our community site on the Heartbeat.Chat platform.
In response, we have coordinated with the Heartbeat Community team to restrict access to the compromised subdomain and have enhanced our IT security measures.
Incident Summary
On April 20, 2025, monitoring tools flagged unusual traffic patterns on our community subdomain (community.globalcitizenshipfoundation.org). Further investigation revealed a cloned University of Texas login portal hosted on this subdomain.
Timeline
Apr 20, 10:15 UTC – Automated alert for high-volume traffic to the dormant subdomain.
Apr 20, 13:26 UTC – Security team analysts confirm spoofed site using Heartbeat.Chat infrastructure.
Apr 20, 14:32 UTC – Access to affected subdomain suspended.
Detection
Anomaly detection via web traffic insights
Immediate Response
Disabled subdomain DNS entry and revoked related SSL certificates.
Notified Heartbeat.Chat operations to quarantine the compromised container.
Communication
Internal alert broadcast to IT, Legal, and Communications teams.
Drafted public advisory for stakeholders.
Long‑Term Measures
Quarterly red‑team phishing and spoof drills.
Enhanced subdomain issuance policy.
Created the Threat Detection and Response Notification Center
Current Status
Closed—no further spoof sites detected.
Lessons Learned
Importance of proactive domain/subdomain enumeration and audits.
Several staff members have reported receiving scam emails. These emails falsely claim to be from the Director-General and request that the recipient purchase gift cards.
Incident Summary
In early December 2023, an email impersonating the Director-General (DG) asked staff to discreetly purchase ten Apple iTunes gift cards and send images of the scratched codes for reimbursement later. The messages originated from a spoofed “officemail2579@mail.ru” address.
Timeline
Nov 30, 14:15 UTC – First phishing email sent from officemail2579@mail.ru to a staff member, posing as the DG and requesting discreet handling.
Dec 8, 07:07 UTC – Employee finds the thread in spam and forwards to colleague for verification.
Dec 8, 07:56 UTC – Colleague confirms scam and reports to IT Security.
Detection
Proactive vigilance on the part of staff, who requested confirmation from the DG.
Request for gift cards to personal email, off-domain sender.
Immediate Response
Blocklisted officemail2579@mail.ru.
Issued an immediate “Do Not Purchase/Do Not Respond” alert to all staff.
Adjusted spam-filter rules to quarantine similar messages.
Containment & Remediation
Reviewed mail logs to confirm no other staff followed through.
Performed a quick scan of inboxes for similar malicious messages.
Enforced banner warnings on external emails impersonating internal domains.
Communication
Sent an all-staff advisory detailing the phishing tactic and red flags.
Shared an information circular on recognizing thread-hijack phishing (Dec 9).
Long-Term Measures
Updated phishing simulation program to include thread-continuation and gift-card scenarios.
Updated our Purchasing and Procurement policy and procedures.
Current Status
Resolved—no financial losses reported, and no further similar emails detected after filter updates.
Lessons Learned
Thread hijacking and delayed requests can bypass conventional urgency filters.
Clear purchasing policies and multistep verification stop unauthorized purchases.
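The red flags noted in the audit and gift-card incidents (an executive's name on an off-domain or misspelled sender address, failed SPF/DKIM/DMARC, urgent data or gift-card wording) can be encoded as a gateway triage rule. The following is an added example, not GCF's actual filter configuration; the org domain, display names, addresses and sample messages are constructed placeholders.

```python
# Added example (not GCF's gateway rules): a triage rule for the executive-
# impersonation patterns described in these incidents, run over constructed
# sample messages. The org domain, names and addresses are placeholders.
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.org"                         # assumed org domain
EXEC_NAMES = {"director-general", "director general"}  # assumed display names
URGENT_DATA = re.compile(r"\b(urgent|immediately|internal audit|personal data)\b", re.I)
GIFT_CARD = re.compile(r"\b(gift cards?|itunes|scratched codes?|discreetly)\b", re.I)

def indicators(msg: dict) -> list:
    """List the red flags present in one message (headers pre-parsed into a dict)."""
    name, addr = parseaddr(msg["from"])
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != INTERNAL_DOMAIN:
        if name.strip().lower() in EXEC_NAMES:
            flags.append("exec display name on external sender")
        # misspelled look-alike of our own domain (the audit incident pattern)
        if SequenceMatcher(None, domain, INTERNAL_DOMAIN).ratio() >= 0.8:
            flags.append("look-alike sender domain")
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", msg.get("auth", ""), re.I):
        flags.append("authentication failure")
    text = msg["subject"] + " " + msg["body"]
    if URGENT_DATA.search(text):
        flags.append("urgent data-request wording")
    if GIFT_CARD.search(text):
        flags.append("gift-card request wording")
    return flags

def verdict(msg: dict) -> str:
    """Two or more flags: quarantine; one: deliver with a warning banner."""
    n = len(indicators(msg))
    return "quarantine" if n >= 2 else "banner" if n == 1 else "deliver"

# Constructed samples modelled on the incidents above.
SAMPLES = {
    "audit": {"from": "Director-General <dg@exarnple.org>",
              "auth": "spf=fail dkim=none dmarc=fail",
              "subject": "Urgent: internal audit",
              "body": "Submit your personal data today."},
    "gift":  {"from": "Director-General <officemail0000@example.net>",
              "auth": "spf=pass dkim=pass",   # a real webmail account passes its own checks
              "subject": "Quick favour",
              "body": "Discreetly buy ten iTunes gift cards and send the scratched codes."},
    "ok":    {"from": "Finance <finance@example.org>", "auth": "spf=pass dkim=pass",
              "subject": "Q1 budget", "body": "Figures attached."},
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, verdict(msg), indicators(msg))
```

The gift-card sample passes SPF and DKIM because it comes from a genuine external mailbox, so the display-name and content checks, not authentication results, are what catch it.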
Do Not Respond: Staff should not reply to or interact with these emails.
Report: Forward any suspicious emails immediately to IT Security.
Awareness: Encourage staff to verify any unusual requests from senior management through official channels.
Ensure all personnel are aware of this phishing attempt to prevent any potential financial loss. Stay alert and report any suspicious email. PLEASE DO NOT OPEN ANY LINKS.