# Threat Detection and Response Updates

{% hint style="info" %}

### About Threat Detection and Response Notification Center

The **Threat Detection & Response (TDR)** page is a live incident dashboard within GCF’s Trust & Safety Center that logs confirmed security events—like phishing campaigns or spoofed sites—with timestamps, concise summaries, and clear, bullet-pointed mitigation steps. It keeps staff and stakeholders instantly informed of evolving threats and provides actionable guidance to contain incidents and prevent recurrence.
{% endhint %}

## 2025

<details>

<summary>January 2025</summary>

### Incident Report: Phishing Emails Impersonating Director-General Requesting Personal Information from Staff

**Incident Summary**\
Between January 1–20, 2025, several employees received emails spoofing the Director‑General’s address, requesting urgent submission of personal data for an “internal audit.”

**Timeline**

* **Jan 21, 18:00 UTC** – First report from staff.
* **Jan 22, 09:15 UTC** – IT Security confirms sender domain is misspelled.
* **Jan 23, 10:00 UTC** – Organization‑wide phishing alert issued.

**Detection**

* User reports to <support@globalcitizenshipfoundation.org>
* Email gateway flagged DKIM and SPF authentication anomalies on the messages.

**Immediate Response**

1. Blacklisted spoofed domain and associated IPs.
2. Added content rules to quarantine messages with urgent‑data‑request keywords.

**Containment & Remediation**

* Deployed user‑level multi‑factor authentication (MFA) reminder.
* Blocked external forwarding of sensitive document attachments.

**Communication**

* Sent all‑staff advisory outlining signs of executive‑impersonation scams.
* Circular issued on safe email practices.

**Long‑Term Measures**

* Bi‑annual phishing simulations targeting executive‑impersonation.
* DMARC policy shifted from `none` to `quarantine` for inbound mail.
* Issuance of VPN accounts to team members.

**Current Status**\
Resolved—no reported data breaches. Monitoring continues.

**Lessons Learned**

* Executive‑impersonation remains high‑risk; regular reminders are crucial.
* Gradual DMARC hardening reduces the spoofing surface.
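The two gateway checks this incident relied on, SPF/DKIM alignment under the DMARC policy and a look-alike (misspelled) sender domain, as an added example that is not GCF's gateway code. The DMARC records show the `p=none` to `p=quarantine` change described above; the relay domain, the `mx.example.org` authserv-id and both sample messages are constructed, and the organisational-domain logic is simplified to the last two labels rather than a public-suffix lookup.

```python
"""Added example: DMARC evaluation and look-alike sender-domain check at a mail gateway.

Not GCF's gateway code. Everything except the foundation's own domain name is
constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
import re

ORG_DOMAIN = "globalcitizenshipfoundation.org"

# Constructed DMARC records illustrating the policy change in the report.
DMARC_BEFORE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@" + ORG_DOMAIN
DMARC_AFTER = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@" + ORG_DOMAIN


def parse_dmarc(record):
    """Split 'v=DMARC1; p=quarantine; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header):
    """Read spf/dkim results and their authenticated domains from Authentication-Results."""
    results = {}
    for clause in header.split(";")[1:]:  # the first clause is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)\s+(?:smtp\.mailfrom|header\.d)=(\S+)", clause)
        if m:
            results[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return results


def evaluate_dmarc(raw_message, dmarc_record):
    """DMARC outcome for one message: pass needs SPF or DKIM to pass AND align with the From domain."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    tags = parse_dmarc(dmarc_record)

    def aligned(auth_dom, mode):  # relaxed alignment unless aspf/adkim=s
        return auth_dom == from_dom if mode == "s" else org_domain(auth_dom) == org_domain(from_dom)

    spf_ok = "spf" in auth and auth["spf"][0] == "pass" and aligned(auth["spf"][1], tags.get("aspf", "r"))
    dkim_ok = "dkim" in auth and auth["dkim"][0] == "pass" and aligned(auth["dkim"][1], tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    # p=none only reports; quarantine/reject are the enforcing dispositions.
    disposition = "pass" if passed else tags.get("p", "none")
    return {"from_domain": from_dom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": passed, "disposition": disposition}


def edit_distance(a, b):
    """Levenshtein distance, used to catch misspelled look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, protected=ORG_DOMAIN, max_distance=2):
    """True for a domain within a few edits of the protected domain but not equal to it."""
    d = edit_distance(domain.lower(), protected.lower())
    return 0 < d <= max_distance


# Constructed sample: exact-domain spoof. SPF passes for the relay's own domain, which
# does not align with the From domain, and there is no DKIM signature.
SPOOF_EXACT_DOMAIN = f"""\
From: "Director-General" <dg@{ORG_DOMAIN}>
To: staff@{ORG_DOMAIN}
Subject: Urgent: internal audit - personal details required today
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulk-relay.example.net; dkim=none
Message-ID: <constructed-1@example.net>

Please send your full name, date of birth and ID number by 17:00.
"""

# Constructed sample: legitimate message, SPF and DKIM both pass for the organisation's domain.
LEGITIMATE = f"""\
From: dg@{ORG_DOMAIN}
To: staff@{ORG_DOMAIN}
Subject: Board minutes
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom={ORG_DOMAIN}; dkim=pass header.d={ORG_DOMAIN}
Message-ID: <constructed-2@{ORG_DOMAIN}>

Minutes attached.
"""

if __name__ == "__main__":
    for record in (DMARC_BEFORE, DMARC_AFTER):
        print("p=" + parse_dmarc(record)["p"], "->", evaluate_dmarc(SPOOF_EXACT_DOMAIN, record)["disposition"])
    print("look-alike:", is_lookalike("globalcitizenshipfoundatlon.org"))  # 'l' in place of 'i'
```

The same forged message is delivered (and merely reported) under `p=none` but quarantined under `p=quarantine`, which is the reduction in spoofing surface the lesson above refers to. The look-alike check is what catches the misspelled domain noted in the timeline, since a registered look-alike domain is not covered by the organisation's own DMARC record at all.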

</details>

<details>

<summary>March 2025</summary>

### Incident Report: Spoofed University of Texas Site

We have been alerted to the spoofing of the University of Texas website on a subdomain of the Global Citizenship Foundation (community.globalcitizenshipfoundation.org), which previously hosted our community site on the Heartbeat.Chat platform.

In response, we have coordinated with the Heartbeat Community team to restrict access to the compromised subdomain and have enhanced our IT security measures.

<figure><img src="/files/wHkbsjBv5WNR03f1nQnH" alt=""><figcaption></figcaption></figure>

### Spoofed University of Texas Subdomain

**Incident Summary**\
On April 20, 2025, monitoring tools flagged unusual traffic patterns on our community subdomain (`community.globalcitizenshipfoundation.org`). Further investigation revealed a cloned University of Texas login portal hosted on this subdomain.

**Timeline**

* **Apr 20, 10:15 UTC** – Automated alert for high-volume traffic to the dormant subdomain.
* **Apr 20, 13:26 UTC** – Security analysts confirm a spoofed site hosted on Heartbeat.Chat infrastructure.
* **Apr 20, 14:32 UTC** – Access to affected subdomain suspended.

**Detection**

* Anomaly detection via web traffic insights

**Immediate Response**

1. Disabled subdomain DNS entry and revoked related SSL certificates.
2. Notified Heartbeat.Chat operations to quarantine the compromised container.

**Communication**

* Internal alert broadcast to IT, Legal, and Communications teams.
* Drafted public advisory for stakeholders.

**Long‑Term Measures**

* Quarterly red‑team phishing and spoof drills.
* Enhanced subdomain issuance policy.
* Created the Threat Detection and Response Notification Center.

**Current Status**\
Closed—no further spoof sites detected.

**Lessons Learned**

* Importance of proactive domain/subdomain enumeration and audits.
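One way to run the subdomain audit this lesson calls for, as an added example rather than GCF's own tooling: compare a DNS zone export against a service register of who owns each delegated subdomain and whether it is still in use, and flag records that delegate to a third-party platform without an owner, records for services that were decommissioned but never removed, and register entries with no DNS record behind them. The zone snippet, the service register, the platform hostnames (`community-platform.example`, `docs-platform.example`) and the `legacy`/`events` names are all constructed.

```python
"""Added example: audit a zone export against a subdomain service register.

Not GCF's tooling. The zone data, register and platform hostnames are constructed.
"""
from collections import namedtuple

# Constructed zone snippet in BIND-style presentation format (not a real export).
ZONE_EXPORT = """\
; constructed zone snippet, relative names
www        300 IN A     203.0.113.10
community  300 IN CNAME sites.community-platform.example.
events     300 IN CNAME sites.community-platform.example.
docs       300 IN CNAME hosting.docs-platform.example.
mail       300 IN MX    10 mx.mail-provider.example.
"""

# Constructed service register: owner and lifecycle status of each delegated subdomain.
SERVICE_REGISTER = {
    "www": {"owner": "Communications", "status": "active"},
    "community": {"owner": "Community team", "status": "decommissioned"},
    "docs": {"owner": "IT", "status": "active"},
    "legacy": {"owner": "IT", "status": "active"},  # listed as active, but no DNS record exists
}

# Hosting platforms the organisation delegates subdomains to (constructed names).
THIRD_PARTY_SUFFIXES = ("community-platform.example", "docs-platform.example")

Record = namedtuple("Record", "name ttl rtype value")


def parse_zone(text):
    """Parse '<name> <ttl> IN <type> <rdata>' lines, dropping comments and blank lines."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        name, ttl, _klass, rtype = parts[:4]
        rdata = " ".join(parts[4:]).rstrip(".")
        records.append(Record(name, int(ttl), rtype.upper(), rdata))
    return records


def audit(records, register):
    """Return (subdomain, finding, detail) tuples for records that need attention."""
    findings = []
    seen = set()
    for r in records:
        seen.add(r.name)
        if r.rtype != "CNAME":
            continue
        third_party = r.value.endswith(THIRD_PARTY_SUFFIXES)
        entry = register.get(r.name)
        if third_party and entry is None:
            findings.append((r.name, "unregistered",
                             f"CNAME to third-party host {r.value} with no owner on record"))
        elif third_party and entry["status"] != "active":
            findings.append((r.name, "dormant",
                             f"CNAME still points at {r.value} but the service is {entry['status']}; remove the record"))
    # Register entries with no DNS record: the inventory itself has drifted.
    for name, entry in register.items():
        if name not in seen and entry["status"] == "active":
            findings.append((name, "stale-register", "register lists an active service but DNS has no record"))
    return findings


if __name__ == "__main__":
    for name, kind, detail in audit(parse_zone(ZONE_EXPORT), SERVICE_REGISTER):
        print(f"{name:<12} {kind:<15} {detail}")
```

The `dormant` finding is the case this incident describes: a subdomain that once hosted a real service keeps delegating to the platform after the service is gone, so anything later placed at that platform address is served under the organisation's name. Running the audit on a schedule, and refusing to issue a subdomain without a register entry, is what the enhanced issuance policy above amounts to in practice.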

</details>

## Past

<details>

<summary>December 2023</summary>

### Incident Report: Phishing Emails Impersonating Director-General Requesting Gift Card Purchases

Several staff members have reported receiving scam emails. These emails falsely claim to be from the Director-General and request that the recipient purchase gift cards.

<figure><img src="/files/B7o1d3FAJ6butpy1gSQ5" alt=""><figcaption></figcaption></figure>

**Incident Summary**\
In early December 2023, an email impersonating the Director-General (DG) asked staff to discreetly purchase ten Apple iTunes gift cards and send images of the scratched codes, promising reimbursement later. The messages originated from a spoofed “<officemail2579@mail.ru>” address.

**Timeline**

* **Nov 30, 14:15 UTC** – First phishing email sent from <officemail2579@mail.ru> to a staff member, posing as the DG and requesting discreet handling.
* **Dec 8, 07:07 UTC** – Employee finds the thread in spam and forwards to colleague for verification.
* **Dec 8, 07:56 UTC** – Colleague confirms scam and reports to IT Security.

**Detection**

* Proactive vigilance on the part of staff, who requested confirmation from the DG.
* Gift-card request sent from a personal, off-domain sender address.

**Immediate Response**

1. Blocklisted `officemail2579@mail.ru`.
2. Issued an immediate “Do Not Purchase/Do Not Respond” alert to all staff.
3. Adjusted spam-filter rules to quarantine similar messages.

**Containment & Remediation**

* Reviewed mail logs to confirm no other staff followed through.
* Performed a quick scan of inboxes for similar malicious messages.
* Enforced banner warnings on external emails impersonating internal domains.

**Communication**

* Sent an all-staff advisory detailing the phishing tactic and red flags.
* Shared an information circular on recognizing thread-hijack phishing (Dec 9).

**Long-Term Measures**

* Updated phishing simulation program to include thread-continuation and gift-card scenarios.
* Updated our Purchasing and Procurement policy and procedures.

**Current Status**\
Resolved—no financial losses reported, and no further similar emails detected after filter updates.

**Lessons Learned**

* Thread hijacking and delayed requests can bypass conventional urgency filters.
* Clear purchasing policies and multi-step verification stop unauthorized purchases.
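The filter-side counterpart of these lessons, as an added example that is not GCF's mail-filter code: score an inbound message for an executive display name paired with a non-executive address, an external or mismatched Reply-To domain, gift-card language, and pressure language, then decide between quarantine, an external-sender banner and plain delivery. The pressure-term list plays the role of the urgent-request keyword rule from the January 2025 report as well. The executive directory, the `dg@` mailbox, the internal-domain list, the keyword lists, the banner text and the vendor sample are constructed; the `mail.ru` sender is the address cited in this report.

```python
"""Added example: scoring inbound mail for executive impersonation and gift-card requests.

Not GCF's mail-filter code. Directory, keyword lists, banner and samples are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
import re

INTERNAL_DOMAINS = {"globalcitizenshipfoundation.org"}
# Constructed directory: protected display names and the one mailbox each may legitimately use.
EXECUTIVES = {"director general": "dg@globalcitizenshipfoundation.org"}  # hypothetical mailbox
GIFT_CARD_TERMS = ("gift card", "itunes", "scratch", "redeem")
PRESSURE_TERMS = ("urgent", "discreet", "confidential", "immediately", "today")
EXTERNAL_BANNER = "[EXTERNAL] This message came from outside the organisation. Verify unusual requests by phone."


def normalise(name):
    """Lower-case and collapse punctuation so 'Director-General' matches 'director general'."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def assess(raw_message):
    """Return the reasons a message looks like executive impersonation and a verdict."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload().lower()  # samples are single-part; real mail needs walk()
    reasons = []

    external = domain not in INTERNAL_DOMAINS
    if external:
        reasons.append("sender domain is external")
    expected = EXECUTIVES.get(normalise(display))
    impersonation = expected is not None and addr.lower() != expected
    if impersonation:
        reasons.append(f"display name matches an executive but address is {addr}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To points to a different domain than From")
    gift = [t for t in GIFT_CARD_TERMS if t in body]
    if gift:
        reasons.append("gift-card language: " + ", ".join(gift))
    pressure = [t for t in PRESSURE_TERMS if t in body]
    if pressure:
        reasons.append("pressure language: " + ", ".join(pressure))

    if impersonation and (gift or pressure):
        verdict = "quarantine"
    elif external:
        verdict = "banner"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


def apply_banner(raw_message):
    """Body with the external-sender banner prepended when the From domain is not internal."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() in INTERNAL_DOMAINS:
        return msg.get_payload()
    return EXTERNAL_BANNER + "\n\n" + msg.get_payload()


# Constructed sample modelled on the incident above (sender address as cited in the report).
SCAM = """\
From: "Director-General" <officemail2579@mail.ru>
To: staff.member@globalcitizenshipfoundation.org
Subject: Re: Quick task
Message-ID: <constructed-3@mail.ru>

Are you available? I need you to discreetly purchase ten Apple iTunes gift cards
for a client. Scratch the back and send me images of the codes; I will reimburse you later.
"""

LEGIT_DG = """\
From: "Director-General" <dg@globalcitizenshipfoundation.org>
To: staff@globalcitizenshipfoundation.org
Subject: Board minutes

Minutes attached.
"""

VENDOR = """\
From: "Accounts" <invoices@vendor.example>
To: finance@globalcitizenshipfoundation.org
Subject: Invoice 1042

Please find the invoice attached.
"""

if __name__ == "__main__":
    for sample in (SCAM, LEGIT_DG, VENDOR):
        print(assess(sample))
```

The scam sample is quarantined on the combination of an executive display name, a foreign address and gift-card wording; the genuine DG message passes because its address is the one on record for that display name; the vendor message is delivered with the banner, which is the "external email impersonating an internal identity" warning listed under containment. A thread-continuation message with no urgency words still trips the impersonation and gift-card checks, which is the gap in urgency-only filtering noted in the lessons.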

#### Recommended Actions

1. **Do Not Respond**: Staff should not reply to or interact with these emails.
2. **Report**: Forward any suspicious emails immediately to IT Security.
3. **Awareness**: Encourage staff to verify any unusual requests from senior management through official channels.

Ensure all personnel are aware of this phishing attempt to prevent any potential financial loss. Stay alert and report any suspicious email. PLEASE DO NOT OPEN ANY LINKS.

</details>
