← Customer 14024290

#27985 Continued phishing

Resolved 2 Normal Created Jun 10, 2024, 5:25 PM Resolved Jun 14, 2024, 8:14 PM
Artichoke Support - Peet (internal) Jun 10, 2024, 5:25 PM 
[embedded image]

Keez:
Someone messaged me impersonating Grant. At first I thought it was Grant messaging me off his computer or something and that’s why it was showing up weird, but as soon as they started asking about gift cards and it wasn’t an iPhone I stopped responding.

Maybe: G Kier:
Hi Peet. Sorry to bug you by text but wanted to check in with you. A few coincidental phishing scams (one as Leidy left and now one with Keeza coming in) leave me feeling like someone is still seeing into our operations. Any chance of that?

Peet McKinney:
I'll take a deep dive. The texts are an odd addition ...

Keez:
Should I go ahead and block that number? Moving forward I will not respond at all. Thank you, Peet!
Artichoke Support - Peet (internal) Jun 10, 2024, 5:36 PM 
I do not have visibility into your Slack. I need to see the logs for your team. Who/what account is the thePrimary Owner of your Slack? The app has full rights into your OneDrive/SharePoint, but there's no way for me to tell who is using it where.

I'd whole-heartedly recommend using Teams instead of Slack for many security and feature related reasons.

Thanks.Peet
Artichoke Support - Peet (internal) Jun 11, 2024, 1:14 AM 
I've not heard back on this and am concerned enough that I will disable any slack integration with M365 until I can get a look at the available logs.

Thanks.Peet
customer-reply (internal) Jun 11, 2024, 2:17 AM 
Ok. I thought Keeza sent you the logs? I did try to call several times today. One of my concerns a that by using our email, if we are hacked, anyone can be following along….

Sent from my phone

On Jun 10, 2024, at 7:14 PM, Artichoke Support - Peet <[email protected]> wrote:


customer-reply (internal) Jun 11, 2024, 3:28 PM 
I only have access to my personal access logs, but I worked with Nicole to get what we believe is the data you need Peet. We searched for access logs for a while and it difficult to find any sort of data for the entire team. This data was exported directly from Nicole’s slack account as an owner.

From: Grant Kier <[email protected]>
Date: Monday, June 10, 2024 at 8:17PM
To: Artichoke Support - Peet <[email protected]>
Cc: Keeza Leavens <[email protected]>
Subject: Re: Continued phishing (message id: 82585788)

Ok. I thought Keeza sent you the logs? I did try to call several times today. One of my concerns a that by using our email, if we are hacked, anyone can be following along….

Sent from my phone

On Jun 10, 2024, at 7:14PM, Artichoke Support - Peet <[email protected]> wrote:


Artichoke Support - Peet (internal) Jun 11, 2024, 3:34 PM 
I'm sorry for not being clear, what I really need for slack is the owner account. Great to know it's Nicole and not lost along the line!

Nicole,

Could you please add the owner role to [email protected].

Thanks.Peet
customer-reply (internal) Jun 11, 2024, 3:49 PM 
Nicole, Grant, and Chelsea are all owners. We are in a staff meeting currently and Nicole will get that done as soon as she can today! Thanks.

From: Artichoke Support - Peet <[email protected]>
Date: Tuesday, June 11, 2024 at 9:34AM
To: Keeza Leavens <[email protected]>
Cc: Grant Kier <[email protected]>, Nicole Rush <[email protected]>
Subject: Continued phishing (message id: 82585788)
customer-reply (internal) Jun 11, 2024, 3:54 PM 
Hi Peet,

Just made the change. Glad to her mepadmin is you and not a hacker, Grant had deactivated the account yesterday.

N

Nicole Rush

Deputy Director

Missoula Economic Partnership

500 N Higgins Ave, Suite 300

Missoula, MT 59802

[email protected]

P: 406.594.7874

[MissoulaPartnership.com](http://t.sidekickopen06.com/e1t/c/5/f18dQhb0S7lC8dDMPbW2n0x6l2B9nMJW7t5XX45wfmJHW2zX3S-7dSBlKW64QWwH56dHHyf73Ls5v02?t=&si=4953426783895552&pi=cdf00da3-80e5-4c2a-9458-b3a727ce1077)

[embedded image](https://outlook.office.com/bookwithme/user/[email protected]?anonymous&ep=bwmEmailSignature)		[Book time to meet with me](https://outlook.office.com/bookwithme/user/[email protected]?anonymous&ep=bwmEmailSignature)

---------------------------------------------------------------

From: Keeza Leavens <[email protected]>
Sent: Tuesday, June 11, 2024 9:49 AM
To: Artichoke Support - Peet <[email protected]>
Cc: Grant Kier <[email protected]>; Nicole Rush <[email protected]>
Subject: Re: Continued phishing (message id: 82585788)

Nicole, Grant, and Chelsea are all owners. We are in a staff meeting currently and Nicole will get that done as soon as she can today! Thanks.

From:Artichoke Support - Peet <[email protected]>
Date: Tuesday, June 11, 2024 at 9:34AM
To: Keeza Leavens <[email protected]>
Cc: Grant Kier <[email protected]>, Nicole Rush <[email protected]>
Subject: Continued phishing (message id: 82585788)
customer-reply (internal) Jun 12, 2024, 3:49 PM 
Thanks for the recommendation Peet. I’m curious, about the time your email came through, we had a new user pop up in Slack “MEPAdmin”. Did you create that user?

Grant Kier

President & CEO

Missoula Economic Partnership

406.541.6461

From: Artichoke Support - Peet <[email protected]>
Date: Monday, June 10, 2024 at 11:36AM
To: Keeza Leavens <[email protected]>
Cc: Grant Kier <[email protected]>
Subject: Continued phishing (message id: 82585788)
Artichoke Support - Peet (internal) Jun 12, 2024, 6:54 PM 
Grant,
100% me. Needed the account to see if I could find any sort of access logs for the Sharepoint integration, but alas no. The free version of slack has virtually no admin accessible logging.

I would 100% recommend migrating to Teams for chat and group collaboration. Both because it's more unified with M365, SharePoint and existing M365 identities, but also because it's a paid part of the M365 stack, so there are no limitations on number of messages/posts that are available or other features of the product like logging. The most important reasons are logging and security. When third party applications access M365 data, the picture of what is accessed, when, where and by whom gets much more complicated to work out. And gaps can from around the third party tools own logging.

All that said, if we can map the existing Slack channels that you'd like moved over to Microsoft Teams ... Teams, I'd be happy to rebuild the structure for you within Teams so we could hopefully have a drop-in replacement. I'm researching what kind of lift there is to migrate posts from Slack to Teams and can let you know what I find.

Cheers.Peet
customer-reply (internal) Jun 12, 2024, 7:51 PM 
Great! Love it. Honestly, I’m not too worried about the mapping and saving old information so if there’s not a cheap and easy way to do it then don’t invest too much time. I’ll ask Keeze (copied) to sit down with our team and figure out what really matters on Slack and what we can ditch in transition.

Thanks,

Grant

Grant Kier

President & CEO

Missoula Economic Partnership

406.541.6461

From: Artichoke Support - Peet <[email protected]>
Date: Wednesday, June 12, 2024 at 12:54PM
To: Keeza Leavens <[email protected]>
Cc: Grant Kier <[email protected]>, Nicole Rush <[email protected]>
Subject: Continued phishing (message id: 82585788)
customer-reply (internal) Jun 12, 2024, 8:07 PM 
Peet, can I get that answer to you after our staff meeting next Tuesday? If not, I will work on getting it before the end of the week.

From: Grant Kier <[email protected]>
Date: Wednesday, June 12, 2024 at 1:51PM
To: Artichoke Support - Peet <[email protected]>, Keeza Leavens <[email protected]>
Subject: Re: Continued phishing (message id: 82585788)

Great! Love it. Honestly, I’m not too worried about the mapping and saving old information so if there’s not a cheap and easy way to do it then don’t invest too much time. I’ll ask Keeze (copied) to sit down with our team and figure out what really matters on Slack and what we can ditch in transition.

Thanks,

Grant

Grant Kier

President & CEO

Missoula Economic Partnership

406.541.6461

From: Artichoke Support - Peet <[email protected]>
Date: Wednesday, June 12, 2024 at 12:54PM
To: Keeza Leavens <[email protected]>
Cc: Grant Kier <[email protected]>, Nicole Rush <[email protected]>
Subject: Continued phishing (message id: 82585788)
Artichoke Support - Peet (internal) Jun 12, 2024, 9:30 PM 
Keeza,

NP, this can happen on your schedule/timeline.

Cheers.Peet
customer-reply (internal) Jun 13, 2024, 7:00 PM 
Slack channels to get rid of:

- Bedrock
- Bre
- Ceds
- Covid-business-grant
- Covid-taskforce
- Neoncrm
- Staff-retreat
- Teamgantt

We would like to keep:

- Social=media
- Random
- Not working (can we rename to repairs or something similar? I think this is what this channel is used for?)
- Mep-events
- Genera;
- Fundraising campaign
- Annual meeting

That should be good. We will continue to utilize slack until the teams is set up. Thanks!

From: Keeza Leavens <[email protected]>
Date: Wednesday, June 12, 2024 at 2:06PM
To: Grant Kier <[email protected]>, Artichoke Support - Peet <[email protected]>
Subject: Re: Continued phishing (message id: 82585788)

Peet, can I get that answer to you after our staff meeting next Tuesday? If not, I will work on getting it before the end of the week.

From: Grant Kier <[email protected]>
Date: Wednesday, June 12, 2024 at 1:51PM
To: Artichoke Support - Peet <[email protected]>, Keeza Leavens <[email protected]>
Subject: Re: Continued phishing (message id: 82585788)

Great! Love it. Honestly, I’m not too worried about the mapping and saving old information so if there’s not a cheap and easy way to do it then don’t invest too much time. I’ll ask Keeze (copied) to sit down with our team and figure out what really matters on Slack and what we can ditch in transition.

Thanks,

Grant

Grant Kier

President & CEO

Missoula Economic Partnership

406.541.6461

From: Artichoke Support - Peet <[email protected]>
Date: Wednesday, June 12, 2024 at 12:54PM
To: Keeza Leavens <[email protected]>
Cc: Grant Kier <[email protected]>, Nicole Rush <[email protected]>
Subject: Continued phishing (message id: 82585788)
customer-reply (internal) Jun 13, 2024, 7:38 PM 
Thanks Keeza

Peet – FYI I think the third to last is “general” not “genera”.

Grant Kier

President & CEO

Missoula Economic Partnership

406.541.6461

From: Keeza Leavens <[email protected]>
Date: Thursday, June 13, 2024 at 1:00PM
To: Grant Kier <[email protected]>, Artichoke Support - Peet <[email protected]>
Subject: Re: Continued phishing (message id: 82585788)

Slack channels to get rid of:

- Bedrock
- Bre
- Ceds
- Covid-business-grant
- Covid-taskforce
- Neoncrm
- Staff-retreat
- Teamgantt

We would like to keep:

- Social=media
- Random
- Not working (can we rename to repairs or something similar? I think this is what this channel is used for?)
- Mep-events
- Genera;
- Fundraising campaign
- Annual meeting

That should be good. We will continue to utilize slack until the teams is set up. Thanks!

From: Keeza Leavens <[email protected]>
Date: Wednesday, June 12, 2024 at 2:06PM
To: Grant Kier <[email protected]>, Artichoke Support - Peet <[email protected]>
Subject: Re: Continued phishing (message id: 82585788)

Peet, can I get that answer to you after our staff meeting next Tuesday? If not, I will work on getting it before the end of the week.

From: Grant Kier <[email protected]>
Date: Wednesday, June 12, 2024 at 1:51PM
To: Artichoke Support - Peet <[email protected]>, Keeza Leavens <[email protected]>
Subject: Re: Continued phishing (message id: 82585788)

Great! Love it. Honestly, I’m not too worried about the mapping and saving old information so if there’s not a cheap and easy way to do it then don’t invest too much time. I’ll ask Keeze (copied) to sit down with our team and figure out what really matters on Slack and what we can ditch in transition.

Thanks,

Grant

Grant Kier

President & CEO

Missoula Economic Partnership

406.541.6461

From: Artichoke Support - Peet <[email protected]>
Date: Wednesday, June 12, 2024 at 12:54PM
To: Keeza Leavens <[email protected]>
Cc: Grant Kier <[email protected]>, Nicole Rush <[email protected]>
Subject: Continued phishing (message id: 82585788)
System (internal) Jun 14, 2024, 7:51 PM 
Ticket split to [28072](/tickets/82758573)