Rough Week for a CEO of a Logistics company with 1000 employees - Cybersecurity's Role
The emails below are reproduced exactly as they were sent, with sensitive and identifying details redacted. This blog post shares what can happen to any company with a disgruntled employee.
This week a person used Proton.me, and then Protonmail.com after the first domain was blocked, to send email to all of the company-wide distribution lists that are public.
First email:
From: RestoreXXXXXX <[Redacted]@proton.me>
Sent: Wednesday, November 20, 2024 1:50 PM
To: dispatch@[Redacted].com; AP <ap@[Redacted].com>; ar@[Redacted].com; hr@[Redacted].com; XXXdispatch@[Redacted].com; XXXperdiem@[Redacted].com; safety@[Redacted].com
Subject: Restoring [Company Name] to Its Former Glory
Dear Team,
I’m reaching out because it’s time we address the pressing issues that have been weighing on all of us. The current state of [REDACTED] is not what it once was, and we all know where the responsibility lies. [Leadership Name]'s actions have taken a toll on this company—our insurance is being cut, wages are being garnished, and morale is at an all-time low.
We deserve better. [Company Name] deserves better. It’s clear that only by restoring [Previous Leader] to full power can we regain what we’ve lost and set this company back on the path to success. [Previous Leader]'s vision and leadership built the strong foundation of [Company Name], and we need them at the helm to ensure our future is bright once again.
It’s time for us to stand united and make [REDACTED] great again.
Second email:
From: XXXXXXX <[Redacted]@protonmail.com>
Sent: Thursday, November 21, 2024 2:02 PM
To: dispatch@[Redacted].com; AP <ap@[Redacted].com>; ar@[Redacted].com; hr@[Redacted].com; XXXispatch@[Redacted].com; XXXdiem@[Redacted].com; safety@[Redacted].com; [Specific Employee] <[Redacted]@[Redacted].com>
Subject: [Leadership Name]'s Disruptive Changes This Is Not XXXX!
This has to stop! [Leadership Name] is not only taking away your health insurance, but now they're also targeting your raises. They manipulated the review process to ensure that only their allies review each other, while others are left behind. I’ve seen their proposals for next year, and they’re incredibly concerning.
Starting in February 2025, [Leadership Name] plans to cut vacation days. Additionally, they’ve been in discussions with IT to ensure that personal cell phones won’t work in company offices, meaning you won’t even be able to use your phone to contact your family in an emergency.
This is NOT the [REDACTED] way, and it’s certainly not how the elite operate. We need to take action now and remove [Leadership Name] from power before their actions cause more harm to the team.
Let’s unite and demand change.
WHAT DID THE IT SECURITY TEAM DO:
- Blocked both Proton domains from sending to anyone in the company
- Traced the emails in O365 to see if anyone forwarded an internal message to Proton
- Ran a report on the Zorus Web DNS to see if anyone went to Proton on the company network
- Reviewed Meraki firewall logs
- Reviewing the need versus the risk of having the distribution lists open to external senders
WHAT DID WE FIND & LEARN:
- In the DNS report we found the exact user and the time they went to Proton.me
- Proton.me does not respond unless directed by Swiss courts
- Even with the domain blocked, anyone can send damaging emails via free or other hidden email services (Gmail)
- Email headers are not available with Proton email since it is encrypted
- If someone is irreplaceable, they may keep their job
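The DNS-report step above can be scripted. The following is an added example, not code from the incident or from the original post: it filters a DNS export for the two Proton domains and keeps only lookups made shortly before each email was sent. The CSV columns, user and device names, the UTC-5 offset and the 30-minute window are all assumptions, and the sample rows are constructed.

```python
import csv, io
from datetime import datetime, timedelta, timezone

WATCHED = ("proton.me", "protonmail.com")  # the two sender domains named in the post

# Constructed sample; the column layout is an assumption, not Zorus's export format.
SAMPLE_DNS_CSV = """timestamp_utc,user,device,domain
2024-11-20T14:05:00Z,user_b,LAPTOP-02,proton.me
2024-11-20T18:41:07Z,user_a,LAPTOP-01,account.proton.me
2024-11-20T18:45:00Z,user_c,LAPTOP-03,myproton.me
2024-11-21T18:55:30Z,user_a,LAPTOP-01,mail.protonmail.com
2024-11-21T18:58:00Z,user_d,LAPTOP-04,mail.protonmail.com
2024-11-21T19:10:00Z,user_b,LAPTOP-02,proton.me
"""

# "Sent" times from the two headers; the UTC-5 offset is assumed (the post gives none).
LOCAL = timezone(timedelta(hours=-5))
SEND_TIMES = [datetime(2024, 11, 20, 13, 50, tzinfo=LOCAL),
              datetime(2024, 11, 21, 14, 2, tzinfo=LOCAL)]

def is_watched(domain):
    """Match the domain or a subdomain of it, never a lookalike such as myproton.me."""
    d = domain.lower().rstrip(".")
    return any(d == w or d.endswith("." + w) for w in WATCHED)

def parse_dns(text):
    """Return (utc_time, user, device, domain) for lookups of watched domains."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        if is_watched(r["domain"]):
            ts = datetime.strptime(r["timestamp_utc"], "%Y-%m-%dT%H:%M:%SZ")
            rows.append((ts.replace(tzinfo=timezone.utc), r["user"], r["device"], r["domain"]))
    return rows

def correlate(rows, send_times, window=timedelta(minutes=30)):
    """For each send time, keep lookups made in the `window` leading up to it."""
    return {sent: [r for r in rows if timedelta(0) <= sent - r[0] <= window]
            for sent in send_times}

def users_near_every_send(hits):
    """Users with a matching lookup before every message, not just one."""
    per_send = [{r[1] for r in rows} for rows in hits.values()]
    return set.intersection(*per_send) if per_send else set()

if __name__ == "__main__":
    hits = correlate(parse_dns(SAMPLE_DNS_CSV), SEND_TIMES)
    for sent, rows in hits.items():
        print(sent.astimezone(timezone.utc).isoformat(), [(r[1], r[3]) for r in rows])
    print("present before every send:", users_near_every_send(hits))
```

In practice, take the send times from the received timestamp in the O365 message trace rather than the client-supplied Sent field, and treat a match as a lead to confirm against the firewall logs.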
CLOSING OPINION:
I have seen several companies harassed with these types of emails. The disgruntled person hides behind an email and sends it to everyone anonymously. Personally, I feel if you are this unhappy, then look for other work. You can choose to send these types of messages directly to the person you are attacking without an audience and still have the satisfaction that you were heard on your way out. Society has keyboard tough guys saying things to, and attacking, those they could never say it to face to face, with no recourse.