How we brought security awareness through the company with automation of open source tools and a Swedish (Phishing) fika

Daniel Wellington is a Swedish fashion brand founded in 2011. Since its inception, it has sold over 11 million watches and established itself as one of the fastest growing and most beloved brands in the industry.

We are heavily built upon open source and part of our tech way of working is to contribute back to the community if it is good for the big audience and not something that makes us competitive. One amongst many open source projects we use is GoPhish, deployed in AWS to conduct internal phishing campaigns.

We are sharing the the backend parts we have built in Python for campaign automation and Power Automate to handle user training reminders, escalation and account disable. We have also built a plugin in Office365 Outlook/OWA to report phishing built with NodeJS to flag in GoPhish if user spotted the campaign. The same plugin will also create a support case with all the needed email headers to speed up investigation if it is not an internal phishing campaign.

To minimize any successful attempts during the years, we have been running internal communication campaigns. This also includes security awareness such as phishing in our on-boarding program and we have also had a global Phishing fika (yes, we are a Swedish company!). The fika contained a short presentation about phishing and we had a “Fiskedamm” (Fishpond), a typical Swedish activity during kids birthdays but with a twist.

“Fiskedamm”, you use a fishing rod to fish and you get candy but in our case you would also get a phishing attempt that our SecOps seen and candy. Normally during kids birthdays you only get candy.

Since 2019 we have been conducting phishing campaigns towards 2200+ employees and connecting that to a quiz when the user fails, this is done to minimize any risk to get phished but not everyone was completing the quiz and we had a hard time follow up. On our scale we also frequently got blocked by Google Safe browsing, that is good but in our case when our employee actually clicks on our own phishing mail we want them to see how many would actually give out there credentials to our fake login webpage.

Our orchestration is also built to not get blocked by Google Safe browsing, by creating multiple load balancers and split employees between them during Phishing campaigns. With the AWS ELB we get https, dynamic generated dns and new ip’s out of the box without complicating things. When the campaign is over, we delete the ELB.

In Power Automate, we have setup a incoming webhook for the outgoing GoPhish webhook and we verify the signature. When we have the event, we take that forward. If the user was phished (when credentials are submitted) we add them to a training quiz, if it is the third time we add them to a in-depth training quiz and if they reported the mail we give them a high five!.

The GoPhish outgoing webhook starts the automation inside off Office365 through Power Automate.

When the user get phished and fills in there credentials, they get the following message on Microsoft teams and a similar e-mail to complete the training.

The automation also handles the reminders by Microsoft teams messages & mails. After two reminders it cc’s the manager and after two more reminders we cc the manager of the manager, that actually get the employee to complete the training really fast. If the training is not completed after six reminders, we create a ticket to disable the account until it is done. You can read more about the implementation here.

The user gets the following message on Microsoft teams when they report a phishing mail send from GoPhish.

Our experience when you start doing phishing campaigns at our scale is that Google safe browsing from your end-user starts picking up signals and blocking your domains in the dominant browsers out there (chrome, Firefox and safari). We could not send 250 mails per week without risking getting blocked, this was by creating new load balancers and grouping with 250 and mapping the landing page to a specific load balancer. As each load balancer in AWS gets a dynamic generated domain and new ip we get around the risk of getting blocked and now we run 5 campaigns in parallel per three weeks and that can be scaled up without any problems, the ELB are removed when the campaigns are over.

We built a python script to be able to take a csv file that will be divided in X amounts of groups of 250–300 with their own load balancer that will kick off the send out spread out over a week and a week more to wait for end users to read the mails (and potentially click on the link). You can find it here.

If you are looking for an powershell script that will export users from Active directory to a csv format that is compatible with GoPhish and upload to AWS S3, look no more, get it from here.

Besides that, we also created a phishing reporter, when the user suspects that something is fishy with an email. If it is part of our phishing campaigns, we automatically flag that mail as reported in GoPhish and collect statistics on that. Before the plugin, we manually counted each report to our support. If the mail is not part of our phishing campaign, the plugin extracts the raw mail including headers (yes, so we do not need to ask the user for that!) and it willd send a mail to our support team with the details. The Outlook / OWA plugin can be found here.

Since we implemented this automation we have seen a drastic change in how many that completes the quiz and we are also at the same time saving time for handling reports and follow manually.

We hope that the security community that uses GoPhish will benefit out of this contribution and bring up the security awareness across organizations.

Do you want to know more about how it is to work with technology at Daniel Wellington? Take a few minutes to watch the video and if you are open to new challenges, check out our open tech positions.