Brandywine Counselling and Community Services

On March 13, 2020, ExecuPharm, a pharmaceutical company located in King of Prussia, PA, suffered a Maze ransomware attack that included the theft of sensitive information. The operators of Maze ransomware carry out manual attacks and steal data from the breached entity before encrypting it. They then threaten to publish the data if the victim does not pay the ransom. That is what happened in this attack.

The attackers previously told the press that they would not launch ransomware attacks on medical institutions during the COVID-19 crisis. Nonetheless, it appears that pharma companies are not excluded from their campaigns. In this case, the data posted on the Maze web page consists of financial information, records, database backup files, and other sensitive data.

According to an announcement by ExecuPharm, a leading cybersecurity company is assisting with the investigation to determine the nature and extent of the breach. The firm has reported the breach to the authorities, and all affected persons have received notifications.

Aside from company data, the attackers accessed and downloaded the personal data of workers. That data includes financial data, Social Security numbers, driver’s licenses, passport numbers, bank account details, credit card numbers, IBAN/SWIFT numbers, national insurance numbers, beneficiary details, and other sensitive data. The attackers also stole certain information related to its parent company, Parexel. People affected by the breach were offered complimentary one-year identity theft monitoring services.

The company used backups to rebuild its servers, and once systems were recovered, all data were restored from backups as well. Additional measures are being put in place to improve its security against attacks. The company set up multi-factor authentication for remote connections, detection and response forensics tools on all systems, and endpoint security. Email security measures were also strengthened to block ransomware emails.

Ransomware Attack on Brandywine Counselling and Community Services

Brandywine Counselling and Community Services, located in Delaware, also recently suffered a ransomware attack.

Brandywine discovered the attack on February 10, 2020 and hired a computer forensic company to assist with the investigation. The investigation confirmed that servers affected by the attack held certain client data which was obtained by the attackers.

The breach report indicating 4,262 persons were affected was submitted to the HHS’ Office for Civil Rights. The stolen information included the names of clients, addresses, birth dates, and/or limited clinical data, like name(s) of provider, diagnosis, treatment data, and/or prescription(s), and some driver’s license numbers and Social Security numbers.

The people whose driver’s license number or Social Security number was exposed were offered free credit monitoring and identity theft protection services. Additional security measures were being implemented to prevent further ransomware attacks.

CISA Warns of Continuing Cyberattacks on Pulse Secure VPNs Despite Patching

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert to all organizations that use Pulse Secure VPN servers, warning that patching the vulnerabilities may not be enough to prevent cyberattacks. CISA is aware that attacks are still taking place even after patches for the identified vulnerabilities have been applied.

CISA published an advisory roughly a year ago urging businesses to patch a vulnerability (CVE-2019-1151) discovered in Pulse Secure Virtual Private Network appliances because of the high risk of exploitation. Many organizations did not apply the patch promptly, and cybercriminals took advantage.

CVE-2019-1151 is an arbitrary file read vulnerability affecting Pulse Secure VPN appliances. The vulnerability was found in the spring of last year, and Pulse Secure released a patch for it in April 2019. A few advanced persistent threat groups are known to have exploited the vulnerability to steal information and to install ransomware and other malware. Because exploitation lets attackers steal information, they can retain access to systems even after the patch is applied if the credentials have not been changed.

CISA found threat actors exploiting the vulnerability to deploy ransomware at a couple of government agencies and medical centers, even after the patches had been applied.

First, cybercriminals took advantage of the vulnerability to access the network via vulnerable VPN products.

Second, the attackers obtained plaintext Active Directory credentials and used the related accounts with external remote services for access and for lateral movement.

Third, the threat actors deployed malware and ransomware and/or exfiltrated and offered for sale sensitive organization data.

The threat actors used Tor infrastructure and virtual private servers to reduce the likelihood of detection whenever they connected to the victims’ VPN devices. Many victims failed to identify the compromise because their antivirus and intrusion detection tools did not flag the suspicious remote access, since the attackers used legitimate login credentials and remote services. Some attackers used LogMeIn and TeamViewer to make sure they kept access even if the primary connection was lost.

When patches are applied for vulnerabilities that are known to be actively exploited in real-world attacks, organizations must also investigate whether the vulnerability was already used to gain access to systems. Patching stops threat actors from exploiting the vulnerability any further, but if a system has already been compromised, applying the patch will not remove the attackers from the network.

CISA has now developed a tool that organizations can use to determine whether the Pulse Secure VPN vulnerability has already been exploited. The tool can be used to search the log files of Pulse Secure VPN servers to find out when the gateway was compromised. Besides helping system administrators triage logs, the tool also searches for Indicators of Compromise (IoCs) linked to exploitation of the Pulse Secure vulnerability.

If organizations find evidence of malicious, anomalous or suspicious activity or data, they should consider reimaging the server or workstation and redeploying it back into the environment. CISA advises running checks to confirm the infection has been eliminated even when the host or workstation has been reimaged.

Aside from carrying out the scans, CISA advises changing Active Directory passwords and searching for unauthorized applications, scheduled tasks, and any remote access software that was installed without the IT department’s approval. Scans should also be run to find any remote access Trojans and other malware that may have been deployed.
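
Part of this post-patch review can be scripted. The following Python code is an added example, not CISA's tool and not code from the original article: it lists accounts whose password predates the patch and flags their post-patch VPN logins that come from anonymising or hosting ranges or from a source not seen for that account before. The log layout, account names, dates and address ranges are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# --- Constructed sample data: every name, date and address is made up. ---
PATCH_APPLIED = datetime(2020, 1, 10)

# Hypothetical directory export: account -> when its password was last set.
PASSWORD_LAST_SET = {
    "alice": datetime(2020, 1, 12),        # rotated after the patch
    "bob": datetime(2019, 6, 3),           # predates the patch
    "svc-backup": datetime(2018, 11, 20),  # predates the patch
}

# Stand-ins (documentation ranges) for a Tor exit list and hosting-provider
# ranges that a defender would load from their own feeds.
SUSPECT_NETWORKS = {
    "tor-exit": ip_network("198.51.100.0/24"),
    "vps": ip_network("203.0.113.0/24"),
}

# Assumed log layout: "timestamp user source_ip result".
VPN_LOG = """\
2019-12-02T08:01:11 bob 192.0.2.10 success
2019-12-03T08:03:40 alice 192.0.2.22 success
2020-01-15T02:14:09 bob 198.51.100.7 success
2020-01-15T08:00:51 bob 192.0.2.10 success
2020-01-16T03:30:00 svc-backup 203.0.113.99 success
2020-01-16T09:12:00 alice 198.51.100.7 failure
2020-01-17T08:05:00 alice 192.0.2.22 success
"""


@dataclass(frozen=True)
class Login:
    when: datetime
    user: str
    source: str
    ok: bool


def parse_log(text):
    """Parse the assumed four-field log layout, skipping malformed lines."""
    logins = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        when, user, source, result = parts
        logins.append(Login(datetime.fromisoformat(when), user, source,
                            result == "success"))
    return logins


def stale_credentials(password_last_set, patch_time):
    """Accounts whose password was set before the patch: anything harvested
    through the vulnerability is still valid for them."""
    return sorted(u for u, t in password_last_set.items() if t < patch_time)


def classify_source(source):
    """Return the label of the suspect range holding this address, or None."""
    addr = ip_address(source)
    for label, net in SUSPECT_NETWORKS.items():
        if addr in net:
            return label
    return None


def triage(log_text, password_last_set, patch_time):
    """Flag successful post-patch logins by unrotated accounts that come from
    a suspect range or from a source absent from the pre-patch baseline."""
    logins = parse_log(log_text)
    stale = set(stale_credentials(password_last_set, patch_time))
    baseline = {}  # user -> sources seen in successful pre-patch logins
    for entry in logins:
        if entry.ok and entry.when < patch_time:
            baseline.setdefault(entry.user, set()).add(entry.source)
    findings = []
    for entry in logins:
        if not entry.ok or entry.when < patch_time or entry.user not in stale:
            continue
        reasons = []
        label = classify_source(entry.source)
        if label:
            reasons.append(label)
        if entry.source not in baseline.get(entry.user, set()):
            reasons.append("new-source")
        if reasons:
            findings.append((entry.user, entry.source,
                             entry.when.isoformat(), reasons))
    return findings


if __name__ == "__main__":
    print("rotate first:", stale_credentials(PASSWORD_LAST_SET, PATCH_APPLIED))
    for finding in triage(VPN_LOG, PASSWORD_LAST_SET, PATCH_APPLIED):
        print("investigate:", finding)
```

A valid login from a familiar address is not flagged here, so the list from `stale_credentials` still has to be rotated in full.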

A number of companies that use VPN servers for remote access don’t use multi-factor authentication, which means that any stolen credentials can be used to access systems through the VPN gateways. With multi-factor authentication in place, using stolen credentials becomes significantly more difficult, as a second factor is required before access is granted.

Phishing Attacks on Saint Francis Ministries and Hartford Healthcare Reported

The Saint Francis Ministries health system announced that an unauthorized person gained access to the email account of an employee, possibly exposing patient data.

The health system discovered the breach on December 19, 2019 after detecting suspicious activity in the employee’s email account. A third-party computer forensics firm investigated the breach and determined on February 12, 2020 that the email account had been accessed without authorization from December 13, 2020 to December 20, 2019. It could not be determined whether the attacker viewed emails containing patient data or downloaded any email data; however, no reports have been received that indicate misuse of any patient data.

A review of the affected email accounts was completed on March 24, 2020 and showed the potential breach of the following data: name, birth date, driver’s license number, state ID number, Social Security number, credit or debit card number, bank or financial account number, username and password, diagnosis, treatment data, prescription details, name of provider, Medicare/Medicaid number, medical record number, medical insurance details, and treatment cost data.

On April 12, Saint Francis Ministries began mailing breach notification letters to affected persons. The health system also offered the affected patients free credit monitoring and identity theft protection services and took action to strengthen email security to prevent similar breaches in the future.

Phishing Attack on Hartford Healthcare

Hartford Healthcare, a healthcare network in Connecticut and Rhode Island, suffered a phishing attack, which it announced on April 13, 2020. The network discovered the attack on February 13, 2020 after detecting unusual activity in two employees’ email accounts.

With the assistance of a third-party computer forensics firm, Hartford Healthcare established that the attackers gained access to the accounts between February 13 and February 14, 2020.

At least one email account had the protected health information (PHI) of some patients, including names, medical insurance data, medical record numbers, and other health-related records. The email accounts also contained the Social Security numbers of 23 patients.

Hartford Healthcare stated that the attack affected 2,651 patients and that notifications are now being mailed. The 23 people whose Social Security numbers were potentially exposed were offered two years of free credit monitoring and identity theft protection services.

Kwampirs APT Group Is Still Attacking Healthcare Companies through the Supply Chain

An Advanced Persistent Threat (APT) group identified as Kwampirs, also called OrangeWorm, continues to attack healthcare companies and compromise their systems with the Kwampirs Remote Access Trojan (RAT) as well as other malware payloads.

The threat group has been active since about 2016, but activity has increased recently, with the FBI having issued three notifications about the APT group so far in 2020. Symantec’s report in April 2019 was the first to document attacks on healthcare companies through the supply chain.

The APT group is targeting several different industries, including healthcare, engineering, energy, and software vendors. The attacks on the healthcare sector are thought to have taken place through the vendor software supply chain and hardware products.

According to the FBI, the attacks have been highly effective. The APT group has attacked numerous hospitals across Asia, the United States and Europe, including local hospital groups and major transnational healthcare firms. The campaigns have involved locally infected machines and enterprise malware infections.

The APT group begins by gaining access to the devices of victim organizations and establishes a broad and persistent presence using the Kwampirs RAT in order to conduct computer network exploitation (CNE) campaigns. The attacks have two phases. The first involves using the Kwampirs RAT to gain broad and persistent access to hospital systems, which usually includes the delivery of various secondary malware payloads. The second involves adding more modules to the Kwampirs RAT to enable further exploitation of the compromised systems. The additional modules are tailored to the organization that was attacked. FBI reports say the attackers were able to maintain persistence on the compromised systems for a long time, from approximately 3 months to 3 years, during which they carried out extensive reconnaissance.

The APT group has targeted primary and secondary domain controllers, software development servers, engineering servers that hold source code for software development, and file servers that are used as repositories for R&D information. Once deployed, the Kwampirs RAT carries out daily command and control communications with domains and IP addresses encoded in the malware and downloads information.

The primary goal of the APT group appears to be cyber espionage; however, the FBI says that an analysis of the RAT revealed several code similarities with the Shamoon (Disttrack) wiper that was used in the Saudi Aramco attack in 2012. Nonetheless, the FBI says that it has not found any wiper modules in Kwampirs so far.

The FBI has provided advice and best practices to follow to strengthen security and reduce the risk of infection. These best practices include:

  • Update software and operating systems and apply patches
  • Use user input validation to restrict local and remote file inclusion vulnerabilities
  • Apply a least-privilege policy on the Web server to reduce the risk of privilege escalation and of pivoting laterally to other hosts, and to control file creation and execution in particular directories
  • Establish a demilitarized zone (DMZ) between internet-facing systems and the business network
  • Make sure all Web servers have a secure configuration and all unnecessary and unused ports are disabled or blocked
  • Use a reverse proxy to restrict accessible URL paths to known legitimate ones
  • Set up a Web application firewall
  • Perform regular virus scans and code reviews, application fuzzing, and server network analyses
  • Perform regular system and application vulnerability scans to identify areas of risk

CMS Announces Sweeping Regulatory Changes Because of the Increase in COVID-19 Patients

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) announced sweeping regulatory changes and waivers to give healthcare providers the most flexibility when caring for patients during the COVID-19 outbreak. The changes will allow healthcare providers to act as healthcare delivery coordinators in their areas.

The temporary changes remove restrictions with the aim of creating hospitals and health systems without walls. As a result, hospitals and health systems will find it easier to cope with a likely substantial increase in COVID-19 patients in the coming days.

Under normal circumstances, federal restrictions require hospitals to deliver healthcare services within their established facilities; however, this will not be feasible as patient numbers rise. As the number of COVID-19 cases grows, hospitals will reach capacity. Without additional sites to treat patients, they will be overwhelmed.

To make sure that all patients can be treated and nobody is left behind, the CMS has relaxed restrictions and issued interim new rules that allow treatment to be provided in other locations. Many ambulatory surgery centers have chosen to cancel elective procedures for the duration of the public health emergency. Hospitals and health systems will be allowed to use those locations, including inpatient rehabilitation hospitals, as well as hotels and dormitories, and will still be eligible for reimbursement for services under Medicare. The new locations may be used to provide healthcare services to non-COVID-19 patients in order to free up inpatient beds for COVID-19 patients who need intensive care and respirators.

The CMS stated that ambulatory surgery facilities have two choices.

  • They can contract with local healthcare systems to deliver services on behalf of the hospital
  • They can enroll and bill CMS as hospitals during the public health emergency declaration, provided that is not inconsistent with their State’s Emergency Preparedness or Pandemic Plan.

Healthcare organizations will not be allowed to operate outside the plans established at the community level.

To further increase capacity, the CMS has issued a waiver that lets doctor-owned hospitals add more beds without facing penalties. Hospitals are allowed to set up drive-through screening stations for COVID-19 and use off-campus testing sites, and coverage will be provided for lab technicians who have to travel to a Medicare beneficiary’s home to collect samples for COVID-19 testing. CMS is providing additional reimbursement for ambulances, which are likely to be needed to transport patients between healthcare facilities and doctors’ offices to make sure they receive the necessary treatment. Medicare coverage for respiratory-related devices and equipment has now been extended to cover any medical reason.

Changes were also made to help expand the healthcare workforce quickly. These include making Medicare enrollment easier for providers and allowing teaching hospitals to let medical residents provide services under the supervision of a teaching doctor. The CMS has also issued a blanket waiver allowing hospitals to provide more benefits to support their medical staff, such as multiple daily meals, laundry service for personal clothing, or child care services while doctors and other staff are at the healthcare facility providing patient care.

Changes were also made to reduce the administrative burden on healthcare workers, with the CMS putting patients ahead of paperwork by removing paperwork requirements so that doctors have more time to care for patients.

The CMS has already announced greater flexibility for telehealth services, with reimbursement now available for all Medicare beneficiaries in all locations. Coverage now includes around 80 additional services delivered via telehealth, provided those services are delivered by doctors permitted to provide telehealth services.

These changes and waivers are temporary and remain in effect for the duration of the national public health emergency for COVID-19, after which the CMS will review how to fully return to the existing system.

Solving the HIPAA Problem Using Compliancy Group’s Simple HIPAA Compliance Process

Compliance with all requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security, Privacy, Breach Notification, and Omnibus Rules can be a major challenge.

Many healthcare providers have set up a compliance program and believed they were HIPAA-compliant, only to discover through a compliance review or HIPAA audit that they are not complying with a number of HIPAA provisions. Those mistakes can prove very costly.

Compliance problems could quickly result in a data breach or can prompt the filing of a complaint with the Department of Health and Human Services’ Office for Civil Rights (OCR), which is the principal enforcer of HIPAA compliance.

OCR looks into submitted complaints and reported data breaches to ascertain if a healthcare organization has violated HIPAA Rules. It performs compliance audits to evaluate compliance of HIPAA covered entities and business associates of covered entities with all facets of HIPAA regulations.

OCR has increased its HIPAA compliance enforcement activities in recent years. In 2018, OCR imposed $28,683,400 in financial penalties on covered entities and business associates in relation to 11 enforcement actions. In 2019, OCR issued financial penalties for 10 compliance investigations.

Resolving HIPAA Compliance Problems

Compliancy Group is aware of the importance of HIPAA compliance and the challenges faced by HIPAA-covered entities and business associates when trying to implement and maintain an effective compliance program.

To make the HIPAA compliance process simpler, Compliancy Group has developed a software program that guides entities through the compliance process. The software, called The Guard, streamlines everything an organization must do to achieve HIPAA compliance, minimize risk, and avoid penalties.

The Compliancy Group is hosting webinars from time to time to demonstrate the simplicity of using The Guard for completing the HIPAA compliance process.

With the help of Compliancy Group’s webinar and their compliance coaches, covered entities and business associates can realize compliance and meet all federal requirements. Find out more about the webinars being hosted by the Compliancy Group on this page.

Law Firm Files Class Action Lawsuit For Overcharging for Copy of Patient’s Health Records

A law firm is suing Medical Records Online (MRO), a healthcare release-of-information solution provider, for charging excessive fees to law firms and insurance providers for digital copies of patients’ medical records.

Cipriani & Werner of Pittsburgh filed the lawsuit in federal court in Camden, NJ. The lawsuit concerns MRO’s charges for providing a copy of a patient’s health records for a personal injury case against the retailer Kohl’s, which the law firm represents.

Cipriani & Werner obtained the medical records of the plaintiff in the lawsuit from John F. Kennedy Medical Center, located in Edison, NJ. MRO billed $528 for 518 pages of the plaintiff’s medical records. The law firm was charged a $10 search fee and $1 per page, even though the records were provided digitally as a PDF file.

Cipriani & Werner alleges that MRO violated the New Jersey Declaratory Judgement Act by charging unlawful fees well above the maximum limit. Other claims made include:

  • a claim under the New Jersey Consumer Fraud Act with respect to unconscionable commercial practices
  • a breach of New Jersey common law
  • a breach of contract for violating the implied covenant of good faith and fair dealing

The New Jersey Administrative Code allows a $10 search fee to be charged for providing copies of medical records to third parties, a fee of $1 per page, and the actual cost of postage and media for delivering the records (e.g. a compact disc). Cipriani & Werner says the bill should have included only a $10 search fee, with no per-page charge, because the records were not printed.

The lawsuit claims that whether MRO was providing copies of only a few pages or hundreds of pages, copying electronically stored records and sending them to the client took the same amount of time and work. Cipriani & Werner said the whole process took only 5 minutes.

The Schnader Harrison Segal & Lewis law firm of Cherry Hill, NJ, which represents MRO, says that the service charge was entirely legal and in line with state policies.

The lawsuit refers to a 2015 memorandum from the New Jersey State Department which prohibits health record providers from charging per-page fees for electronically transmitted copies of medical records, or per-page rates when records are provided to purchasers by means of computer equipment. However, the state department memo is not applicable in this lawsuit because the Department of Health in New Jersey has no authority over MRO and the memo did not go through the official rule-making process in the State of New Jersey.

The class members are mostly legal professionals and insurance firms who ordered copies of electronic medical records from MRO from September 2015 to February 2020 and who were likewise charged for electronic copies of health records in civil cases. The lawsuit names only MRO, not any healthcare organization that uses MRO to handle requests for copies of medical records.

Compliance with the New York SHIELD Act Data Security Provisions Required by March 2020

The New York Governor signed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act into law in July 2019. The New York SHIELD Act broadened breach notification requirements for businesses that collect the personal data of New York residents. The data security provisions of the New York SHIELD Act became effective on March 21, 2020.

Some businesses are exempt from the requirements of the New York SHIELD Act, including:

  • small businesses that have fewer than 50 staff
  • small businesses with less than $3 million in gross income for the last 3 fiscal years
  • small businesses whose year-end total assets are under $5 million

For the businesses listed above, the data security program may be scaled according to the size and complexity of the business, the nature of its activities, and the sensitivity of the private information collected.

For the majority of HIPAA-covered entities, compliance is going to be quite simple. Entities that comply with the Health Insurance Portability and Accountability Act (HIPAA) are regarded as compliant with the New York SHIELD Act.

New York SHIELD Act Requirements for HIPAA Covered Entities

Compliance with HIPAA is not a guarantee that an entity is compliant with the New York SHIELD Act. Although there is some overlap, the data types covered by the New York SHIELD Act differ from those covered by HIPAA. HIPAA-covered entities collecting the personal information of New York State residents must ensure compliance with the data security provisions of the SHIELD Act for those data types. See the picture below.

One example of where the SHIELD Act applies and HIPAA does not is IT systems that store employee information, such as Social Security numbers or driver’s license numbers, but not protected health information (PHI). Although HIPAA does not cover that information, the SHIELD Act requires reasonable administrative, technical, and physical safeguards to protect the data. See the Data Security Requirements of the SHIELD Act in the image below.

National Institutes of Health IT Flaws Put EHR Data at Risk

The Department of Health and Human Services’ Office of Inspector General (OIG) performed a review of the National Institutes of Health (NIH). The audit findings showed that technology management problems in the NIH digital health records system and IT systems endanger the patients’ protected health information (PHI).

NIH received $5 million in congressional appropriations in FY 2019 to oversee the NIH grant programs and operations. Congress wanted to make sure that cybersecurity controls were in place to protect sensitive information and to determine whether NIH complies with Federal regulations.

CliftonLarsonAllen LLP (CLA) conducted the audit on July 16, 2019 on behalf of OIG to determine the effectiveness of certain NIH IT controls and to assess how NIH receives, processes, stores and transmits electronic health records (EHR) in its Clinical Research Information System (CRIS), which contained the EHRs of NIH Clinical Center patients.

NHS has around 1,300 doctors, PhD researchers and dentists, 830 nurses, and approximately 730 allied healthcare specialists. In 2018, the Clinical Center had more than 9,700 new patients, more than 4,500 inpatient admissions, and more than 95,000 outpatient consultations.

CLA found that NIH had implemented controls to ensure the confidentiality, integrity and availability of health information in its EHR and information systems; however, those controls were not working effectively. As a result, unauthorized people could have accessed the data in its EHR system and information systems. Data was at risk of impermissible disclosure, modification, and disruption.

The National Institute of Standards and Technology (NIST) recommends that primary and alternate EHR processing sites be geographically separate. Geographic separation reduces the risk of unintended disruptions and helps ensure that critical operations can be restored when prolonged interruptions occur. OIG found that the primary and alternate sites were located in nearby buildings on the NIH campus. If a catastrophic event occurred, there was a high probability that both sites would be affected.

The hardware used for the EHR system was possibly approaching end of life or was on extended support. Four servers were running a Windows operating system that Microsoft has not supported since 2015. NIH paid for extended support until January 2020; however, OIG found there was no effective transition plan. OIG also found that NIH was not deactivating user accounts promptly when staff members’ contracts ended or they left NIH. Of 26 user accounts that had been inactive for over 365 days, 19 had not been deactivated. Of the 61 terminated user accounts, 9 remained active. Of the 25 new CRIS users, 3 had their permissions modified without a form being completed for the change.

NIH told CLA that it had postponed software upgrades until system upgrades were complete. NIH was upgrading its hardware during the fieldwork, and improvements to CRIS are expected. Software upgrades were scheduled to be carried out after the hardware upgrade was complete.

NIH had implemented an automated tool to find inactive accounts and delete them; however, the tool was not fully implemented at the time of the fieldwork. There were problems with the tool, for instance in tracking persons who switched departments.
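
One way to run the account checks OIG describes, shown as an added example that is neither NIH's tool nor code from the original article: accounts are matched to the staff roster by a stable person ID, so someone who switched departments is routed to an entitlement review instead of being treated as an orphaned account. The roster and account fields, names and sample dates are constructed assumptions; the 365-day threshold is the one cited above.

```python
from datetime import date

INACTIVE_DAYS = 365          # threshold cited in the audit findings
AS_OF = date(2019, 7, 16)    # review date used for the sample run

# --- Constructed sample data; field names are assumptions. ---
ROSTER = {                   # stable person ID -> current HR record
    "P001": {"status": "active", "dept": "Cardiology"},
    "P002": {"status": "terminated", "dept": "Oncology"},
    "P003": {"status": "active", "dept": "Radiology"},   # moved from Oncology
    "P004": {"status": "active", "dept": "Pharmacy"},
}
ACCOUNTS = [
    {"user": "jdoe", "person_id": "P001", "dept": "Cardiology",
     "enabled": True, "last_login": date(2019, 7, 1)},
    {"user": "rroe", "person_id": "P002", "dept": "Oncology",
     "enabled": True, "last_login": date(2019, 6, 30)},
    {"user": "mlee", "person_id": "P003", "dept": "Oncology",
     "enabled": True, "last_login": date(2019, 7, 10)},
    {"user": "kpat", "person_id": "P004", "dept": "Pharmacy",
     "enabled": True, "last_login": date(2018, 5, 1)},
    {"user": "tmp-lab", "person_id": "P999", "dept": "Lab",
     "enabled": True, "last_login": None},
    {"user": "rroe-old", "person_id": "P002", "dept": "Oncology",
     "enabled": False, "last_login": date(2017, 3, 2)},
]


def naive_delete_list(accounts, roster):
    """Weak matching: keep an account only if its owner is active in the
    department recorded on the account. Anyone who changed department looks
    orphaned, and long-idle accounts are never examined."""
    active_in_dept = {(pid, rec["dept"]) for pid, rec in roster.items()
                      if rec["status"] == "active"}
    return sorted(a["user"] for a in accounts
                  if a["enabled"]
                  and (a["person_id"], a["dept"]) not in active_in_dept)


def audit_accounts(accounts, roster, as_of):
    """Match on person ID only and give each enabled account its reasons."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already deactivated
        owner = roster.get(acct["person_id"])
        if owner is None:
            findings[acct["user"]] = ["no-owner"]
            continue
        reasons = []
        if owner["status"] == "terminated":
            reasons.append("owner-terminated")
        last = acct["last_login"]
        if last is None or (as_of - last).days > INACTIVE_DAYS:
            reasons.append("inactive")
        if owner["status"] == "active" and owner["dept"] != acct["dept"]:
            reasons.append("department-changed")
        if reasons:
            findings[acct["user"]] = reasons
    return findings


def plan(findings):
    """Split findings into accounts to disable and accounts to review."""
    disable_reasons = {"no-owner", "owner-terminated", "inactive"}
    disable = sorted(u for u, r in findings.items() if disable_reasons & set(r))
    review = sorted(u for u, r in findings.items() if u not in disable)
    return disable, review


if __name__ == "__main__":
    print("naive delete list:", naive_delete_list(ACCOUNTS, ROSTER))
    result = audit_accounts(ACCOUNTS, ROSTER, AS_OF)
    print("findings:", result)
    print("disable / review:", plan(result))
```

On the sample data the department-keyed matcher would delete the account of a current employee who moved departments and would miss the idle one, while the person-ID matcher separates the two cases.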

OIG recommended establishing an alternate processing site in a geographically distinct location and taking steps to mitigate the risks associated with the existing alternate site until the new site is set up. Policies and procedures should be implemented to make sure that software is upgraded before end of life, and NIH has to make sure that its automated tool is working as designed. NIH agreed with all recommendations and has described the actions that have been and will be taken to implement them.

New Report Shows the Brands Most Impersonated by Phishers

The new Vade Secure report revealed the top 25 most frequently impersonated brands in phishing attacks. The Q4 of 2019 Phishers’ Favorite report confirmed that PayPal continues to be the most often impersonated brand in phishing attacks, with 11,392 phishing URLs detected in Q4. PayPal has been number one on the list for two consecutive quarters. Detections of PayPal phishing URLs increased 23% year-over-year, and new PayPal phishing URLs are being detected at a rate of 124 per day.

Detections of phishing URLs impersonating Facebook also increased. The social media giant rose to second place, while Microsoft is 3rd and Netflix is 4th. Facebook phishing URL detections went up by 358.8% in Q4 of 2018.

Though Microsoft is in third place overall, it is the most often impersonated brand in corporate phishing attacks. Microsoft currently has more than 200 million active Office 365 business users, who are targeted by hackers seeking their Office 365 credentials. Office 365 accounts can contain large amounts of sensitive information and may be used to carry out spear-phishing attacks on partners and other staff within the organization.

A very visible change in Q4 was a substantial increase in phishing URLs impersonating WhatsApp, which lifted the Microsoft-operated instant messaging service to position 5. The 5,020 detected phishing URLs in Q4 represent a 13,467.6% increase compared to Q3 of 2019.

Because of the WhatsApp phishing URL detections, the percentage of phishing URLs for social media companies went up from 13.1% in Q3 to 24.1% in Q4. The brands completing the top ten were Bank of America (6th position), followed by CIBC (7th), Desjardins (8th), Apple (9th), and Amazon (10th). There was additionally a big increase in phishing URLs impersonating Instagram, which grew by 187.1% in Q4.

Financial services organizations were the most often impersonated in Q4 for the second successive quarter. Although phishers do impersonate big banking institutions, Vade Secure notes that phishers now favor smaller financial institutions, which may not have strong security controls in place to spot brand impersonation.

Vade Secure states that phishing attacks impersonating note-taking services like OneNote and Evernote increased markedly, alongside the increase in fake OneDrive and SharePoint notifications that lead to websites hosting phishing kits.