Your Office 365 account HAS BEEN compromised or hacked. What’s next?
One of the most common security support requests from our customers is for assistance with remediating an account compromise. The most common scenario is that a member of their organization became the victim of a phishing scam and the attacker obtained the password for their account.
So, that happened… One way or another, your credentials leaked outside your organization and Bad Actor(s)1 gained access to your account. Maybe you clicked the link in a phishing email and typed your login and password into a legitimate-looking phishing website. Or someone stole your laptop, which was not protected with a password and BitLocker encryption, or something else happened…
Now expect the worst: Bad Actor(s) have downloaded a copy of your mailbox with all your emails, contacts, attachments, calendar items, tasks, etc. They also have all your OneDrive for Business documents, the documents shared with you, and any documents and information they can reach through your account's permissions in your company infrastructure. This information can be stored indefinitely and used against you at any time.
Depending on what Bad Actor(s) see in your mailbox, inside your documents and in your organization's systems, they may treat your account differently. The best outcome is when they see no opportunity to steal money or information and simply use your account to spread laterally2 INSIDE and OUTSIDE of your organization: they start sending hundreds of phishing emails to your contacts under your name, your account gets blocked by Office 365 protection mechanisms, and that's it. The worst outcome is when Bad Actors see potential to steal something. Then they hide, wait, and learn how you and your organization operate over a long time, often measured in months. During that time they make no obvious or noticeable changes or actions, but gather information and try to spread laterally INSIDE your organization to gain access to other user accounts, systems and services that will help them achieve their goals.
So, what’s next?
- Block the user from signing in.
- Contact your CSP and let them know what happened. We at IT Partner provide a free 24/7 Security Incident Response service for all our clients who purchase Office 365 subscriptions through us. If you are not our client, please call anyway; we would be happy to help.
- Try to understand the intentions of the Bad Actor(s).
- Study your Office 365 sign-in logs and security reports. Which services did they access? For how long? From which devices? From which locations? Start with the Azure AD (AAD) sign-ins log.
- Did they send any emails? To whom? How many? Go to the Exchange Online Admin Center, click “Message flow”, then select the “Message Trace” tab. While in the EXO Admin Center, also check the Transport Rules and Connectors tabs.
- Did they create any personal email rules?
- Did they set up email forwarding outside your organization?
- Did they manage to install anything on your devices?
- If you have a Cloud App Security (CAS) subscription, you can see each and every action of the user, including every single file accessed, for up to 6 months after the incident.
- Delete any Inbox email rules not created by the user. Criminals often create rules to delete all or a portion of incoming email to slow down incident response actions.
- Inform your colleagues inside and your contacts outside your organization about what happened if Bad Actor(s) sent phishing emails to them.
- Remove the user from the Restricted Users portal, if needed.
- Install all the updates for Windows OS and Office Suite.
- Make sure you have Windows OS Firewall feature enabled and properly configured.
- Check the recovery email address and phone number associated with the user account.
- Enable and enforce MFA (Multi-Factor Authentication) for this user. MFA is the single most effective protection against all phishing-based attacks. It must be enabled at all times for all users in your organization. We recommend setting up a Baseline Security Policy OR enabling Security Defaults for your AAD tenant.
- Disable the IMAP protocol for all your mailboxes. IMAP is often used for Password Spray3 attacks, which are practically undetectable.
- Reset the user's password and unlock the account.
- Educate your users.
- OPTIONAL: Think about adding the Cloud App Security subscription to all or some of your users.
- OPTIONAL: Think about subscribing all or some of your users to Office 365 Advanced Threat Protection Plan 1.
- OPTIONAL: Think about the historic emails and documents that are now at the Bad Actor(s)' disposal. What can they find there? Can you take any proactive steps to prevent them from using that information?
Again, we strongly recommend setting up MFA authentication for all users and following all the other prioritized security recommendations provided by the Microsoft Secure Score service, a free service included with your Office 365 subscription.
The instructions above will help you take immediate action to recover from this incident. Unfortunately, you will not be able to delete or recall the messages sent from your account under your name, or prevent Bad Actor(s) from using the information they stole. But with the right combination of user training, internal anti-phishing mail flow rules, MFA and spam protection you can easily prevent such account compromises in the future.
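The core steps of the list above (block sign-in, pull the sign-in log and message trace, inspect and remove inbox rules and forwarding, review transport rules and connectors, disable IMAP/POP, reset the password) as one added PowerShell run-through. This is example code written for this page, not IT Partner's or Microsoft's own tooling; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds the required admin roles, and that the `$Upn` value and the look-back window are placeholders to replace.

```powershell
# Added example: first-response steps for a compromised Office 365 account.
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules; $Upn is a placeholder.
$Upn   = 'victim@contoso.example'     # compromised account (placeholder)
$Since = (Get-Date).AddDays(-10)      # message trace keeps 10 days of history

Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All','Directory.ReadWrite.All'
Connect-ExchangeOnline

# 1. Block sign-in and revoke refresh tokens so stolen sessions stop working.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Azure AD sign-in log for the user: when, from where, which app and client.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -All |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed,
                  @{n='Country'; e={ $_.Location.CountryOrRegion }},
                  @{n='ErrorCode'; e={ $_.Status.ErrorCode }} |
    Export-Csv ".\$Upn-signins.csv" -NoTypeInformation

# 3. Message trace: what did the account send, to whom, and how much?
Get-MessageTrace -SenderAddress $Upn -StartDate $Since -EndDate (Get-Date) -PageSize 5000 |
    Export-Csv ".\$Upn-sent.csv" -NoTypeInformation

# 4. Inbox rules: attackers add rules that delete, hide or forward incoming mail.
$Rules = Get-InboxRule -Mailbox $Upn
$Rules | Format-List Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo, ForwardAsAttachmentTo
$Suspicious = $Rules | Where-Object {
    $_.DeleteMessage -or $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo
}
# Confirm with the user which rules are theirs before running this removal.
$Suspicious | ForEach-Object { Remove-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false }

# 5. Mailbox-level forwarding (set outside of inbox rules).
$Mbx = Get-Mailbox -Identity $Upn
if ($Mbx.ForwardingSmtpAddress -or $Mbx.ForwardingAddress) {
    Write-Warning "Forwarding found: $($Mbx.ForwardingSmtpAddress) $($Mbx.ForwardingAddress)"
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

# 6. Tenant-wide: transport rules and connectors changed recently deserve a look.
Get-TransportRule     | Select-Object Name, State, Priority, WhenChanged
Get-InboundConnector  | Select-Object Name, Enabled, WhenChanged
Get-OutboundConnector | Select-Object Name, Enabled, WhenChanged

# 7. Disable legacy IMAP/POP for this mailbox and for the plan applied to new mailboxes.
Set-CASMailbox -Identity $Upn -ImapEnabled $false -PopEnabled $false
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# 8. Reset the password (random, change at next sign-in) and re-enable the account last.
$bytes = [byte[]]::new(18)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$NewPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $NewPassword; ForceChangePasswordNextSignIn = $true }
Update-MgUser -UserId $Upn -AccountEnabled:$true
```

Step 7 changes the CAS mailbox plan only for mailboxes created afterwards; existing mailboxes need `Set-CASMailbox` individually (for example `Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -ImapEnabled $false`). Keep the exported CSVs: they are the evidence for the "what did they access and send" questions in the list.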
IT Partner is always ready to help you build a safe and secure environment and protect your sensitive data.
1 Bad Actor – A cybersecurity adversary that is interested in attacking information technology systems.
2 Lateral movement refers to techniques cyber attackers use to progressively move through a network, searching for targeted key data and assets.
3 Password spraying is an attack method that takes a large number of usernames (millions) and loops through them with a single password. Bad Actors can run multiple iterations with a number of different passwords, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users with multiple passwords.
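The sign-in pattern footnote 3 describes (one source, many usernames, very few attempts per user) is exactly what the Azure AD sign-in log review in the list above can surface, so here is an added detection heuristic over exported sign-in records. This is example code written for this page, not a Microsoft feature; the log rows are constructed sample data in the shape of a sign-in export (the `50126` code is Azure AD's "invalid username or password" result), and the thresholds are assumptions to tune for your tenant.

```powershell
# Added example: flag password-spray-like activity in exported Azure AD sign-in records.
# Sample rows are constructed; column names mirror a sign-in log export.
$SampleLog = @'
CreatedDateTime,UserPrincipalName,IpAddress,ErrorCode,ClientAppUsed
2020-03-02T02:10:05Z,alice@contoso.example,203.0.113.7,50126,IMAP4
2020-03-02T02:10:09Z,bob@contoso.example,203.0.113.7,50126,IMAP4
2020-03-02T02:10:14Z,carol@contoso.example,203.0.113.7,50126,IMAP4
2020-03-02T02:10:20Z,dave@contoso.example,203.0.113.7,50126,IMAP4
2020-03-02T02:10:26Z,erin@contoso.example,203.0.113.7,50126,IMAP4
2020-03-02T02:10:31Z,frank@contoso.example,203.0.113.7,0,IMAP4
2020-03-02T08:15:00Z,alice@contoso.example,198.51.100.20,50126,Browser
2020-03-02T08:15:30Z,alice@contoso.example,198.51.100.20,50126,Browser
2020-03-02T08:16:02Z,alice@contoso.example,198.51.100.20,0,Browser
'@

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinDistinctUsers = 5,   # assumption: "many users from one source"
        [int] $WindowMinutes    = 60   # assumption: failures clustered within an hour
    )
    # Only invalid-credential failures count; lockouts and MFA denials are different signals.
    $failed = $Events | Where-Object { $_.ErrorCode -eq '50126' }
    foreach ($group in ($failed | Group-Object IpAddress)) {
        $times = $group.Group | ForEach-Object { [datetime]$_.CreatedDateTime } | Sort-Object
        $span  = ($times[-1] - $times[0]).TotalMinutes
        $users = ($group.Group.UserPrincipalName | Sort-Object -Unique).Count
        if ($users -ge $MinDistinctUsers -and $span -le $WindowMinutes) {
            # A success from the same source after the spray marks an account that needs
            # the full response steps, not just a password change.
            $hit = $Events |
                Where-Object { $_.IpAddress -eq $group.Name -and $_.ErrorCode -eq '0' } |
                Select-Object -ExpandProperty UserPrincipalName -Unique
            [pscustomobject]@{
                SourceIp        = $group.Name
                DistinctUsers   = $users
                Failures        = $group.Count
                SpanMinutes     = [math]::Round($span, 1)
                Protocols       = ($group.Group.ClientAppUsed | Sort-Object -Unique) -join ','
                LaterSuccessFor = $hit -join ','
            }
        }
    }
}

$events = $SampleLog | ConvertFrom-Csv
Find-PasswordSpray -Events $events | Format-Table -AutoSize
```

On the sample data only 203.0.113.7 is reported (five different users failing over IMAP4 within half a minute, then a success for frank), while the repeated failures for alice from 198.51.100.20 are a single user mistyping a password and stay below the threshold. Against real data, feed the function the CSV exported from `Get-MgAuditLogSignIn` or the portal; the IMAP4/POP3 client column is why the list above recommends disabling IMAP.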