My Office 365 account got hacked. Now What ??!!


So, you found out that one or more of your Office 365 accounts have been hacked: you are seeing spam that appears to have been sent by internal users, or getting authentication prompts and password-change notifications that you know you did not trigger.

You need to act fast. 

Time is the enemy ... The world is conspiring ... The damage could be irreversible ... It's a battle of wits.

Drama aside, the action plan should be to 
(1) Assess the damage
(2) Take corrective actions
(3) Clean up 
(4) Update your security setup to prevent future issues.

Here are some steps you should take to get it back in check:

Assess:
  • Check the Sent Items and Deleted Items folders of the hacked mailbox for messages sent to recipients you don't recognise.
  • In many cases the attacker deletes the messages after sending them, so run a message trace to find the full extent of what went out.
  • Check for devices linked to the user's mailbox (ActiveSync / mobile device partnerships). Note any unknown devices; they will need removing.
  • Scan for delegates, inbox rules and forwarding settings added by the attacker (see details below - [1]).
  • Hope that audit logging and Exchange mailbox auditing are enabled on your tenant. If they are, search the audit logs for suspicious user or admin activity (for example, mailbox sign-ins from unknown IP addresses, or inbox rules and forwarding settings created around the time of the compromise).
  • Any other service that uses this mailbox as its recovery or alternate e-mail address may have been compromised as well, since password-reset links for those services landed in the attacker's hands. Make a list of such services.
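
The assessment steps above, collected into one PowerShell script. This is an added example, not code from the original post and not one of the Microsoft scripts referenced in [1]. It assumes the ExchangeOnlineManagement module and an account holding an Exchange admin role; $Upn, $Days and $OutDir are placeholder parameters. It changes nothing in the tenant: every finding is written to a CSV for the incident record, and it goes slightly beyond the bullets by also pulling SendAs permissions and the distinct sign-in IPs.

```powershell
<#
 Added example (not part of the original post): read-only triage of one suspected-compromised mailbox.
 Assumes: ExchangeOnlineManagement module installed, an account holding an Exchange admin role,
 and placeholder parameters $Upn (the mailbox to examine), $Days and $OutDir.
#>
param(
    [Parameter(Mandatory)] [string] $Upn,
    [int]    $Days   = 10,              # Get-MessageTrace only covers the last 10 days
    [string] $OutDir = ".\o365-triage"
)

Connect-ExchangeOnline -ShowBanner:$false
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$start = (Get-Date).AddDays(-$Days)
$end   = Get-Date

# Every finding goes to its own CSV so the evidence survives the clean-up that follows
function Out-Finding($Name, $Data) {
    $path = Join-Path $OutDir "$Name.csv"
    $Data | Export-Csv -Path $path -NoTypeInformation
    Write-Host ("{0,-20} {1,5} record(s) -> {2}" -f $Name, @($Data).Count, $path)
}

# 1. Mailbox-level forwarding and audit state (ForwardingSmtpAddress is the one a user can set themselves)
$mbx = Get-Mailbox -Identity $Upn
Out-Finding 'mailbox-forwarding' ($mbx | Select-Object UserPrincipalName, ForwardingSmtpAddress,
    ForwardingAddress, DeliverToMailboxAndForward, GrantSendOnBehalfTo, AuditEnabled)

# 2. Inbox rules that forward, redirect, delete or file mail (hiding replies is classic BEC persistence)
$rules = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder
} | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder
Out-Finding 'inbox-rules' $rules

# 3. Delegates: FullAccess and SendAs granted to anyone other than the mailbox owner
$full = Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object @{n='Trustee';e={$_.User}}, AccessRights
$sendAs = Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, AccessRights
Out-Finding 'delegates' (@($full) + @($sendAs))

# 4. Devices partnered with the mailbox; compare DeviceId against what the user actually owns
Out-Finding 'devices' (Get-MobileDevice -Mailbox $Upn |
    Select-Object FriendlyName, DeviceType, DeviceModel, DeviceId, FirstSyncTime, WhenChanged)

# 5. What actually left the mailbox, even if Sent Items and Deleted Items were emptied
Out-Finding 'outbound-trace' (Get-MessageTrace -SenderAddress $Upn -StartDate $start -EndDate $end -PageSize 5000 |
    Select-Object Received, RecipientAddress, Subject, Status)

# 6. Unified audit log: sign-ins plus the configuration changes an attacker makes for persistence
$ops = 'UserLoggedIn', 'MailboxLogin', 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules',
       'Set-Mailbox', 'Add-MailboxPermission', 'Add-RecipientPermission'
$audit = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time       = $_.CreationDate
            Operation  = $_.Operations
            ClientIP   = $d.ClientIP
            ClientInfo = $d.ClientInfoString
            Result     = $d.ResultStatus
        }
    }
Out-Finding 'audit-log' $audit

# Distinct source IPs are the quickest pivot: anything not attributable to the user or a known egress is a lead
$audit | Where-Object ClientIP | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Two caveats worth knowing before you trust the output: Get-MessageTrace only reaches back 10 days (use Start-HistoricalSearch for anything older), and Search-UnifiedAuditLog returns nothing for a mailbox whose auditing was off at the time, so an empty audit-log CSV is itself a finding to record.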

Fix: 
  • Ask impacted users to change passwords. Use a strong password; do not reuse the last password or a pattern from the past. A password change alone does not end sessions that already hold tokens, so also revoke the account's existing sign-in sessions.
  • Change all Office 365 admin passwords as well, following the same rules.
  • Check the contact details (alternate e-mail address, phone number) of impacted users and admin accounts and make sure they are not pointing to addresses or numbers you don't recognise; these are what password reset and MFA fall back on.
  • Enable MFA for impacted accounts and admin accounts. If you were already using MFA, remove the app passwords from all connected devices and force the users to register MFA again, so that any method the attacker added is gone. Use conditional access if possible to minimise the productivity impact while keeping the identities secure.
  • Remove any suspicious delegates / forwarding rules found during assessment.
  • Change the passwords of the connected services identified during assessment.
  • Remove forwarding rules, auto-replies and anything else that sends details to outside users.
  • If audit logging / mailbox auditing was not enabled, enable it now.
  • Scan and clean the computers these users use.
  • Run Windows Update to ensure they have all security patches.
  • Remove any ForwardingSmtpAddress set up by users or admins on all mailboxes, not just the ones you know are compromised.
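
The containment half of the Fix list above, as one PowerShell script. This is an added example, not code from the original post and not the RemediateBreachedAccount.ps1 script referenced in [1]. It assumes the ExchangeOnlineManagement module, the Microsoft Graph PowerShell SDK (2.x, for the -NoWelcome switch), an admin account that can reset passwords and modify mailboxes, and the hypothetical parameters $Upn, $UnknownDeviceIds and $SuspiciousDelegates, which you fill in from the assessment output. The order matters: cut the attacker's access first, then clean up the persistence they left behind.

```powershell
<#
 Added example (not part of the original post): containment of one compromised Office 365 account.
 Assumes: ExchangeOnlineManagement and Microsoft.Graph modules, an admin able to reset passwords
 and modify mailboxes, and the hypothetical parameters below (taken from the assessment output).
#>
param(
    [Parameter(Mandatory)] [string] $Upn,
    [string[]] $UnknownDeviceIds    = @(),   # DeviceId values you could not attribute to the user
    [string[]] $SuspiciousDelegates = @()    # trustees to strip of FullAccess / SendAs
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Cut access first: random temporary password that must be changed at next sign-in
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
# Hand the temporary password over out of band (phone, in person), never by e-mail to the hacked mailbox.

# 2. A password reset does not end sessions that already hold tokens: revoke them explicitly
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 3. List the registered MFA / SSPR methods so an attacker-added phone or authenticator can be removed
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{n='Type'; e={$_.AdditionalProperties['@odata.type']}} |
    Format-Table -AutoSize

# 4. Mailbox: drop every forwarding path, silence auto-replies, and make sure auditing is on
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
    -DeliverToMailboxAndForward $false -AuditEnabled $true
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Remove-InboxRule -Confirm:$false
Set-MailboxAutoReplyConfiguration -Identity $Upn -AutoReplyState Disabled

# 5. Delegates and devices flagged during assessment
foreach ($t in $SuspiciousDelegates) {
    Remove-MailboxPermission   -Identity $Upn -User    $t -AccessRights FullAccess -Confirm:$false -ErrorAction SilentlyContinue
    Remove-RecipientPermission -Identity $Upn -Trustee $t -AccessRights SendAs     -Confirm:$false -ErrorAction SilentlyContinue
}
foreach ($id in $UnknownDeviceIds) {
    Get-MobileDevice -Mailbox $Upn | Where-Object DeviceId -eq $id | Remove-MobileDevice -Confirm:$false
}

# 6. Tenant-wide: unified audit log ingestion on, and a sweep for forwarding on every mailbox,
#    because the account you know about is rarely the only one the attacker touched.
#    The sweep only lists; review before removing, since some forwarding is legitimate.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize
```

Run it once per compromised user and once more for every admin account, since those are the ones an attacker uses to come back. Step 3 only lists authentication methods; removing a rogue one and forcing a fresh MFA registration is done in the Entra admin centre (or with the corresponding Remove-MgUserAuthentication* cmdlet for that method type).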

Clean up:
  • Inform the people on your contacts list that your account was compromised. The attacker may have sent unwanted e-mails, for example asking someone for money.
  • If there is a government authority you can report this attack to, do so, so that the attacker's domain gets blacklisted.
  • Identify the registrar of the attacker's domain and file an abuse report with them.
  • Educate users about basic safety procedures (for example, checking the target URL of links received in e-mails).

Secure:
  • Protect your identities - in the modern, always-connected, cloud-served world, identity is your most valued asset. Think about how you want to provision identities (hint: SSO as much as possible) and secure them (hint: see the identity protection features of Azure AD here).
  • Protect your devices and infrastructure - if your endpoints are secured and monitored, bad actors have a smaller attack surface and less time to cause damage. Details.
  • Monitor and control content usage - after all, identities are hacked to get to the content. Keep sensitive content secure with stricter policies, and apply conditional access policies so that content is served only under the right conditions.



[1] - Available Scripts
There are ready-made PowerShell scripts available to help assess and remediate some of the above. Look here

The two key ones are DumpDelegatesandForwardingRules.ps1 and RemediateBreachedAccount.ps1.

All the best !!


