Office 365 Hack
The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
A Basic Timeline of the Exchange Mass-Hack. I’ve been devastated by Microsoft Outlook because I brought a laptop that came with a free year subscription to Office 365. I got a fake alert.
Summary Learn how to recognize and respond to a compromised email account in Microsoft 365.
What is a Compromised Email Account in Microsoft 365?
Access to Microsoft 365 mailboxes, data and other services, is controlled by using credentials, for example a user name and password or PIN. When someone other than the intended user steals those credentials, the stolen credentials are considered to be compromised. With them the attacker can sign in as the original user and perform illicit actions.
Using the stolen credentials, the attacker can access the user's Microsoft 365 mailbox, SharePoint folders, or files in the user's OneDrive. One action commonly seen is the attacker sending emails as the original user to recipients both inside and outside of the organization. When the attacker emails data to external recipients, this is called data exfiltration.
Symptoms of a Compromised Microsoft Email Account
Users might notice and report unusual activity in their Microsoft 365 mailboxes. Here are some common symptoms:
- Microsoft Office 365: Change these settings or risk getting hacked, warns US govt. Don't forget these configurations when moving to Office 365 in the cloud, says Department of Homeland Security's.
- Ultimately, you want to learn ways to maximize functionality to increase efficiency. Well, that's exactly what Office 365 is built to do! Get Started Now With Top Office 365 Productivity Hacks: Hack #1: Share a Document from a Desktop Application. Let’s begin by checking out quick and easy ways to share.
- Security company Malwarebytes suspects a breach of its Office 365 and Azure tenancies is by the same attacker behind the SolarWinds hack, but reckons flaws in Azure Active Directory security are also to blame.
- The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.
- Suspicious activity, such as missing or deleted emails.
- Other users might receive emails from the compromised account without the corresponding email existing in the Sent Items folder of the sender.
- The presence of inbox rules that weren't created by the intended user or the administrator. These rules may automatically forward emails to unknown addresses or move them to the Notes, Junk Email, or RSS Subscriptions folders.
- The user's display name might be changed in the Global Address List.
- The user's mailbox is blocked from sending email.
- The Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web (formerly known as Outlook Web App) contain common hacked-account messages, such as 'I'm stuck in London, send money.'
- Unusual profile changes, such as the name, the telephone number, or the postal code were updated.
- Unusual credential changes, such as multiple password changes are required.
- Mail forwarding was recently added.
- An unusual signature was recently added, such as a fake banking signature or a prescription drug signature.
If a user reports any of the above symptoms, you should perform further investigation. The Microsoft 365 Defender and the Azure portal offer tools to help you investigate the activity of a user account that you suspect may be compromised.
Unified audit logs in the Microsoft 365 Defender portal: Review all the activities for the suspected account by filtering the results for the date range spanning from immediately before the suspicious activity occurred to the current date. Do not filter on the activities during the search.
Admin Audit logs in the EAC: In Exchange Online, you can use the Exchange admin center (EAC) to search for and view entries in the administrator audit log. The administrator audit log records specific actions, based on Exchange Online PowerShell cmdlets, performed by administrators, and users who have been assigned administrative privileges. Entries in the administrator audit log provide you with information about what cmdlet was run, which parameters were used, who ran the cmdlet, and what objects were affected.
Azure AD Sign-in logs and other risk reports in the Azure AD portal: Examine the values in these columns:
- Review IP address
- sign-in locations
- sign-in times
- sign-in success or failure
How to secure and restore email function to a suspected compromised Microsoft 365 account and mailbox
Even after you've regained access to your account, the attacker may have added back-door entries that enable the attacker to resume control of the account.
You must do all the following steps to regain access to your account the sooner the better to make sure that the hijacker doesn't resume control your account. These steps help you remove any back-door entries that the hijacker may have added to your account. After you do these steps, we recommend that you run a virus scan to make sure that your computer isn't compromised.
Step 1 Reset the user's password
Follow the procedures in Reset a business password for someone.
Do not send the new password to the intended user through email as the attacker still has access to the mailbox at this point.
Make sure that the password is strong and that it contains upper and lowercase letters, at least one number, and at least one special character.
Don't reuse any of your last five passwords. Even though the password history requirement lets you reuse a more recent password, you should select something that the attacker can't guess.
If your on-premises identity is federated with Microsoft 365, you must change your password on-premises, and then you must notify your administrator of the compromise.
Be sure to update app passwords. App passwords aren't automatically revoked when a user account password reset. The user should delete existing app passwords and create new ones. For instructions, see Create and delete app passwords from the Additional security verification page.
We highly recommended that you enable Multi-Factor Authentication (MFA) in order to prevent compromise, especially for accounts with administrative privileges. To learn more about MFA, go to Set up multi-factor authentication.
Step 2 Remove suspicious email forwarding addresses
Open the Microsoft 365 admin center at https://admin.microsoft.com.
Go to Users > Active users. Find the user account in question, and select the user (row) without selecting the checkbox.
In the details flyout that appears, select the Mail tab.
If the value in the Email forwarding section is Applied, click Manage email forwarding. In the Manage email forwarding flyout that appears, clear Forward all email sent to this mailbox, and then click Save changes.
Step 3 Disable any suspicious inbox rules
Sign in to the user's mailbox using Outlook on the web.
Click on the gear icon and click Mail.
Click Inbox and sweep rules and review the rules.
Disable or delete suspicious rules.
Step 4 Unblock the user from sending mail
If the suspected compromised mailbox was used illicitly to send spam email, it is likely that the mailbox has been blocked from sending mail.
To unblock a mailbox from sending mail, follow the procedures in Removing a user from the Restricted Users portal after sending spam email.
Step 5 Optional: Block the user account from signing-in
You can block the suspected compromised account from signing-in until you believe it is safe to re-enable access.
Open the Microsoft 365 admin center at https://admin.microsoft.com and go to Users > Active users.
Find and select the user account, click , and then select Edit sign-in status.
On the Block sign-in pane that appears, select Block this user from signing in, and then click Save changes.
Open the Exchange admin center (EAC) at https://admin.exchange.microsoft.com, and go to Recipients > Mailboxes.
Find and select the user. Update windows 7 to windows 10 2020. In the mailbox details flyout that opens, do the following steps:
- In the Email apps section, block all of the available settings by moving the toggle to the right :
- Outlook on the web
- Outlook desktop (MAPI)
- Exchange Web Services
- Mobile (Exchange ActiveSync)
When you're finished, click Save and then click Close.
- In the Email apps section, block all of the available settings by moving the toggle to the right :
Step 6 Optional: Remove the suspected compromised account from all administrative role groups
Administrative role group membership can be restored after the account has been secured.
Open the Microsoft 365 admin center at https://admin.microsoft.com with a global administrator account and do the following steps:
- Go to Users > Active users.
- Find and select the user account, click , and then select Manage roles.
- Remove any administrative roles that are assigned to the account. When you're finished, click Save changes.
Open the Microsoft 365 Defender portal at https://security.microsoft.com and do the following steps:
- Go to Permissions & roles > Email & collaboration roles > Roles.
- On the Permissions page, select each role group in the list and look for the user account in the Members section of the details flyout that appears. If the role group contains the user account, do the following steps:
In the Members section, click Edit.
On the Editing Choose members flyout that appears, click Edit.
On the Choose members flyout that appears, click Remove.
In the flyout that appears, select the user account, and then click Remove.
When you're finished, click Done, Save, and then Close.
Open the EAC at https://admin.exchange.microsoft.com and do the following steps:
- Select Roles > Admin roles.
- On the Admin roles page, manually select each role group, and in the details pane, select the Assigned tab to verify the user accounts. If the role group contains the user account, do the following steps:
Select the user account.
Click the .
When you're finished, click Save.
Step 7 Optional: Additional precautionary steps
Office 365 Hacking
Make sure that you verify your sent items. You may have to inform people on your contacts list that your account was compromised. The attacker may have asked them for money, spoofing, for example, that you were stranded in a different country and needed money, or the attacker may send them a virus to also hijack their computers.
Any other service that used this Exchange account as its alternative email account may have been compromised. First, do these steps for your Microsoft 365 subscription, and then do these steps for your other accounts.
Make sure that your contact information, such as telephone numbers and addresses, is correct.
Secure Microsoft 365 like a cybersecurity pro
Your Microsoft 365 subscription comes with a powerful set of security capabilities that you can use to protect your data and your users. Use the Microsoft 365 security roadmap - Top priorities for the first 30 days, 90 days, and beyond to implement Microsoft recommended best practices for securing your Microsoft 365 tenant.
- Tasks to accomplish in the first 30 days. These have immediate affect and are low-impact to your users.
- Tasks to accomplish in 90 days. These take a bit more time to plan and implement but greatly improve your security posture.
- Beyond 90 days. These enhancements build in your first 90 days work.
- To report spam email directly to Microsoft and your admin Use the Report Message add-in
Sophisticated and coordinated hackers are constantly adapting and using innovative techniques to gain unauthorized access to corporate data. Recently, 48 Office 365 customers experienced exactly this kind of threat where an attacker implemented a new strategy to try to access high-level information.
The brute force login attack was unique in that it was directed against a few key targets across multiple companies instead of casting a wider net against as many users as possible. There were 100,000 failed-login attempts originating from 67 IPs and 12 networks over a period of nearly 7 months.
This “slow and low” strategy was designed to avoid detection by the cloud service provider (in this case, Microsoft).
The other aspect that stood out was that it was a cloud-to-cloud attack where the hackers used the infrastructure of public hosting services to launch the attack on a SaaS service.
Office 365 Hackers
A New Strategy to Avoid Detection
The first step of the hackers’ plan involved acquiring corporate usernames and passwords from multiple companies that may be tied to multiple cloud services (not necessarily Office 365).
The attackers tried different email variations derived from the employee name to try to gain access to potentially sensitive information. For example, someone named Elizabeth Miller (name changed) at Company X faced a number of login attempts into her account that used addresses such as [email protected], [email protected], or [email protected]
In fact, one account fell victim to as many as 17 username variations from 14 IPs in just 4 seconds.
Although the passwords the attackers used could not be viewed in clear text, it can be inferred that they used the same password for each user for every username variation because each email was only used once to attempt the unauthorized login.
The attackers assumed that the users used the same password across multiple accounts, which would allow them to change the username but use the same password. Another assumption was that the accounts lacked basic security provisions, such as multi-factor authentication (MFA).
Detecting the Undetectable
The attackers staggered their login attempts over the course of several months. They focused on one username at a time, and even then it was only targeted for a few seconds. This, along with the use of more than one IP, was intended to avoid triggering any alerts or account lockouts.
Attacking several different customers was yet another tactic to avoid generating a pattern of behavior indicative of a threat. Lastly, the attackers only targeted a handful of high-value Office 365 accounts at each organization, knowing full well that a broader attack would be detected by either the cloud service provider or the organization under attack.
The “slow and low” strategy was carefully crafted and executed, so how was the brute force attack detected?
The first signs of the attack came about when the Cloud Access Security Broker detected multiple failed login attempt anomalies that may be associated with a compromised account. By itself, this didn’t trigger an alert warranting further investigation.
Over time and with additional failed login attempts originating from a set of IP addresses, all targeting a handful of Office 365 accounts across multiple organizations, a pattern emerged and elevated the anomalies to actual threats.
After further investigation and cross-customer analysis, over 100,000 failed logins across a multi-month period were discovered, upgrading the various threats to a full-blown brute force login attack.
What can we learn from this attack?
This attack may have been prevented for the most part had the organizations under attack enabled SSO with MFA. The takeaway point here is that it can be very difficult for organizations to fully protect themselves from sophisticated attacks targeting the cloud without having a robust cloud security infrastructure.
Organizations need to gain awareness of their cloud usage in order to mitigate the risk of a security incident in a meaningful way.
About the Author:Sekhar Sarukkai is a Co-Founder and the Chief Scientist at Skyhigh Networks, driving future innovations and technologies in cloud security. He brings more than 20 years of experience in enterprise networking, security, and cloud service development.
Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.