Here is what happened with 2 of my users. I need some help in diagnosing the exact issue and seeing what else can be done to prevent this from happening again.

At my firm, 2 of the users' email accounts got hacked. Here is what happened.

  1. All his personal contacts were gone. He had a rule set (which he did not set up) where all his emails were getting deleted if they were sent directly to him, along with 2 more similar rules.
  2. Many of his personal/client contacts received a phishing email from him asking them to review a document, but no one from within the firm received the phishing email from him.
  3. I checked his Office 365 settings and his emails were being forwarded to an external gmail address which he does not recognize. How come a gmail address was set in his Office 365 portal?
  4. The 2nd user had a similar issue, but the only difference was that he did not have the automatic forward set up; he had a rule that was set to delete all the emails from one particular internal contact.
  5. The only commonality between these 2 users is that they have the same First Name.

This is what I have done so far and need some help with figuring out what else can be done.

  1. Brought the PCs offline and ran AV and MalwareBytes on both PCs (came back clean).
  2. Removed the rules and deleted the gmail address from automatic forward settings on Office 365.
  3. Ran Vipre AV on both PCs (came back with nothing).
  4. Pushed a password reset for all of my Office 365 users.

5 Spice ups

I think you have pretty much done everything you can. By the sounds of this, their email password was simply hacked or found out. It doesn't mean their machine was infected; someone was just able to simply guess their password. Maybe it was too simple, or they use that password somewhere else and, in one of the 3rd party hacks that has happened everywhere, their information was stolen and someone just simply used that same password. There are a ton of ways they could have gotten in.

The gmail address being set in his 365 portal was probably where the hacker got in and added the forwarding address to start feeding on his emails, etc.

Seems like you covered all the steps. However, moving forward, I would enforce two-factor authentication on all your email accounts; this will prevent them from getting compromised and keep something like this from happening again.

Chris-

I did test the multi-factor authentication using a verification code sent to their mobile, but for some reason it kept sending them a verification code every time the user would log on to the web Outlook (which is fine), but then it also kept popping up with the password window on their Outlook. It would not take the new password; not sure if it was because of the delay between Office 365 and Outlook client authentication or something else.

I will have to test it again on a test user before I can push this to everyone at the firm.

1 Spice up

Sometimes when two-factor authentication is enabled, you have to create an application-specific password for things like Outlook and a mobile email client. Then, every time the account is accessed from the web, the user will use their normal password, and after they log in they will be prompted for the PIN code.

Set up app-specific passwords for things like Outlook and your phone.

As you’ve indicated, phishing attacks can be deployed to get login credentials. We see a lot of these, like the prevalent https://www.spamstopshere.com/blog/fake-dropbox-email-phishing-scam-alert-april-2017 Dropbox scams that I’ve blogged about. In addition to the steps you’ve already taken, you can bolster Office 365’s email security with a 3rd party antispam solution to reduce potential exposure.

SpamStopsHere adds premium protection to Office 365. It blocks 99.5% of spam with zero-HOUR malware protection and almost no false positives. No blacklisting, whitelisting or other custom tuning is required (but it’s available for those who still want it). It also adds critical downtime protection with a Store & Forward that spools inbound mail for up to 5 days when o365 is down and automatically delivers it when your mail service is back up. 24/7 live support is included.

Check out more features and simply calculate pricing right on our website. Get 15% off the first year of service, too (promo code SPICY15OFF):

Feel free to also PM me here. You can also call, chat or email us anytime. We're always here, 24/7/365.

Steve

Steve-

Thank you, I will look at SpamStopsHere.

Haider

1 Spice up

Make sure there are no forwards on the account.

When you set up MFA, initially get an APP code displayed; this is the passcode you use rather than the user's AD password or authentication code.

If you didn't record the APP code, you can create another.
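The original post describes the two persistence mechanisms the attacker left behind (a mailbox forward to an outside Gmail address and inbox rules that silently delete mail), and the last reply says to make sure there are no forwards on the account. The script below is an added example, not code from anyone in this thread or from Microsoft: it audits every user mailbox in an Exchange Online tenant for both mechanisms using the ExchangeOnlineManagement module's `Get-Mailbox`, `Get-InboxRule` and `Get-AcceptedDomain` cmdlets, flags targets outside the tenant's accepted domains, and writes the findings to a CSV. The output path and the assumption that the firm has no legitimate external auto-forwarding (which would justify the commented-out `Set-RemoteDomain` mitigation at the end) are assumptions for this example.

```powershell
# Added example (not from the thread): audit Exchange Online mailboxes for
# mailbox-level forwarding and for inbox rules that delete, forward or redirect mail.
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).

Connect-ExchangeOnline   # interactive admin sign-in; omit if already connected

# Domains that belong to the tenant. Any forwarding target outside this list is external.
$acceptedDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    # Returns $true if the string contains an SMTP address whose domain is not an accepted domain.
    # Handles both "smtp:user@domain" (ForwardingSmtpAddress) and rule recipient strings
    # such as '"Name" [SMTP:user@domain]'.
    param([string]$Text)
    if (-not $Text) { return $false }
    $m = [regex]::Match($Text, '[\w.+-]+@(?<domain>[\w-]+(\.[\w-]+)+)')
    if (-not $m.Success) { return $false }
    return -not ($acceptedDomains -contains $m.Groups['domain'].Value)
}

$findings = @()

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {

    # 1. Mailbox-level forwarding set through the admin portal or Set-Mailbox.
    #    ForwardingSmtpAddress is an arbitrary SMTP address; ForwardingAddress is a
    #    tenant recipient (it can still point at a mail contact with an external address).
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Type     = 'MailboxForwarding'
            Detail   = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
            External = Test-ExternalAddress $mbx.ForwardingSmtpAddress
            KeepCopy = $mbx.DeliverToMailboxAndForward   # $false means the victim never sees the mail
        }
    }

    # 2. Inbox rules. The rules in the OP's case deleted mail; rules can also forward or redirect.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue) {
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                     Where-Object { $_ })
        if ($rule.DeleteMessage -or $targets.Count -gt 0) {
            $findings += [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Type     = 'InboxRule'
                Detail   = "$($rule.Name) [Enabled=$($rule.Enabled)]: " + ($rule.Description -replace '\s+', ' ')
                External = ($targets | ForEach-Object { Test-ExternalAddress "$_" }) -contains $true
                KeepCopy = -not $rule.DeleteMessage
            }
        }
    }
}

# External targets first, then anything that discards mail.
$findings | Sort-Object External, KeepCopy -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path .\mailbox-forwarding-audit.csv -NoTypeInformation   # assumed output path

# Optional tenant-wide mitigation (assumption: no business need for external auto-forwarding).
# This stops client-created rules and mailbox forwards from sending mail outside the tenant.
# Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once after a compromise to find every affected mailbox (not just the users who reported problems) and again on a schedule, since a forward or delete rule that reappears after the password reset means the attacker still has a way in, such as an unrevoked session or a second compromised account.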