Hello,

We’re a law firm and subscribe to Office 365. Today we found out that a client of ours was sent an email from my email address (spoofed?) that asked the client to send a wire transfer payment to an unknown bank account. What’s strange is that I can see my original message in my sent items, and that message doesn’t contain the wire transfer request. I had the client send a copy of that email back to me and it’s almost the identical email that I sent him but it was changed slightly and had the wire transfer request information added into my original email. The version of that email that the client received isn’t in my sent items. I started doing some digging and found that a rule had been created that would move messages from that client (and some others) into the ‘rss feeds’ folder.

I need to lock things down immediately and don’t really know where to begin. I started by changing the user passwords and enabling MFA. We haven’t been running any antivirus/security software other than MS Defender. Which security suite would you recommend, and what other first steps should I take to shut this down?

28 Spice ups

Honestly, this is becoming a more common “attack” and typically just changing the password on the affected account resolves the issue. Sounds like you did a lot more as well, so you should be good to go.

Beyond everything you’ve done, I’d request that everybody else on your 365 tenant account reset their passwords too. I’d also maybe look into something like Mimecast for filtering out some of the crap and/or end-user training like KnowBe4.

You did pretty well responding, though. Good job.

10 Spice ups

I would also recommend changing passwords for other online accounts on the computer and on bank accounts too. You have no idea what other accounts have been compromised on the computer.

I would also think about a disclaimer to your emails that you never request “change of bank details” via email request, or require direct confirmation for any “change of bank details”. Then I would think about a re-education process for staff and businesses you deal with on what to look out for and what to double check directly before agreeing to. The aim is to have a closed loop that staff must follow.

3 Spice ups

Step up user training. These things are almost always a result of a user falling for a phishing scam and freely giving away their credentials.

MFA is going to stop this crap as far as O365 services go but you need to consider what other online services/banks/vendors/whatever your users may use the same credentials on as they probably will give 'em up again.

4 Spice ups

Great, thanks everyone. Quick question about MFA, since when the user signs in it asks them what phone number they want to receive the MFA security code on, what’s to stop a hacker from using their own phone number? Is there a way that as the admin I can set their security contact method instead of them being prompted for it?

Also, what’s the best security suite add-on that you would recommend, just to be sure?

A very valid question; however, you use an authenticator, such as Google Authenticator, which has the ability to register Microsoft’s 60-second codes, along with other MFA providers (such as Google, Facebook, et al), which lets you scan in the QR code provided by that service. You do NOT want to be the admin who has control of that, because if things go bad, you’re the one on the hook. Take a look at the link I provided as it has a video associated with it and is supported on Android and iOS. I use it a lot, as I have several services linked to mine (so I don’t have to have several authenticator apps).

Best add-on? I’d worry about education first - your first “add-on” is your user-base. It doesn’t matter how good the suite is, the users can circumvent that by clicking on something they shouldn’t. Huge +1 for @KnowBe4

Oh, good luck and welcome to Spiceworks :)

@stu-knowbe4 @erich-knowbe4

4 Spice ups

MFA all day, every day.

Simple usernames and passwords are just not secure in today’s digital environments. User training helps tremendously, but you are still going to have a segment of user population that no matter how much training they have, will still be very susceptible to phishing attacks.

MFA, with its added layer of protection, stops 99% of these types of attacks.

Any organizations I work with, no matter what system they are using for email, I always highly suggest implementing MFA.

1 Spice up

I use Microsoft Authenticator app on users’ phones for the MFA prompt.

“…what’s to stop a hacker from using their own phone number?” I haven’t looked, but my guess would be that the number has to be in the Office 365 account already.

Gregg

@spiceuser-bfckz

2 Spice ups

A lot of the time if someone’s got into your account they will make an OWA inbox rule to delete all incoming mail. I’d start by looking for and removing that and any forwarders they could have set up. Then get a password reset done and have your admin start a sign-out-everywhere request for your account. From there you just need a good password, and setting up MFA is a massive bonus.
I work for a CSP and we see attacks like these not far from daily now.
Thanks.

3 Spice ups
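One way to run the rule-and-forwarder sweep this post describes across the whole tenant, as an added example rather than anything posted in the thread: it uses the ExchangeOnlineManagement module’s Get-EXOMailbox and Get-InboxRule cmdlets, assumes the caller holds an Exchange Online admin role, and only reports. The list of “parking” folders and the near-empty-name heuristic are my assumptions about what looks suspicious, seeded by the ‘RSS Feeds’ case above.

```powershell
# Added example: sweep every user mailbox for the inbox rules and forwarders
# described in the post. Read-only; review the output before removing anything.
# Assumes the ExchangeOnlineManagement module and an Exchange Online admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Folders attackers tend to park hidden mail in (assumption; the thread's case used RSS Feeds).
$parkingFolders = 'RSS Feeds|RSS Subscriptions|Archive|Junk|Deleted Items|Conversation History|Notes'
$findings = @()

$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # Mailbox-level forwarding survives a password reset and is not visible as an inbox rule.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $upn; Rule = '(mailbox forwarding)'; Enabled = $true
            Why     = "forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
        }
    }

    # -IncludeHidden also returns rules created through MAPI that OWA does not display.
    foreach ($rule in Get-InboxRule -Mailbox $upn -IncludeHidden) {
        $why = @()
        if ($rule.DeleteMessage) { $why += 'deletes messages' }
        if ("$($rule.MoveToFolder)" -match $parkingFolders) { $why += "moves to '$($rule.MoveToFolder)'" }
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) { $why += 'forwards or redirects mail' }
        if ($rule.MarkAsRead -and $rule.MoveToFolder) { $why += 'marks as read before moving' }
        if ($rule.Name.Trim().Length -le 2) { $why += 'near-empty rule name' }

        if ($why) {
            $findings += [pscustomobject]@{
                Mailbox = $upn; Rule = $rule.Name; Enabled = $rule.Enabled
                Why     = ($why -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Remove a confirmed malicious rule only after the account itself is secured, e.g.:
#   Remove-InboxRule -Mailbox user@example.com -Identity 'Rule name' -Confirm:$false
#   Set-Mailbox -Identity user@example.com -ForwardingSmtpAddress $null -ForwardingAddress $null
```

Run it again after the password resets: a rule re-created from a still-valid session or a second compromised account is how the poster’s situation persists after the obvious fix.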

I would also add that you should “assume” that the attacker now has every email that was in the mailbox(es).

Considering that, every email should be reviewed for:

  • PII
  • Client Information
  • SSNs
  • Passwords
  • Other sensitive info

It is always surprising to see how many “goodies” we can find in mailboxes. The attacker would love this information.

If any of it is found then the safest option is to reset accounts using passwords that were found, set up SSN/credit monitoring, notify clients, etc.

7 Spice ups

Before you start shelling out dollars for a 3rd party solution, it’s worth checking out the stuff you’re already paying for with your 365 subscription. In years past, it was sub-par and basically required you to have a 3rd party filtering service but nowadays you absolutely can get by with it. It’ll just take a bit of configuration on your part:

Give those a shot as a starting point and start tweaking your 365 policies. Stuff like Mimecast is pricey, so you might as well try what you have first!

Also, I would definitely 100% recommend @KnowBe4 for user training and phishing tests. Between KnowBe4 and security policies, you should be squared away.

3 Spice ups

I started doing some digging and found that a rule had been created that would move messages from that client (and some others) into the ‘rss feeds’ folder.

Don’t forget to contact all those customers by phone and inform them of what happened.

The scumbags that hit you might have sent their phishing emails to your customers as well.

1 Spice up

Sorry to hear this happened to you, being compromised is never fun. BEC (business email compromise) is a very targeted and common type of phishing attack and honestly even with well trained employees it’s going to be hard to avoid 100%, there’s no silver bullet. Education is a good place to start. You can check out this free email phishing education tool for your staff: https://phishinsight.trendmicro.com/en/

As far as security suites, I strongly urge you to look into something more than just the Microsoft security. Microsoft is a great company as we all know, however they are not a security company. It’s going to be base level and one of the first “protected” systems that hackers will learn to evade because so many people use O365. I suggest looking for a solution that protects your environment on

  • Inbound
  • Outbound
  • Internal (lateral movement)

if you really want to nip this problem in the bud.

This is a Trend Micro landing page that can give you a good idea of solutions and best practices so you can start your hunt for what fits your environment best and have something to compare to other solutions: Trend Vision One Email Security & Collaboration | Trend Micro

1 Spice up

Thanks for the shoutout @dimforest! OP, please feel free to DM me if you have any questions or would like to know more about KnowBe4!

3 Spice ups

Can you explain more about how the modified message the client received isn’t the one in your sent items folder? Do they have the same time stamp exactly? I’m asking how you know they’re the same message if they’re apparently different.

It sounds like someone gained access to your email (and therefore to your O365 account). Are you an O365 admin for your company? If so, you may have many other issues right now because whoever got in was able to manipulate other settings for any user or for your entire O365 account. If so, you’ll need to review carefully all users and contacts, who has Microsoft Partner access, and possibly more.

There are a few other things you can do besides changing passwords and MFA. You can lock down O365 so only parties coming from a whitelist of IPs can login. This can be a major inconvenience in terms of your own staff’s access, but obviously would limit to the extreme who can mess with your stuff. You can always turn it off again, but at least you can prevent further messing about (by outsiders, at least) until you can be comfortable you’ve checked everything out.

I’d also look into Microsoft’s Advanced Threat Protection. ATP not only prevents bad stuff from coming in via email, but watches file uploads to Teams, SharePoint, and OneDrive for malware. If you don’t have that, staff who login from home or away from the office can upload malware-infected stuff. This may be another vector right now if you have a compromised account for injection of additional malware onto trusted document libraries.

1 Spice up

Your email account was definitely hacked. Finding the rule that moves emails to RSS Feeds or deletes them is definitely a sign of a compromised account.

CyberSecHakr is correct, you must assume that the hackers have every email in your mailbox, along with contacts and other information. Check your mailbox for logon credentials to other systems (one person I know kept their LinkedIn and other account info in Contacts, so their LinkedIn account was hacked as well).

As others have said: change passwords, MFA, security awareness training.
Expect an increase in spearphishing attacks going forward. They will use the emails from your mailbox to target you, others in your company, and customers/vendors based on emails found in your mailbox. This is where the security awareness training comes into play.

2 Spice ups

I was referred a client who had something similar happen to him, and it sounds like you’re on the right track. One thing you didn’t mention is to check to see which devices are signed into your account. In the case of my client, we could see where the attacker (who still had a computer or device registered to his account) was connecting from, and report it as suspicious to cut off the access.

I believe the page to do that can be found under My Account > Security > Sign-in activity. From there you should be able to flag which devices are legitimate and which are suspicious.

The Microsoft Authenticator (iOS or Android) is a pretty good 2FA app - rather than generating a time-based one-time password it actually sends a push notification to your device where you either approve or deny it. I’d recommend that for your login verification.

I think you’ve already gotten some great advice on how to shut this attack down, so I don’t have much to add there that hasn’t already been mentioned. As for what security tools I’d recommend, I used to use Avanan for O365 security at my old job and we loved it! Once we got our filters dialed in, we rarely saw anything get through.

I’d also like to echo the points above about investing in security awareness training! It’s going to take a lot of stress off of your security tools, and it’s a huge part in the prevention of incidents like these. If you’re looking for additional options to what’s been posted above, Infosec IQ also helps you train and prepare your organization for email-based attacks. Feel free to give it a look if you’re interested, and let me know if you have any questions!

2 Spice ups

We had an issue with our emails being spoofed quite often. They were spoofing emails to send inter-departmentally. People were considering them safe because they appeared to be coming from the person sitting 20 feet away from you, but they had a malicious attachment or were requesting you to change your password via a link etc. We contacted Office 365 support and they were able to create a mail flow rule so that if an email sent by us is not internally generated, it gets flagged as junk. This has resolved a lot of the spoofing issues for us and may be something to look into. Might not solve your situation but could be good for the future.

2 Spice ups
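The mail flow rule this post describes, written out as an added example (not the rule Office 365 support built for the poster): it runs in Exchange Online PowerShell with an admin role, and ‘example.com’ and the IP range are placeholders for the firm’s own accepted domain and for any third-party service that legitimately sends mail as that domain.

```powershell
# Added example: flag inbound mail that uses our own domain in the From address
# but did not originate inside the tenant (the spoofing pattern in the post).
# Placeholders: replace the domain and the IP range with your own values.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$ownDomain      = 'example.com'         # placeholder: the firm's accepted domain
$trustedSenders = @('203.0.113.0/24')   # placeholder: e.g. a scanner or CRM that sends as us
$ruleName       = 'External mail spoofing our domain'

if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    $rule = @{
        Name                   = $ruleName
        FromScope              = 'NotInOrganization'   # sender is outside the tenant...
        SenderDomainIs         = $ownDomain            # ...yet the From address uses our domain
        ExceptIfSenderIpRanges = $trustedSenders       # known third parties sending on our behalf
        SetSCL                 = 9                     # treat as spam: delivered to Junk Email
        PrependSubject         = '[SUSPECTED SPOOF] '
        Mode                   = 'Audit'               # log matches only; enforce after review
        Comments               = 'Created during BEC response; check message trace before enforcing.'
    }
    New-TransportRule @rule
}

# Once the message trace shows only spoofed mail matching, turn the rule on for real:
#   Set-TransportRule -Identity $ruleName -Mode Enforce
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, SenderDomainIs, ExceptIfSenderIpRanges, SetSCL
```

Starting in Audit mode matters because payroll, scanning and CRM services that send as your domain will match the same condition; the IP exception is how those get carved out before the rule is enforced.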

If the spoofed email is convincing enough, most users will click on the link contained therein.

As others have stated, use all the tools available in O365 - spam filtering, mailflow rules - along with regular end-user training and ceaseless vigilance.