O365 email compromised

Soldato, joined 6 Jan 2006, 3,407 posts, Newcastle upon Tyne
One of our users has had their email compromised last week! They are reasonably tech-savvy, but they've clearly clicked on something that they shouldn't have, and a load of emails were sent out via their email account (you could see them in the sent items). I followed the instructions on the MS site (link) for responding to a compromised email account and thought that was the end of it! Yesterday, however, emails were received by people external to our organisation replying to emails that this user had received, but sent from random email addresses with the user's name, e.g. John Smith <[email protected]> and not [email protected].

Is the account still compromised, or, because they had access originally, does that mean they would have downloaded the inbox contents and can now reply to those emails from a different email account?

I've checked that no delegate access or send-as permissions have been granted, but is there anything else I can check?

Is it worth scanning the PC with something such as Malwarebytes?

Thanks, Mark
 
First thing to do is change the password and force sign-out from all devices. Set up MFA for the user and get that enabled.

This sounds like the traditional phishing email: they've given their details and the malicious party has access to the account. You need to log into the mailbox and check whether forwarding is on and what rules have been set up, as they usually put a redirect to a subfolder somewhere that they can reply out of.
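The triage steps in the reply above (revoke sessions, look for mailbox forwarding, inbox rules and delegated permissions) as a single Exchange Online / Microsoft Graph PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that you run it as an admin, and that `$Upn` is the only input.

```powershell
# Added example: triage a suspected-compromised Exchange Online mailbox.
# Assumptions: ExchangeOnlineManagement + Microsoft.Graph modules installed,
# run from an admin session, $Upn is the affected user's address.
param([Parameter(Mandatory)][string]$Upn)

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# 1. Revoke every refresh token / session so the password change actually bites.
#    (Changing the password alone leaves existing tokens valid until they expire.)
$user = Get-MgUser -UserId $Upn
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Host "Sessions revoked for $Upn"

# 2. Mailbox-level forwarding (set by an admin or via OWA "Forwarding").
$mbx = Get-Mailbox -Identity $Upn
$mbx | Select-Object ForwardingAddress, ForwardingSmtpAddress,
                     DeliverToMailboxAndForward, GrantSendOnBehalfTo | Format-List
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Write-Warning 'Mailbox forwarding is set; clearing it.'
    Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null `
                -DeliverToMailboxAndForward $false
}

# 3. Inbox rules. Attackers typically add a rule that moves replies to an obscure
#    folder (RSS Feeds, Archive), marks them read, deletes them, or forwards/redirects
#    them to an address they control. List every rule that does any of those.
$suspect = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MoveToFolder -or $_.MarkAsRead
}
$suspect | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
                         MoveToFolder, DeleteMessage, MarkAsRead, Description | Format-List

# 4. Disable (do not delete yet; keep as evidence) any rule whose forward/redirect
#    target is outside our accepted domains.
$acceptedDomains = (Get-AcceptedDomain).DomainName
foreach ($rule in $suspect) {
    $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
    $external = foreach ($t in $targets) {
        if (-not $t) { continue }
        # Targets render as "Display Name [SMTP:user@domain]"; pull out the domain part.
        $domain = [regex]::Match([string]$t, '@([\w.-]+)').Groups[1].Value
        if ($domain -and ($acceptedDomains -notcontains $domain)) { $t }
    }
    if ($external) {
        Write-Warning "Disabling rule '$($rule.Name)' (external target: $($external -join ', '))"
        Disable-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false
    }
}

# 5. Delegation: anything other than the mailbox owner with Send-As or Full Access.
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, AccessRights
Get-MailboxPermission -Identity $Upn |
    Where-Object { $_.User -notlike 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
    Select-Object User, AccessRights
```

MFA is deliberately not scripted here: enforce it through a Conditional Access policy or security defaults in the Entra admin centre rather than per-user, so the next phished user is covered too. Keep the output of steps 3 and 5 with the incident record before you remove anything.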
 
There's a good chance whoever compromised the mailbox is simply "spoofing" the FROM field of the emails being sent and working through the contact list they have nabbed.
Looking at the message source of one of the sent emails will let you know if that is the case. Likewise, looking at the message trace or sign-in logs (Azure AD) will determine whether a third party is still accessing the mailbox and whether these emails are being sent through your MS365 tenant.

Are you able to offer the user a new mailbox and address?
If you are, then do that, attach their old address as an alias to catch "old" emails, make recipients aware of the change of address and remove the alias once you're satisfied recipients aren't replying to the "old" address.

Otherwise make sure SPF and DKIM records are correct and working, as that can help mail servers flag emails as suspicious or spam, but you really want to start moving towards implementing 2FA/MFA for MS365 access and making your users aware of phishing attacks (it sounds like the user was phished for credentials).

Obviously assume all data attached to the MS365 account was compromised, so if there's anything sensitive then you'll need to deal with that accordingly.
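The three checks the reply above describes (message trace, sign-in logs, and reading the message source to tell a From: spoof from mail that really left the tenant), plus a look at the domain's SPF/DKIM/DMARC records, as one PowerShell script. This is an added example, not code from the thread; it assumes Exchange Online and Graph sessions are already connected, that `contoso.com` stands in for your domain, and that `$RawHeaders` is a constructed sample of a received message's headers, not a real one from this incident.

```powershell
# Added example: is the attacker still sending through our tenant, or just
# impersonating the user's display name from somewhere else?
# Assumptions: Connect-ExchangeOnline and Connect-MgGraph -Scopes 'AuditLog.Read.All'
# already run; contoso.com is a placeholder for your accepted domain.
$Upn    = 'john.smith@contoso.com'
$Domain = 'contoso.com'

# --- Check 1: message trace (last 10 days). Any hits here really left our tenant. ---
$trace = Get-MessageTrace -SenderAddress $Upn -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date)
"Messages sent from $Upn via the tenant: $($trace.Count)"
$trace | Sort-Object Received -Descending |
    Select-Object -First 20 Received, RecipientAddress, Subject, Status | Format-Table

# --- Check 2: recent sign-ins; unfamiliar IPs/countries mean the account is still in use. ---
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress, @{n='Country';e={$_.Location.CountryOrRegion}},
                  AppDisplayName, @{n='Result';e={$_.Status.ErrorCode}} | Format-Table

# --- Check 3: read the headers of a copy a recipient forwarded back to you. ---
# Constructed sample, modelled on the thread's description: the attacker's own
# domain, our user's display name, SPF passing for the attacker's domain.
$RawHeaders = @"
Return-Path: <bounce@mail.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.10]) by mx.partner.example
From: John Smith <jsmith.contoso@example.net>
Reply-To: John Smith <jsmith.contoso@example.net>
To: supplier@partner.example
Subject: RE: Invoice 4471
Authentication-Results: mx.partner.example; spf=pass smtp.mailfrom=mail.example.net;
 dkim=none; dmarc=none header.from=example.net
"@

function Get-HeaderValue([string]$Headers, [string]$Name) {
    # Long headers are folded onto continuation lines starting with whitespace; unfold first.
    $unfolded = $Headers -replace "`r?`n[ \t]+", ' '
    $m = [regex]::Match($unfolded, "(?im)^$([regex]::Escape($Name)):[ \t]*(.+)$")
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
}

$from       = Get-HeaderValue $RawHeaders 'From'
$fromAddr   = [regex]::Match($from, '<?([^\s<>]+@[^\s<>]+)>?').Groups[1].Value
$fromDomain = $fromAddr.Split('@')[-1]
$replyTo    = Get-HeaderValue $RawHeaders 'Reply-To'
$auth       = Get-HeaderValue $RawHeaders 'Authentication-Results'

if ($fromDomain -ieq $Domain) {
    "From: uses our domain. Authentication-Results: $auth"
    "  spf/dkim pass for $Domain  => sent through our tenant or an authorised sender: mailbox still compromised."
    "  spf fail / dkim none       => header spoof of our domain: a DMARC reject policy makes receivers drop it."
} else {
    "From: is '$from' ($fromDomain, not $Domain): display-name impersonation from a third-party mailbox."
    "  Our SPF/DKIM/DMARC cannot stop this; warn the recipients and report/block $fromDomain."
}
if ($replyTo -and $replyTo -ne $from) { "Reply-To differs from From: $replyTo" }

# --- Check 4: our own published policy (what stops the spoof-our-domain case). ---
foreach ($q in @(@{ Label='SPF';   Name=$Domain;                         Type='TXT'   },
                 @{ Label='DMARC'; Name="_dmarc.$Domain";                Type='TXT'   },
                 @{ Label='DKIM';  Name="selector1._domainkey.$Domain";  Type='CNAME' })) {
    $recs = Resolve-DnsName -Name $q.Name -Type $q.Type -ErrorAction SilentlyContinue
    if (-not $recs) { "$($q.Label): no record found for $($q.Name)"; continue }
    foreach ($r in $recs) {
        $value = if ($q.Type -eq 'TXT') { $r.Strings -join '' } else { $r.NameHost }
        "$($q.Label): $value"
    }
}
```

With the constructed sample the script lands in the second branch: the From: address is on the attacker's domain and SPF passes for that domain, which is exactly the case the thread describes and the case that SPF/DKIM on your own domain cannot prevent. A DMARC `p=reject` record is still worth publishing, because it shuts down the other variant where the attacker forges `@contoso.com` itself.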
 
It's also possible the compromised account has now been successfully added to a PowerBI API webhook to basically now send emails as and when it likes completely devoid of its association with the original email. Nice loophole from MS, not so great for you.
 