Background

We have a client to whom we provide a base-level service: we are responsible for ensuring their desktops are operational and that their employees can log in to their email, with all other services provided by another agency.

What Happened

Recently we received a call from one of their employees reporting that their email had stopped working.  Initial investigation showed that Microsoft had blocked the account because it had exceeded the threshold for automatically forwarded emails.

This piqued the interest of our security analyst, who investigated further and discovered that emails had been forwarded from the O365 account to a Gmail address since 15 July.

When we raised it with the client, the address was unknown to them.  Our analyst disabled the rule in the mailbox and then reviewed the emails that had arrived around the date the rule was created, looking for anything suspicious.

This is when our analyst discovered this little gem:

As you can see, the email preys on user complacency: it tells the recipient they can avoid a mandatory password change by clicking the link and logging in.  Forced periodic password changes are exactly the kind of routine that such a lure exploits, which is one of the reasons NIST and the ACSC now recommend against routine password expiry for passwords that are already strong and unique.  Read our article on password security for more information.

Clean Up!

Once the information had been gathered, we began the sanitisation and remediation process:

  1. Passwords were reset. Ensuring the actor cannot get back in is one of the most important steps; note that a reset alone does not end sessions that already hold a valid token, so the user's existing sign-in sessions should be revoked at the same time;
  2. The account's "recovery" email address and phone number were checked to make sure the actor had not pointed them at their own, which would let them reset the password straight back;
  3. Microsoft Multifactor Authentication (MFA) was implemented, so that if this situation recurs our client has a second line of defence;
  4. A rule was created in Exchange Online (Office 365) to prevent auto-forwarded emails from leaving the organisation's tenancy; and
  5. Corporate email filtering was implemented instead of relying on Microsoft's as the sole solution.
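The investigation above (finding the forwarding rule) and clean-up steps 1, 2 and 4 can be scripted against Exchange Online. The following is an added example written for this post, not the script our team ran: it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that you connect as a tenant administrator; the domain, mailbox address and transport-rule name are placeholders. Steps 3 (MFA enrolment) and 5 (third-party filtering) are configured elsewhere and are not covered here.

```powershell
# Added example (not from the original post). Hunts for external auto-forwarding
# across the tenant, removes it from the compromised mailbox, revokes that
# user's sessions, blocks auto-forwarding tenant-wide, and pulls the audit trail.
$InternalDomain      = 'example.com'          # assumption: your accepted domain
$CompromisedMailbox  = 'user@example.com'     # assumption: the affected account
$ForwardBlockRule    = 'Block external auto-forward'

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All'  # needed for Revoke-MgUserSignInSession

# --- Investigation: every inbox rule that forwards or redirects outside the tenant.
$suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = $targets | Where-Object {
            $_ -and $_ -notmatch "@$([regex]::Escape($InternalDomain))"
        }
        if ($external) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $rule.Name
                Targets  = ($external -join '; ')
                Deletes  = $rule.DeleteMessage   # attackers often delete the original to hide the forward
                Identity = $rule.Identity
            }
        }
    }
}
$suspicious | Format-Table -AutoSize

# Mailbox-level forwarding is a second place the actor can set this, separate from inbox rules.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# --- Step 4 (per mailbox): remove the rogue rule(s) and any mailbox-level forwarding.
$suspicious | Where-Object Mailbox -eq $CompromisedMailbox | ForEach-Object {
    Remove-InboxRule -Identity $_.Identity -Confirm:$false
}
Set-Mailbox -Identity $CompromisedMailbox `
    -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# --- Step 1 companion: a password reset does not end sessions that already hold a token.
Revoke-MgUserSignInSession -UserId $CompromisedMailbox

# --- Step 4 (tenant-wide): two controls. The outbound spam policy silently drops
# auto-forwards; the transport rule additionally returns a visible reject to the sender.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
New-TransportRule -Name $ForwardBlockRule `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.'

# --- Bound the compromise window: when was the rule created, and from where?
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -UserIds $CompromisedMailbox `
    -Operations 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox' |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json   # ClientIP lives inside the JSON payload
        [pscustomobject]@{ When = $_.CreationDate; Operation = $_.Operations; ClientIP = $d.ClientIP }
    } | Sort-Object When
```

The audit search is worth running before removing anything: the first `New-InboxRule` event and its client IP give the earliest date the actor had access, which is what should drive how far back you review the mailbox for the phishing email and any data the actor may have read.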