Office 365 Compromised Email

03/05/2019; Lately we have been attending to a lot of clients who have had their Office 365 email compromised. This is the type of compromise where one of your good customers is sent an email from YOU asking for money (often for a legitimate bill). The email asks that the funds be deposited into a bank account that is different to normal. Often this bank account is in another country. Usually this has been the trigger for the customer to phone you and ask what the heck is going on. This is probably the first you know of your email compromise.

Access to your Office 365 email is controlled by a username and password. There are a variety of ways in which cyber criminals steal your user credentials (more on that below). Once the cyber criminal has your credentials, he (yes, 99% are male) can log in to your email, SharePoint, OneDrive etc. and perform these malicious attacks on your company and its reputation.

What to do?

  • Phone your IT Company or your Office 365 Administrator. It is likely that they will need to attend to all the below, and that it will need to be done from the management console of your 365 tenant.
  • Reset your password. Don't send it by email because right now your attacker still has control of your email box.
  • Search for and remove any forwards that have been falsely set up. For example, the last one we saw was to a Gmail account in Panama.
  • Turn on 2FA (Two Factor Authentication) for the whole site.
  • Implement the 2FA application password on all devices that get email. This can get a little complicated. That is why we suggest your IT company or Office 365 Administrator do these tasks.
  • If the email account was being used to spam then it's highly likely that it has been blocked from sending email. You will need to re-enable it.
  • Check your sent items for malicious emails that were sent from your account and inform those recipients not to act on your emails. If they already have reacted then they will need to urgently phone their bank.
  • Ask your IT provider (hopefully that's us) to enrol your email domain with the superb Sophos Email Security system. This integrates perfectly with the Office 365 email system and adds a comprehensive and independent layer of protection over and above that already provided by Microsoft Office 365.
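
The forwarding check from the list above, as an added PowerShell example (not from the original article or from Microsoft): it flags mailbox-level forwarding and inbox rules that send mail outside your own domains. The domain contoso.example, the sample objects and the two function names are assumptions made for illustration.

```powershell
# Added example. contoso.example is a placeholder for your tenant's accepted domains.
$InternalDomains = @('contoso.example')

function Test-ExternalAddress {
    param([string]$Address, [string[]]$Internal)
    # Exchange shows targets as 'smtp:user@domain' or '"Name" [SMTP:user@domain]'.
    if ($Address -match '([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)') {
        return $Internal -notcontains $Matches[2]
    }
    return $false   # no SMTP address present, e.g. an internal directory recipient
}

function Find-ExternalForward {
    param([object[]]$Mailboxes, [object[]]$InboxRules, [string[]]$Internal)
    foreach ($mbx in $Mailboxes) {
        if ($mbx.ForwardingSmtpAddress -and
            (Test-ExternalAddress $mbx.ForwardingSmtpAddress $Internal)) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName
                               Source  = 'Mailbox forwarding'
                               Target  = $mbx.ForwardingSmtpAddress }
        }
    }
    foreach ($rule in $InboxRules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets | Where-Object { $_ -and (Test-ExternalAddress $_ $Internal) }) {
            [pscustomobject]@{ Mailbox = $rule.Mailbox
                               Source  = "Inbox rule '$($rule.Name)'"
                               Target  = $t }
        }
    }
}

# Constructed sample data, shaped like Get-Mailbox / Get-InboxRule output.
$mailboxes = @(
    [pscustomobject]@{ UserPrincipalName = 'accounts@contoso.example'; ForwardingSmtpAddress = 'smtp:drop@mail.example.net' }
    [pscustomobject]@{ UserPrincipalName = 'sales@contoso.example';    ForwardingSmtpAddress = $null }
)
$rules = @(
    [pscustomobject]@{ Mailbox = 'accounts@contoso.example'; Name = '.'
                       ForwardTo = @('"drop" [SMTP:drop@mail.example.net]') }
    [pscustomobject]@{ Mailbox = 'sales@contoso.example'; Name = 'Copy to manager'
                       RedirectTo = @('"Manager" [SMTP:manager@contoso.example]') }
)
Find-ExternalForward $mailboxes $rules $InternalDomains | Format-Table -AutoSize

# Live tenant (ExchangeOnlineManagement module): after Connect-ExchangeOnline, fill
# $mailboxes from Get-Mailbox -ResultSize Unlimited and $rules from Get-InboxRule -Mailbox <upn>
# (add a Mailbox property per rule). Clear a confirmed bad forward with
# Set-Mailbox <upn> -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false.
```

On the constructed data this reports two findings, both for accounts@contoso.example: the mailbox-level forward and the inbox rule named '.'.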

How did the Cyber Criminal get my credentials?

  • Weak password control. Treat your passwords like your underpants. Change them often. Don't leave them lying around. Don't share them with other people.
  • Your password was guessed.
  • A cyber criminal gained remote access to your computer.
  • We live in an age where cyber security breaches get revealed on an almost daily basis. Following a data breach, usernames and some passwords are often uploaded to a list accessible to hackers. A list of email addresses that have been compromised in various data breaches is available on the "Have I Been Pwned" website.
  • Currently (May 2019) the site lists some 7,858,185,878 pwned accounts. That's a lot! You need to check and see if any of your emails are listed.

Where to from here?

Just having antivirus on your computer doesn't cut it anymore. Talk to your IT provider. Tell them that you have concerns regarding your business's reputation in the event of a security breach of your email system.

To quote the old Benjamin Franklin axiom, "an ounce of prevention is worth a pound of cure". It is still very valid when it comes to protecting your business's reputation.

Link: Microsoft's information on how to respond to a compromised email account in Office 365.

© 2023 CT Business Solutions Limited. All Rights Reserved