[Office 365]Compromised Account
1.Check if the compromised mailbox has auto-forwarding configured.
2.Check the risky sign-ins report in portal.azure.com
risky sign-ins report:https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risky-sign-ins.
Sign-ins log: https://docs.microsoft.com/en-gb/azure/active-directory/reports-monitoring/concept-sign-ins
For Possible Root Cause:
However, there’re many scenario that the user’s account could be hacked.
Please make sure that the user did not share their credential accidentally.
There are hundreds of phishing sites which could look exactly the same as our sign-in page.
Any third party malware in your local device could also try to hack your account.
Here are some suggestions for account compromise issues:
For compromised account, we recommend following below article to fix:
Besides of changing users’ password, please consider to kill active user sessions in Office 365 as well. If spammers do have any active session established, changing users’ passwords may not help with this scenario. Cmdlets like Revoke-SPOUserSession and Revoke-AzureADUserAllRefreshToken can force logoff during an active user session.
Disable internal users auto forwarding internal emails to external, as auto forwarding are becoming an increasingly common method being used by bad actors today :
Could use script DumpDelegatesandForwardingRules.ps1 from https://github.com/OfficeDev/O365-InvestigationTooling to understand how many users inside the organization has set auto forwarding to external.
Could use transport rule at EOP to reject auto forwarding to external:
Condition: If the sender is inside the organization.
Condition: If the recipient is outside the organization
Condition: If the message type is Auto-Forward.
Action: Reject the message with the explanation: External Email Forwarding via Client Rules is not permitted.
Refer to below article for more information:
Mitigating Client External Forwarding Rules with Secure Score
Start end user IT training:
Email scan engine like EOP or other gateway server is ongoing process to provide better protection. While spammers also keeps trying new methods to bypass the gateway server check. From EOP side, Microsoft are trying the best to improve the product to make it suitable to use. Good IT training also helps people to reduce the impact.
Add notification for all incoming emails from external.
This could be applied by creating transport rule:
Condition: If the sender is located at Outside the organization.
Action: Apply a message classification: External Email Notification <customize a message classification that inform recipient this is email from external, be attention when open any links/attachment, asking for self-information>
Office 365 currently contains security and compliance audit log report, this requires enable Audit log for end users first, this report could help us understand more about access information of the compromised account:
Search the audit log in the Offie365 security and compliance center:
Azure AD sign report also provide useful information about unexpected logon, monitor the report frequently also help to identify the unexpected logon in time, this may require additional license, I attach the document for your reference:
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-azure-portal
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-sign-ins
Other useful blogs:
How to determine whether your Office 365 account has been compromised
Get back into your Microsoft account if it's been compromised
https://support.microsoft.com/en-sg/help/10494/microsoft-account-get-back-compromised-account
In addition, here are some security best practice for your reference:
Enable Multi-Factor Authentication for the users to provide additional protect on the user account.
MFA requires secondary authentication factor before the user can access the Office 365 resources. Therefore, the account can be protected even if the password is captured by the bad actor.
Use more advanced feature in Azure AD to monitor and protect the user sign in activities. Please note that the advanced feature may require the AAD premium subscriptions.
Conditional Access Policy.
This can control the sign in based on the IP locations. You can configure the policy to deny the access to certain or all of the Office 365 based on your business requirements. For example, a policy can be configured to block the access to Exchange Online and OneDrive for Business if the sign in is from the IP address that is located to the unfamiliar region, such as US, etc.Risky sign in alerts.
This can provide us with some real time alerts on the risky sign in activities so that the administrator can take the action at the first time when the issue happens and reduce the impact.
For more detailed information on the above two features, you can also refer to the following KB articles:
-
What is conditional access in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview.
Best practices for conditional access in Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/best-practices.
Risky sign-ins report in the Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risky-sign-ins.
You can also refer to the other security best practices for Office 365, which are documented in this KB article: https://docs.microsoft.com/en-us/office365/securitycompliance/security-best-practices