Forum Discussion
Spoofing emails from external accounts
Hi,
We get a lot of spoofing emails from external accounts. I know how to limit them but today I was surprised by something new to me. Just few days ago I have created new user and email account. And today this user account get spoofing email from external domain. How it's possible so fast?
I am not master of Exchange but from my point of view one user account or computer has been compromised. Is there any other way that someone get access to such information like our email address?
We run Office 365 Business Premium, and we started implementation of EMS P1.
Unfortunately we don't have Windows 10 enterprise.
Can you suggest how to increase security of our Exchange and mailboxes?
Thank you
4 Replies
Tomasz Szulczewski Were you able to figure this out. Do let me know if you need additional help in identifying the logs !
Cheers
Ankit Shukla
ankit shuklaThank you. Yes, I know how to proceed now.
Tomasz Szulczewski Perfect. Please save the Rapid response in your notes for handling any future similar issues that may arise 🙂 I'm glad i was able to assist.
Cheers !
Ankit Shukla
Tomasz Szulczewski Correct, it looks like a compromised Mailbox being used to download your GAL outside the network.
1. Check suspicious login/audit from Azure AD. look for ip addresses, geographic location time of access, workstation. This should give you idea on what account/s are compromised.
2. Once identified on what account it is - folow remediation path in order.
Reset Password.
Revoke all Azureaduserrefreshtoken (From Azure AD Powershell)
Check for any forwarding activated on a mailbox.
As a security measure ask all users to change passwords (there may be more than 1 who are compromised)
Enable Multi Factor authentication for future.
https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-account
https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/
https://blogs.technet.microsoft.com/cloudyhappypeople/2017/10/05/killing-sessions-to-a-compromised-office-365-account/
All the Best
Ankit Shukla
