Forum Discussion
Tomasz Szulczewski
Jul 31, 2019 | Copper Contributor
Spoofing emails from external accounts
Hi, we get a lot of spoofing emails from external accounts. I know how to limit them, but today I was surprised by something new to me. Just a few days ago I created a new user and email account. An...
ankit shukla
Aug 01, 2019 | Iron Contributor
Tomasz Szulczewski Correct, it looks like a compromised mailbox being used to download your GAL outside the network.
1. Check suspicious logins/audit logs from Azure AD. Look for IP addresses, geographic location, time of access, workstation. This should give you an idea of which account(s) are compromised.
2. Once you have identified which account it is, follow the remediation path in order.
Reset password.
Revoke all Azureaduserrefreshtoken (from Azure AD PowerShell).
Check for any forwarding activated on a mailbox.
As a security measure, ask all users to change passwords (there may be more than one who is compromised).
Enable multi-factor authentication for the future.
All the Best
Ankit Shukla
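The remediation order from the reply above (reset password, revoke refresh tokens, check forwarding) as an added PowerShell example; it is not part of the original posts. It assumes the AzureAD and ExchangeOnlineManagement modules are installed and that Connect-AzureAD and Connect-ExchangeOnline have already been run; the function name and the sample UPN are hypothetical.

```powershell
# Added example, not from the thread. Function name and UPN are hypothetical.
# Assumes Connect-AzureAD and Connect-ExchangeOnline were already run by an admin.
function Invoke-CompromisedAccountContainment {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$UserPrincipalName)

    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # 1. Reset the password to a random temporary value; user must change it at next sign-in.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes) + 'aA1!'   # suffix guarantees complexity classes
    $secure = ConvertTo-SecureString -String $tempPassword -AsPlainText -Force
    $passwordReset = $false
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Reset password')) {
        Set-AzureADUserPassword -ObjectId $user.ObjectId -Password $secure -ForceChangePasswordNextLogin $true
        $passwordReset = $true
    }

    # 2. Revoke refresh tokens so sessions opened with the old password cannot be renewed.
    $tokensRevoked = $false
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke all refresh tokens')) {
        Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
        $tokensRevoked = $true
    }

    # 3. Report forwarding: mailbox-level settings and inbox rules that send mail elsewhere.
    #    Nothing is removed here so the evidence stays available for review.
    $mailbox = Get-Mailbox -Identity $UserPrincipalName
    $forwardingRules = @(Get-InboxRule -Mailbox $UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo })

    [pscustomobject]@{
        User                  = $UserPrincipalName
        PasswordReset         = $passwordReset
        TempPassword          = if ($passwordReset) { $tempPassword } else { $null }  # hand over out of band
        TokensRevoked         = $tokensRevoked
        ForwardingSmtpAddress = $mailbox.ForwardingSmtpAddress
        ForwardingAddress     = $mailbox.ForwardingAddress
        DeliverAndForward     = $mailbox.DeliverToMailboxAndForward
        ForwardingInboxRules  = $forwardingRules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
    }
}

# Dry run first, then for real (constructed UPN):
# Invoke-CompromisedAccountContainment -UserPrincipalName 'user@contoso.example' -WhatIf
# Invoke-CompromisedAccountContainment -UserPrincipalName 'user@contoso.example' -Confirm:$false
```

Any non-empty forwarding field or rule in the output should be reviewed and removed by an administrator once it has been recorded.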