Forum Discussion
Why would a hacker/scammer put a domain INTO my exchange online admin?
You can review the Purview Audit search to look for audit logs (as long as auditing was enabled!).
I'd be logging a ticket with Microsoft to get the domain removed ASAP.
Definitely a bit of a weird one. I'd say this is a form of Business Email Compromise and they are trying to trick vendors/partners into sending money their way, but why they would use your tenant is a bit unusual if they could just set up a new tenant and add the domain there. If they were able to register the domain in your tenant, the malicious actors obviously also have access to the other domain's DNS records as well, so that ain't good!!
I'd be locking down all the GA/privileged accounts ASAP. Best practice is to not give user account GA access and make admins use a separate privileged account to do any admin tasks. This means that if their user account is compromised, at least the bad actor doesn't get admin privileges in the tenant straight away.
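As an added example (not posted by anyone in this thread), this is the PowerShell equivalent of the Purview Audit search suggested above: it pulls the directory audit records for domain additions and role changes so you can see which account added the domain, from which IP, and when. It assumes the ExchangeOnlineManagement module and that the Entra ID activity names listed in `$ops` are the ones in use; widen the search if they return nothing.

```powershell
# Added example, not from the thread. Requires:
#   Install-Module ExchangeOnlineManagement
# and an account with permission to search the unified audit log
# (auditing must have been enabled for the period searched).
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-90)   # unified audit log retention is finite; search early
$end   = Get-Date

# Assumed Entra ID directory-management activity names. "Add member to role"
# is included so that any admin-role grant to the attacker shows up too.
$ops = @(
    'Add unverified domain',
    'Add verified domain',
    'Verify domain',
    'Delete domain',
    'Add member to role'
)

$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType AzureActiveDirectory -Operations $ops -ResultSize 5000

$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json      # AuditData is a JSON string
    [pscustomobject]@{
        When      = $_.CreationDate
        Operation = $_.Operations
        Actor     = $d.UserId
        ActorIP   = $d.ActorIpAddress
        # Target holds the object acted on (the domain name or the role member)
        Target    = ($d.Target | ForEach-Object { $_.ID }) -join ';'
        Result    = $d.ResultStatus
    }
} | Sort-Object When | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Once you know the actor account, search the same log for that `UserId` with no `-Operations` filter to see everything else it touched (mailbox rules, app consents, role grants) before you reset it.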
Yeah it's going to be a hard call but going forward I should probably remove admin access from the users. These are usually individual users who have their own domain, and I help them administer it, so one of my goals is to make it so they are not tied into me. So I make myself an admin but they remain one as well. Smarter to make them a second user account that is the admin account, disconnected from their email for sure. But as you can imagine, it will create confusion, which creates dissatisfaction. But smart policy regardless.
And yes they were certainly trying to get paid by clients by impersonating the user. That part was easy of course.
I just wish I could figure out the use of my tenant. Everything has to have a reason, and these scammers are not into wasting their time and effort. Doing something more complicated and difficult than necessary just has to have a reason, and not knowing it will leave me unclear on the real situation. But I don't see how I ever find out the answer....