Forum Discussion
O365, Outlook 2016 - hacked email
The very first thing you should do is enable MFA on his account, or even configure some more strict policies in terms of Conditional access or Exchange Client Access Rules or similar. Reset the password on the old account, force a logoff and block any email protocols to stop them from accessing data, and create a transport rule to block any outgoing messages. Tony's article summarizes all this: https://www.petri.com/blocking-access-office-365-user
Then you have to decide what to do with the account. It's easy to just delete it, but being a GM I imagine there is a ton of important messages stored in that mailbox, so you will probably have to export the data first. Reusing the same account should be approached with caution, as there still might be some hidden rules, Form injections and other types of nasty things that can compromise it again.
Another option is to put the mailbox on hold or make it an inactive mailbox, with the intention to preserve this data.
But in any case, you should properly investigate how this happened and put some measures in place to prevent it from happening in the future.
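The containment steps listed in this reply (password reset, blocking sign-in, MFA, cutting off client protocols, an outbound transport rule, and a hold to preserve the data) as one PowerShell session. This is an added example, not code from the reply or from the linked article; it assumes the legacy MSOnline module and the ExchangeOnlineManagement module are installed, that `gm@contoso.com` is a placeholder for the compromised account, and that you have Exchange and user administration rights in the tenant.

```powershell
# Added example: contain a compromised Office 365 mailbox.
# Assumes the MSOnline (legacy) and ExchangeOnlineManagement modules are installed.
$upn = 'gm@contoso.com'   # placeholder UPN for the compromised account

Connect-MsolService
Connect-ExchangeOnline

# 1. Rotate the password to a random value and force a change at next sign-in.
#    Using a long random password means the old, phished credential is dead immediately.
$newPassword = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Set-MsolUserPassword -UserPrincipalName $upn -NewPassword $newPassword -ForceChangePassword $true

# 2. Block sign-in entirely until the investigation is done. This also invalidates
#    cached sessions, so the attacker cannot keep using an already-open Outlook/OWA session.
Set-MsolUser -UserPrincipalName $upn -BlockCredential $true

# 3. Require MFA on the account (per-user MFA via the legacy StrongAuthenticationRequirement object).
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'
$mfa.State = 'Enabled'
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($mfa)

# 4. Disable every client protocol so nothing can read the mailbox while you work on it.
Set-CASMailbox -Identity $upn `
    -ActiveSyncEnabled $false -OWAEnabled $false -OWAforDevicesEnabled $false `
    -PopEnabled $false -ImapEnabled $false -MAPIEnabled $false -EwsEnabled $false

# 5. Transport rule: silently drop anything sent from the account, so a lingering
#    session or a queued mail-merge cannot keep spamming contacts.
New-TransportRule -Name "Contain $upn" -From $upn -DeleteMessage $true `
    -Comments 'Temporary containment rule added during incident; remove after investigation'

# 6. Preserve the data instead of deleting the account: litigation hold keeps
#    everything (including items the attacker deleted) recoverable via eDiscovery.
Set-Mailbox -Identity $upn -LitigationHoldEnabled $true

Disconnect-ExchangeOnline -Confirm:$false
```

Leave step 5 in place until you have confirmed that no inbox rules, forwarding settings or delegates are left on the mailbox; remove the transport rule with `Remove-TransportRule -Identity "Contain gm@contoso.com"` once the account is handed back.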
Also if it was compromised, most of these phishing hacks add in e-mail rules, so you're going to need to go into your rules and remove the rules. Also run a security audit log scan and check for any other e-mail box rules added recently, and it will quickly turn up if anyone else has been compromised recently as well.
If the e-mail is in fact coming from external sources after checking into the headers, then you need to tighten up e-mail gateway / spam filters to prevent e-mail from being allowed to be sent from your domain any way other than via Office 365 internal routing etc.
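The rule clean-up and audit-log check this reply describes, as an added PowerShell example (not code posted in the thread). It assumes the ExchangeOnlineManagement module, that `gm@contoso.com` is a placeholder for the compromised mailbox, that unified audit logging is enabled in the tenant, and that you have Exchange administrator rights; it goes slightly beyond the reply by also clearing mailbox-level forwarding, which is a separate setting from inbox rules and is a common second persistence point.

```powershell
# Added example: find and remove attacker-created inbox rules, then hunt tenant-wide.
$upn = 'gm@contoso.com'   # placeholder UPN for the compromised mailbox
Connect-ExchangeOnline

# 1. Review the rules on the compromised mailbox before deleting them; attackers typically
#    add rules that delete, move to RSS/Junk, or forward incoming mail so the victim never sees replies.
Get-InboxRule -Mailbox $upn |
    Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize
Get-InboxRule -Mailbox $upn | Remove-InboxRule -Confirm:$false

# 2. Mailbox-level forwarding is not an inbox rule and survives rule removal, so clear it too.
Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false

# 3. Unified audit log: who created or changed inbox rules anywhere in the tenant in the last 30 days,
#    and from which client IP. A second user with a fresh rule from an unfamiliar IP is the next victim.
$start = (Get-Date).AddDays(-30)
$end   = Get-Date
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
        -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox' |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When     = $_.CreationDate
            User     = $_.UserIds
            Op       = $_.Operations
            ClientIP = $data.ClientIP
            Params   = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    } | Sort-Object When | Format-Table -AutoSize

# 4. Direct check independent of the audit log: every rule in the tenant that forwards or
#    redirects mail. Anything pointing outside the organisation needs an explanation.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $_.MailboxOwnerId } }, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

Disconnect-ExchangeOnline -Confirm:$false
```

Step 3 returns at most 5000 records per call; if the tenant is large, repeat the search with `-SessionCommand ReturnLargeSet` and a `-SessionId` to page through the rest. Step 4 is slow on big tenants but is the only check that catches rules created before audit logging was turned on.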