Forum Discussion
User was scammed out of thousands of dollars
Ideally you want your users to use MFA to prevent this sort of attack. We've had them trying it in our org previously; phishing e-mails is usually how they get in: they read their e-mails, then start their attacks. Since we finally got everyone on MFA, haven't heard nor seen a peep.
Anyway, portal and audit logs should show a pretty obvious "other IP" logging into the account than the normal IPs on the account. One other audit log entry to search for that is common is "inbox rule creation": almost every time these guys hack into someone's e-mail they will set up an auto-delete rule or something to move messages from their targets so they don't get suspicious, so checking their mailbox rules might give a clue as well. The audit log used to show these events, and you can time-stamp or narrow down when they were created.
Anyway, hope some of this helps.
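The two checks described in the post above (logins from an IP outside the account's normal ones, and inbox-rule creation or changes) as an added triage script; this is example code, not from the thread or from Microsoft. It assumes audit records in the shape of the AuditData JSON that Search-UnifiedAuditLog returns, simplified to the fields used here, and the sample records are constructed.

```python
import json

# Constructed sample records (assumed AuditData-like layout, trimmed to the
# fields this script reads). Operation names follow the unified audit log.
SAMPLE_AUDIT = [
    {"CreationTime": "2020-02-20T08:01:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2020-02-21T02:13:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2020-02-21T02:15:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.77",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2020-02-22T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10"},
]

# Rule operations worth reviewing, and the rule actions attackers typically
# use to hide mail from the victim (delete, move, forward, mark as read).
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
RULE_ACTIONS = {"DeleteMessage", "MoveToFolder", "ForwardTo",
                "RedirectTo", "ForwardAsAttachmentTo", "MarkAsRead"}


def triage(records, known_ips):
    """Return findings in time order: logins from IPs not in known_ips, and
    every inbox-rule change, annotated with the hiding actions it contains
    and whether it came from an unknown IP (rule + unknown IP = strong lead)."""
    findings = []
    for r in sorted(records, key=lambda x: x["CreationTime"]):
        op, ip = r.get("Operation"), r.get("ClientIP", "")
        unknown = ip not in known_ips
        base = {"time": r["CreationTime"], "user": r["UserId"], "ip": ip,
                "from_unknown_ip": unknown, "actions": []}
        if op == "UserLoggedIn" and unknown:
            findings.append({**base, "kind": "login-from-unknown-ip"})
        elif op in RULE_OPS:
            params = {p["Name"] for p in r.get("Parameters", [])}
            actions = sorted(params & RULE_ACTIONS)
            findings.append({**base, "kind": "inbox-rule-change",
                             "actions": actions, "operation": op})
    return findings


if __name__ == "__main__":
    # Known-good IPs for the account come from the org's normal logins.
    for f in triage(SAMPLE_AUDIT, {"203.0.113.10"}):
        print(json.dumps(f))
```

The rule change here lands two minutes after the first login from the unknown address and deletes matching mail, which is the pattern the post describes; that timestamp is what you use to narrow down when the account was taken over.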
- jrindfleisch, Mar 09, 2020, Copper Contributor
ChrisWebbTech Thanks for the reply Chris. I spoke with someone from Microsoft as well and they did insist that the audit logs should go back 90 days by default, but they did not, and they were not turned on recently to my knowledge, so there should be data back 90 days. Azure only showed us a week, I believe, for audit logs.
We have them all using MFA now; it's a small organization, about 6 or 7 people, so they don't seem to have an issue with it.
I have a strong inclination that it was a phishing attack, but with the information we have, it's hard to tell. I didn't see any rogue rules but a few other engineers here worked on this so it's possible they saw them and deleted them already, I'll have to speak with them. I have seen that before as well when this type of thing happens.
Thanks for the additional information though.