"O365 Suite EX" and "Office365 Shell WCSS-Client" Compromised


Hi,
I noticed the following Sign-in events originating from Nigeria, which is not the user location.

[Screenshot: cllee_0-1592576055444.png, the sign-in events in question]

Seems like something is compromised.
Can I know what is the "O365 Suite UX" and "Office365 Shell WCSS-Client" about?
Thanks.
6 Replies

Unless the user connected via some sort of VPN solution, I'd wager his account has been compromised. Those events correspond to browser logins to the O365 portal/landing page.

@Vasil Michev 

Is there any way to trace or run an audit of whatever actions or activities have been run from that IP address? Thanks.

Not directly, but you can export the Unified audit log events and filter them against this IP. If you are using Cloud App Security, you can do it directly in the UI there.
Not all events generate IP address information though.
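As an added example (not code from this thread), the filtering the reply describes can be done offline on an exported Unified Audit Log CSV, where each row's AuditData column holds the event as JSON. The sample rows, users and addresses below are constructed; the script also lists the events that carry no ClientIP at all, which is the caveat in the reply.

```python
import csv
import io
import json
from typing import Dict, Iterator, List

# Constructed sample in the shape of a Unified Audit Log export (the CSV that
# Search-UnifiedAuditLog | Export-Csv produces): the AuditData column carries the
# full event as JSON. All addresses, users and timestamps are made up.
SAMPLE_EXPORT = '''CreationDate,UserIds,Operations,AuditData
2020-06-19T14:10:03,user@example.com,UserLoggedIn,"{""CreationTime"":""2020-06-19T14:10:03"",""Operation"":""UserLoggedIn"",""UserId"":""user@example.com"",""ClientIP"":""203.0.113.45"",""ResultStatus"":""Success""}"
2020-06-19T14:12:40,user@example.com,MailboxLogin,"{""CreationTime"":""2020-06-19T14:12:40"",""Operation"":""MailboxLogin"",""UserId"":""user@example.com"",""ClientIP"":""203.0.113.45:51234"",""ResultStatus"":""Succeeded""}"
2020-06-19T14:15:12,user@example.com,New-InboxRule,"{""CreationTime"":""2020-06-19T14:15:12"",""Operation"":""New-InboxRule"",""UserId"":""user@example.com"",""ClientIP"":""203.0.113.45"",""Parameters"":[{""Name"":""DeleteMessage"",""Value"":""True""}]}"
2020-06-19T15:01:00,user@example.com,UserLoggedIn,"{""CreationTime"":""2020-06-19T15:01:00"",""Operation"":""UserLoggedIn"",""UserId"":""user@example.com"",""ClientIP"":""198.51.100.7"",""ResultStatus"":""Success""}"
2020-06-19T15:05:00,user@example.com,Set-Mailbox,"{""CreationTime"":""2020-06-19T15:05:00"",""Operation"":""Set-Mailbox"",""UserId"":""user@example.com""}"
'''

def normalize_ip(raw: str) -> str:
    """Strip the :port suffix some UAL events append ('203.0.113.45:51234',
    '[2001:db8::1]:443') so the comparison is on the address alone."""
    if raw.startswith("["):              # bracketed IPv6 with port
        return raw[1:raw.index("]")]
    if raw.count(":") == 1:              # IPv4 with port
        return raw.split(":", 1)[0]
    return raw                           # bare IPv4 or bare IPv6

def parse_export(csv_text: str) -> Iterator[Dict]:
    """Yield the decoded AuditData document of every exported row."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        yield json.loads(row["AuditData"])

def events_from_ip(csv_text: str, ip: str) -> List[Dict]:
    """All events whose ClientIP equals `ip`, oldest first."""
    hits = [e for e in parse_export(csv_text)
            if e.get("ClientIP") and normalize_ip(e["ClientIP"]) == ip]
    return sorted(hits, key=lambda e: e["CreationTime"])

def events_without_ip(csv_text: str) -> List[Dict]:
    """Events that carry no ClientIP: an IP filter silently misses these, so
    they have to be reviewed by user and time window instead."""
    return [e for e in parse_export(csv_text) if not e.get("ClientIP")]

def timeline(events: List[Dict]) -> List[str]:
    """One 'time user operation' line per event, for a quick read-through."""
    return [f"{e['CreationTime']} {e['UserId']} {e['Operation']}" for e in events]

if __name__ == "__main__":
    suspect = "203.0.113.45"            # the address seen in the sign-in report
    print("\n".join(timeline(events_from_ip(SAMPLE_EXPORT, suspect))))
    print(f"{len(events_without_ip(SAMPLE_EXPORT))} event(s) have no ClientIP")
```

Run against a real export, the events without a ClientIP are the ones to correlate by time against the suspicious sign-ins rather than discard.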

@cllee using Microsoft Cloud App Security

@cllee, that account has been compromised, for sure, no doubt. We had the same occurrences, and had a user account which didn't have MFA enabled, hacked. And the hacking was done via phishing e-mail.

@Arash0110 Hi, how did you establish that the account was compromised by a phishing email?