Spoofing emails from external accounts

Brass Contributor

Hi,

We get a lot of spoofing emails from external accounts. I know how to limit them but today I was surprised by something new to me. Just few days ago I have created new user and email account. And today this user account get spoofing email from external domain. How it's possible so fast?

I am not master of Exchange but from my point of view one user account or computer has been compromised. Is there any other way that someone get access to such information like our email address?

We run Office 365 Business Premium, and we started implementation of EMS P1.

Unfortunately we don't have Windows 10 enterprise.

Can you suggest how to increase security of our Exchange and mailboxes?

Thank you

 

4 Replies

@Tomasz Szulczewski Correct, it looks like a compromised Mailbox being used to download your GAL outside the network.

 

1. Check suspicious login/audit from Azure AD. look for ip addresses, geographic location time of access, workstation. This should give you idea on what account/s are compromised.

2. Once identified on what account it is - folow remediation path in order.

Reset Password. 

Revoke all Azureaduserrefreshtoken (From Azure AD Powershell)

Check for any forwarding activated on a mailbox.

As a security measure ask all users to change passwords (there may be more than 1 who are compromised)

 

Enable Multi Factor authentication for future.

 

https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-acco... 

 

https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-offi... 

 

https://blogs.technet.microsoft.com/cloudyhappypeople/2017/10/05/killing-sessions-to-a-compromised-o... 

 

All the Best 

Ankit Shukla

 

@Tomasz Szulczewski  Were you able to figure this out. Do let me know if you need additional help in identifying the logs !

 

Cheers

Ankit Shukla

 

@ankit shuklaThank you. Yes, I know how to proceed now.

@Tomasz Szulczewski  Perfect. Please save the Rapid response in your notes for handling any future similar issues that may arise 🙂 I'm glad i was able to assist.

 

Cheers !

Ankit Shukla