Microsoft 365 Business Premium Customer account breach


Need some advice on how this could have happened and other remediation steps. We have a customer using Microsoft 365 Business Premium. All users have MFA enabled and the default is OTP using the Microsoft Authenticator. The user complained they were not receiving any emails sent to them from internal users. They were receiving external emails. After review we identified an Outlook server rule was created for this user to move all emails received from others in their domain to a newly created Outlook folder named RSS Feeds. We deleted the RSS Feeds folder, the Outlook rule, and moved the messages back to the inbox. We signed out the user from all devices and reset the password.

Reviewing Azure sign-ins over the past week we found entries showing what appears to be a successful login from Iowa State University. The customer is in a different state and they do not know of anyone in Iowa. It appears the first attempt was interrupted, resulting in MFA required in Azure AD. Yet a minute later they were able to get into Exchange Online successfully with authentication method "previously satisfied". See attachment for 4 screenshots showing details of the sign-ins and the new inbox rule creation from the IP address in Iowa.

How is this possible? What else should we review? Should we report this to Microsoft? Is there a charge to report something like this? Please let me know if you need any additional details or if I should report or post this elsewhere. Thank you.
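The two indicators in this post (a hidden inbox rule diverting internal mail, and an Exchange Online sign-in that succeeded with MFA "previously satisfied" from an unfamiliar location right after an interrupted attempt) can be hunted for across a tenant's exported logs. The following is an added example, not code from the thread or from Microsoft; the record layouts are simplified stand-ins for Azure AD sign-in and Unified Audit Log exports, the records and the per-user baseline of usual sign-in states are constructed.

```python
from datetime import datetime, timedelta

# Constructed, simplified sign-in records (not the exact Azure AD export schema).
SIGNINS = [
    {"time": "2021-02-03T14:19:40", "user": "user@customer.example", "ip": "203.0.113.45",
     "state": "Iowa", "app": "Office 365 Exchange Online", "result": "Interrupted", "mfa": "MFA required"},
    {"time": "2021-02-03T14:20:35", "user": "user@customer.example", "ip": "203.0.113.45",
     "state": "Iowa", "app": "Office 365 Exchange Online", "result": "Success", "mfa": "Previously satisfied"},
    {"time": "2021-02-03T08:05:12", "user": "user@customer.example", "ip": "198.51.100.7",
     "state": "Ohio", "app": "Office 365 Exchange Online", "result": "Success", "mfa": "MFA completed in Azure AD"},
]
# Constructed inbox-rule audit events (simplified Unified Audit Log shape; params = rule parameters).
RULE_EVENTS = [
    {"time": "2021-02-03T14:21:07", "user": "user@customer.example", "ip": "203.0.113.45",
     "op": "New-InboxRule", "params": {"Name": ".", "FromAddressContainsWords": "customer.example",
                                       "MoveToFolder": "RSS Feeds", "MarkAsRead": "True"}},
    {"time": "2021-02-01T09:02:00", "user": "other@customer.example", "ip": "198.51.100.7",
     "op": "New-InboxRule", "params": {"Name": "Newsletters", "SubjectContainsWords": "digest",
                                       "MoveToFolder": "Newsletters"}},
]
BASELINE_STATES = {"user@customer.example": {"Ohio"}}  # constructed: where each user normally signs in
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items"}
EXFIL_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}

def _t(s):
    return datetime.fromisoformat(s)

def suspicious_signins(signins, baseline, window=timedelta(minutes=5)):
    # Successful sign-in whose MFA was only "previously satisfied" (token/session reuse),
    # from a state outside the user's baseline, shortly after an interrupted attempt from the same IP.
    hits = []
    for s in signins:
        if s["result"] != "Success" or "previously satisfied" not in s["mfa"].lower():
            continue
        if s["state"] in baseline.get(s["user"], set()):
            continue
        prior = [p for p in signins if p["user"] == s["user"] and p["ip"] == s["ip"]
                 and p["result"] == "Interrupted"
                 and timedelta(0) <= _t(s["time"]) - _t(p["time"]) <= window]
        hits.append({"user": s["user"], "ip": s["ip"], "state": s["state"], "prior_interrupted": bool(prior)})
    return hits

def suspicious_rules(events, internal_domain):
    # Inbox rules that hide or divert mail: unnamed rules, moves to rarely-opened folders,
    # conditions on internal senders, mark-as-read, forwarding or deletion.
    hits = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p, reasons = e["params"], []
        if not p.get("Name", "").strip(" ."): reasons.append("unnamed rule")
        if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS: reasons.append("moves to " + p["MoveToFolder"])
        if internal_domain in p.get("FromAddressContainsWords", "").lower(): reasons.append("targets internal senders")
        if p.get("MarkAsRead") == "True": reasons.append("marks as read")
        if EXFIL_ACTIONS.intersection(p): reasons.append("forwards or deletes")
        if reasons: hits.append({"user": e["user"], "ip": e["ip"], "reasons": reasons})
    return hits
```

A sign-in hit whose IP also appears on a rule hit within minutes, as in this post, is the pairing to escalate: it points at session or token reuse rather than a fresh credential-plus-MFA logon, so revoking refresh tokens and sessions matters as much as the password reset.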


Hi @Ed Kelly, please make sure you have two things enabled:


1 - A conditional access policy to require MFA for all admins & users

2 - A conditional access policy to block legacy authentication for all users


Conditional Access - Require MFA for administrators - Azure Active Directory | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-admin-mfa

Conditional Access - Require MFA for all users - Azure Active Directory | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa

Conditional Access - Block legacy authentication - Azure Active Directory | Microsoft Docs: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy


@David Bjurman-Birr 

We have conditional access policies to address these conditions. That is the reason we are so concerned. We opened a support ticket with Microsoft but we are still no closer to getting information on how this occurred.