Major security breach with my Office 365 mailbox


There has been a major security breach with my Office 365 mailbox this morning and I don't believe it was due to the usual method of simply logging in with a phished password.

What I saw this morning:
- Roughly 200 emails sent from my Office 365 mailbox, all still in my Sent Items folder, but addressed to people I'd never heard of, with a single line "you might be interested in this...." and a link.
- This started at 4:36 am AEDT on 24/11 and ended 28 minutes later at 5:04 am AEDT.


Why I believe it was a problem at Microsoft's end and not a password breach:
- If someone had my password then they would have also had access to my address book with over 1000 contacts, and yet not a single email that was sent was addressed to one of my contacts.
- No dodgy Forwarders had been added to my account
- No dodgy Rules had been created in my account
- The Sent Items were not deleted to hide the activity.
- I did nothing to stop it. When I finally became aware of what had happened there had been no activity for the past couple of hours.


I have now changed my passwords just in case, but I believe that whatever happened was a Microsoft breach and they then did something to block it once they realized what was happening.


Has anyone else seen something similar to this today?

2 Replies
Doubtful. It's most likely a direct account breach. Set up MFA to prevent this first off. Second, go into your audit logs and search; you will most likely see the person that logged into your account and from what IP. That will verify the issue.
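One way to run the audit-log check this reply suggests, as an added example that is not part of the thread: it pulls the unified audit log for the affected mailbox around the 24/11 04:36-05:04 AEDT sending window from the post and groups sign-ins and sent items by source IP. It assumes the ExchangeOnlineManagement module, an admin account, a placeholder mailbox address, and a year for the date, which the post does not state.

```powershell
# Added example (not from the thread): query the Office 365 unified audit log for the
# compromised mailbox around the incident window and summarise sign-ins by client IP.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Mailbox    = 'victim@example.com'            # placeholder for the affected mailbox
$AedtOffset = [TimeSpan]::FromHours(11)       # AEDT is UTC+11
$LocalStart = [datetime]'2019-11-24 04:36'    # year is assumed; the post only gives 24/11
$LocalEnd   = [datetime]'2019-11-24 05:04'
# Search-UnifiedAuditLog treats dates without a zone as UTC; widen the window so the
# sign-in that preceded the first message and any clean-up afterwards are included.
$Start = ($LocalStart - $AedtOffset).AddHours(-6)
$End   = ($LocalEnd   - $AedtOffset).AddHours(6)

# Sign-ins, messages sent, and the rule/forwarding changes the poster checked by hand.
# Send records only exist if mailbox auditing covers that action for the mailbox.
$Ops = 'UserLoggedIn', 'Send', 'SendAs', 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'
$Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Mailbox `
    -Operations $Ops -ResultSize 5000 -SessionCommand ReturnLargeSet

$Events = foreach ($r in $Records) {
    $d = $r.AuditData | ConvertFrom-Json
    # Azure AD sign-in records carry ClientIP; Exchange mailbox-audit records carry ClientIPAddress
    $ip = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
    $ua = ($d.ExtendedProperties | Where-Object Name -eq 'UserAgent').Value
    [pscustomobject]@{
        TimeUtc   = [datetime]$d.CreationTime
        Operation = $d.Operation
        Result    = $d.ResultStatus
        ClientIP  = $ip
        Client    = if ($ua) { $ua } else { $d.ClientInfoString }
        Subject   = $d.Item.Subject
    }
}

# A password-based compromise shows up as a successful UserLoggedIn from an unfamiliar
# IP shortly before the burst of Send records from that same address.
$Events | Sort-Object TimeUtc | Format-Table -AutoSize
$Events | Group-Object Operation, ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Compare the IPs and client strings against the owner's usual locations and mail clients; a 200-message burst tied to one unfamiliar IP is the evidence the reply is referring to.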
Also, I've seen plenty of variations of account compromises. Some use them to spread, some use them to try and get finance to wire them money (and they try harder to hide their tracks).