O365, Outlook 2016 - hacked email


We use the above for our small office (large HOA) but, recently, the GM's email was compromised. Again. This last time, the admin assistant just changed the email address slightly to make a difference and changed the password.

Now, they can send and receive mail, but the original hacked email address is still sending out mail along with the new one and returning replies. They have been unable to remove the compromised email address from the profile.

Wouldn't the best approach be to remove the compromised profile and add the profile back with the new address? Or...?

I understand that modifying the GAL with PowerShell is not for the faint of heart. :)

Thanks!

3 Replies
First you should be able to remove his old address by changing the primary email address! Second you need to check the reason for this! Is his password compromised or is his mail spoofed! Take action on this! SPF/DKIM/DMARC implemented to protect against spoofing? Check the anti-spoofing policies in your tenant..
Check logs if you can see anything suspicious..

Adam

The very first thing you should do is enable MFA on his account, or even configure some more strict policies in terms of Conditional access or Exchange Client Access Rules or similar. Reset the password on the old account, force a logoff and block any email protocols to stop them from accessing data, and create a transport rule to block any outgoing messages. Tony's article summarizes all this: https://www.petri.com/blocking-access-office-365-user

Then you have to decide what to do with the account. It's easy to just delete it, but being a GM I imagine there are a ton of important messages stored in that mailbox, so you will probably have to export the data first. Reusing the same account should be approached with caution, as there still might be some hidden rules, form injections and other types of nasty things that can compromise it again.

Another option is to put the mailbox on hold or make it an inactive mailbox, with the intention to preserve this data.

But in any case, you should properly investigate how this happened and put some measures in place to prevent it from happening in the future.

Yeah, to follow up with both these great responses: first things first, have you found out if the account is even really compromised? Just because you get e-mail from an address doesn't mean anything; I can send an e-mail on behalf of cwebb@microsoft.com from any generic SMTP server on the internet. You need to make sure the actual address is an internal address, what client it came from via headers, etc. If it did come from internal routing direct from the Exchange server, then you need to follow Vasil's advice and lock that account down; changing the password won't do anything because they could still be using a token that gives them access.

Also, if it was compromised, most of these phishing hacks add in e-mail rules, so you're going to need to go into your rules and remove the rules. Also run a security audit log scan and check for any other mailbox rules added recently; it will quickly turn up if anyone else has been compromised recently as well.

If the e-mail is in fact coming from external sources after checking into the headers, then you need to tighten up e-mail gateway / spam filters to prevent e-mail from being allowed to be sent from your domain any way other than via Office 365 internal routing, etc.
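The lockdown, rule-hunting and address-cleanup steps from the replies above as working Exchange Online commands. This is an added example, not code from the thread or from Microsoft; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules with an admin session already opened (Connect-ExchangeOnline, Connect-MgGraph), and the addresses gm@example.com / oldgm@example.com are placeholders.

```powershell
# Added example (not from the thread): triage of a suspected compromised Exchange Online mailbox.
# Assumes Connect-ExchangeOnline and Connect-MgGraph have already been run as an admin.
$Upn      = 'gm@example.com'           # placeholder for the affected mailbox
$OldAlias = 'smtp:oldgm@example.com'   # placeholder for the address being retired

# 1. Cut off the attacker. A password reset alone leaves issued tokens valid, so revoke
#    every sign-in session first, then disable the client protocols until the review is done.
Revoke-MgUserSignInSession -UserId $Upn
Set-CASMailbox -Identity $Upn -OWAEnabled $false -ActiveSyncEnabled $false -PopEnabled $false `
    -ImapEnabled $false -MAPIEnabled $false -EwsEnabled $false

# 2. Stop outbound mail from the account while it is under review (transport rule).
New-TransportRule -Name "Hold outbound - $Upn" -From $Upn -SentToScope NotInOrganization `
    -RejectMessageReasonText 'Mailbox under review'

# 3. Remove mailbox-level forwarding and list every inbox rule, hidden ones included;
#    forwarding/redirect/delete rules are the usual persistence left behind by phishing kits.
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
    -DeliverToMailboxAndForward $false
Get-InboxRule -Mailbox $Upn -IncludeHidden |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder

# 4. Tenant-wide: whose inbox rules were created or changed in the last 30 days, and from which IP?
#    The same activity on other users is a quick indicator that more than one account is affected.
$hits = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000
$hits | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{ When = $_.CreationDate; User = $_.UserIds; Op = $_.Operations; ClientIP = $d.ClientIP }
} | Sort-Object When -Descending | Format-Table -AutoSize

# 5. Only once the mailbox is clean: drop the old alias (mail sent to it will then bounce).
Set-Mailbox -Identity $Upn -EmailAddresses @{ remove = $OldAlias }
```

Re-enable the protocols and remove the transport rule only after MFA is enforced on the account and the audit results have been reviewed.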