Oct 16 2018 09:38 AM - last edited on Feb 01 2023 10:39 AM by TechCommunityAP
We use the above for our small office (large HOA) but, recently, the GM's email was compromised. Again. This last time, the admin assistant just changed the email address slightly to make a difference and changed the password.
Now, they can send and receive mail, but the original hacked email address is still sending out mail along with the new one and returning replies. They have been unable to remove the compromised email address from the profile.
Wouldn't the best approach be to remove the compromised profile and add the profile back with the new address? Or...?
I understand that modifying the GAL with PowerShell is not for the faint of heart. :)
Thanks!
Oct 16 2018 09:49 AM
Oct 16 2018 10:41 AM
The very first thing you should do is enable MFA on his account, or even configure some more strict policies in terms of Conditional access or Exchange Client Access Rules or similar. Reset the password on the old account, force a logoff and block any email protocols to stop them from accessing data, and create a transport rule to block any outgoing messages. Tony's article summarizes all this: https://www.petri.com/blocking-access-office-365-user
Then you have to decide what to do with the account. It's easy to just delete it, but being a GM I imagine there is a ton of important messages stored in that mailbox, so you will probably have to export the data first. Reusing the same account should be approached with caution, as there still might be some hidden rules, Form injections and other types of nasty things that can compromise it again.
Another option is to put the mailbox on hold or make it an Inactive mailbox, with the intention to preserve this data.
But in any case, you should properly investigate how this happened and put some measures in place to prevent it from happening in the future.
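The containment steps listed in the reply above (password reset, forced logoff, protocol block, outbound transport rule, check for leftover rules), as an added PowerShell example that is not part of the original thread or the linked article. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and the operator holds the needed admin roles; the address and rule name are placeholders.

```powershell
# Added example: contain one compromised Exchange Online mailbox.
# Assumption: $Upn is a placeholder address, not one taken from the thread.
$Upn = 'gm@contoso.example'

Connect-MgGraph -Scopes 'User.ReadWrite.All'
Connect-ExchangeOnline

# 1. Reset the password to a random value (24 random bytes, base64-encoded;
#    the fixed suffix only guarantees the complexity classes are present).
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes) + 'aA1!'
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 2. Force a logoff: invalidate refresh tokens so existing sessions
#    must re-authenticate with the new password.
Revoke-MgUserSignInSession -UserId $Upn

# 3. Block every client protocol on the mailbox while it is investigated.
Set-CASMailbox -Identity $Upn -ImapEnabled $false -PopEnabled $false `
    -MAPIEnabled $false -ActiveSyncEnabled $false `
    -OWAEnabled $false -EwsEnabled $false

# 4. Transport rule that rejects anything this sender tries to send.
New-TransportRule -Name "Block outbound from $Upn" -From $Upn `
    -RejectMessageReasonText 'Sender blocked pending investigation'

# 5. Look for persistence: inbox rules (including hidden ones) that
#    forward, redirect, delete or move mail, plus mailbox-level forwarding.
Get-InboxRule -Mailbox $Upn -IncludeHidden |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo,
                  RedirectTo, DeleteMessage, MoveToFolder |
    Format-List

Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress,
                  DeliverToMailboxAndForward
```

Any rule or forwarding address in the step 5 output that the mailbox owner does not recognise should be recorded for the investigation before it is removed.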
Oct 16 2018 01:15 PM