Office365 account compromise

Hi

I'm doing incident response for an Office 365 account hijacking. May I know how I can check whether the hacker has downloaded all the webmail to a local computer (PST etc.)?

Is there any specific string I can filter on inside the audit log?

Thanks

2 Replies

Hi, I'd start here, which is a series of steps, if you haven't seen it already, with how to deal with compromised accounts:

https://docs.microsoft.com/en-us/office365/securitycompliance/responding-to-a-compromised-email-acco...

The above article mentions checking the Audit Logs in the Security & Compliance Center and reviewing all the activities for the suspected account "by filtering the results for the date range spanning from immediately before the suspicious activity occurred to the current date".

The article also discusses checking the Azure AD Sign-in logs and other risk reports.

@Cian Allner

Thanks Cian. I had gone through the action. From the audit log, the hacker had access for around 30 minutes before the admin changed the password. Now I'm looking into what actions were performed besides sending a phishing link to all the contacts.
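
The date-range review described in the replies above, as an added example that is not part of the original thread: it filters exported audit records for one account from just before the first suspicious event up to now, then counts operations per client IP. It assumes one AuditData JSON object per line with the fields CreationTime, UserId, Operation and ClientIP; the addresses, IPs, timestamps and the 30-minute lead margin are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not real log data): one AuditData JSON object per line.
SAMPLE = """\
{"CreationTime":"2019-03-01T07:10:00","UserId":"victim@contoso.example","Operation":"UserLoggedIn","ClientIP":"198.51.100.7"}
{"CreationTime":"2019-03-01T08:02:11","UserId":"victim@contoso.example","Operation":"UserLoggedIn","ClientIP":"203.0.113.45"}
{"CreationTime":"2019-03-01T08:04:30","UserId":"Victim@contoso.example","Operation":"New-InboxRule","ClientIP":"203.0.113.45"}
{"CreationTime":"2019-03-01T08:06:02","UserId":"victim@contoso.example","Operation":"Send","ClientIP":"203.0.113.45"}
{"CreationTime":"2019-03-01T08:06:09","UserId":"victim@contoso.example","Operation":"Send","ClientIP":"203.0.113.45"}
{"CreationTime":"2019-03-01T08:10:00","UserId":"other@contoso.example","Operation":"FileAccessed","ClientIP":"198.51.100.9"}
truncated-line-from-a-bad-export
"""

def parse_time(value):
    # Audit CreationTime values are UTC; tolerate an optional trailing "Z".
    return datetime.fromisoformat(value.rstrip("Z"))

def account_activity(lines, user, first_suspicious, now, margin=timedelta(minutes=30)):
    """Records for `user` from just before the suspicious activity up to `now`."""
    start = first_suspicious - margin
    hits, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
            when = parse_time(rec["CreationTime"])
            who = rec["UserId"].lower()  # UserId casing varies between records
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1  # count unparseable rows instead of silently losing them
            continue
        if who == user.lower() and start <= when <= now:
            hits.append((when, rec.get("Operation", "?"), rec.get("ClientIP", "?")))
    return sorted(hits), skipped

def summarize(hits):
    """Count operations per client IP so unfamiliar sources stand out."""
    return Counter((ip, op) for _, op, ip in hits)

if __name__ == "__main__":
    hits, skipped = account_activity(SAMPLE.splitlines(), "victim@contoso.example",
                                     datetime(2019, 3, 1, 8, 2), datetime(2019, 3, 1, 12, 0))
    for (ip, op), n in sorted(summarize(hits).items()):
        print(f"{ip:15} {op:15} {n}")
    print(f"skipped {skipped} unparseable line(s)")
```

A non-zero skipped count means the export is incomplete or malformed, so the timeline built from it should not be treated as the full record of the session.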