User was scammed out of thousands of dollars


Hello all,


Long story short, we had a customer who was scammed out of 90k. The hacker gained access to two internal accounts, we'll call them John and Jane. A client of theirs sent an e-mail to Jane asking for wiring instructions. The hacker, with control of both John and Jane, had a fake conversation together and with this customer, and that customer sent 90k to a UK bank account. By the time someone caught it, it was too late. Both John and Jane did not send any of these messages and they were unaware of it happening. Looks like the hacker covered their tracks pretty well. The hacker was watching long enough to know who did what at the business in order to make a convincing reply.


My question is this: what can we do to prove that the account was hacked and that the fake conversation between Jane and John did not actually take place between the real Jane and John? I have looked in the audit log for a strange login and the log only goes back 30 days. Other than that, I'm not sure there's too much we can do to help them. Any suggestions would be greatly appreciated.


Thank you.

2 Replies
Pretty much the only thing you can do is audit logs. I thought they should go back 90 days, but when did this money exchange occur? You can use portal.azure.com and there are some basic security features in there that will usually detect suspicious login activity, such as logging in from another country, which usually triggers this issue, but at times you will have these phishers VPN locally to bypass this.

Ideally you want your users to use MFA to prevent this sort of attack. We've had them trying it in our org previously; phishing e-mails are usually how they get in, they read their e-mails then start their attacks. Since we finally got everyone on MFA we haven't heard nor seen a peep.

Anyway, portal and audit logs should show a pretty obvious "other IP" logging into the account than the normal IPs on the account. One other audit log entry to search for that is common is "inbox rule creation". Almost every time these guys hack into someone's e-mail they will set up an auto delete rule or something to move messages from their targets so they don't get suspicious, so checking their mailbox rules might give a clue as well, and the audit log used to show these events and you can time stamp or narrow down when they were created.

Anyway, hope some of this helps.
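The two checks described in the reply above (logins from an IP that is not one of the account's normal addresses, and inbox rules that delete, move or forward mail) can be run over an export of the unified audit log. This is an added example, not code from the thread or from Microsoft: it assumes one `AuditData` JSON string per record, as returned by `Search-UnifiedAuditLog` in Exchange Online PowerShell, and the sample records and IP addresses are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed sample records in the shape of Search-UnifiedAuditLog AuditData
# (field names follow the M365 audit schema; all values are invented here).
# Real input can be produced with, for example:
#   Search-UnifiedAuditLog -StartDate ... -EndDate ... -UserIds jane@example.com
#     | Select-Object -ExpandProperty AuditData
SAMPLE_AUDITDATA = [
    json.dumps({"CreationTime": "2019-05-02T07:14:00", "Operation": "UserLoggedIn",
                "UserId": "jane@example.com", "ClientIP": "203.0.113.45",
                "ResultStatus": "Success"}),
    json.dumps({"CreationTime": "2019-05-02T07:20:00", "Operation": "New-InboxRule",
                "UserId": "jane@example.com", "ClientIP": "203.0.113.45",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "SubjectContainsWords", "Value": "wire;invoice"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2019-05-02T09:00:00", "Operation": "UserLoggedIn",
                "UserId": "jane@example.com", "ClientIP": "198.51.100.10",
                "ResultStatus": "Success"}),
]

# Constructed: the organisation's normal egress address(es).
KNOWN_OFFICE_IPS = {"198.51.100.10"}

# New-InboxRule / Set-InboxRule parameters that hide mail from the mailbox owner.
SUSPICIOUS_RULE_PARAMS = {"DeleteMessage", "MoveToFolder", "ForwardTo",
                          "ForwardAsAttachmentTo", "RedirectTo"}


def triage(auditdata_lines, known_ips):
    """Return (time, user, description) findings, oldest first: successful
    logins from IPs outside known_ips, and inbox rules that delete/move/forward."""
    findings = []
    for line in auditdata_lines:
        rec = json.loads(line)
        op, when, user = rec.get("Operation"), rec.get("CreationTime"), rec.get("UserId")
        if op == "UserLoggedIn" and rec.get("ResultStatus") == "Success" \
                and rec.get("ClientIP") not in known_ips:
            findings.append((when, user, "login from unknown IP %s" % rec["ClientIP"]))
        elif op in ("New-InboxRule", "Set-InboxRule"):
            params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
            hits = sorted(SUSPICIOUS_RULE_PARAMS & set(params))
            if hits:
                detail = ", ".join("%s=%s" % (h, params[h]) for h in hits)
                findings.append((when, user, "%s with %s" % (op, detail)))
    findings.sort(key=lambda f: datetime.fromisoformat(f[0]))
    return findings
```

Finding the first unknown-IP login immediately followed by a rule creation, as in the constructed sample, gives the timestamp range to focus on; the rule itself can then be confirmed or found already deleted with `Get-InboxRule -Mailbox` on the affected mailbox.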

@Chris Webb Thanks for the reply Chris. I spoke with someone from Microsoft as well and they did insist that the audit logs should go back 90 days by default, but they did not, and they were not turned on recently to my knowledge, so there should be data back 90 days. Azure only showed us a week I believe for audit logs.


We have them all using MFA now. It's a small organization, about 6 or 7 people, so they don't seem to have an issue with it.


I have a strong inclination that it was a phishing attack, but with the information we have, it's hard to tell. I didn't see any rogue rules, but a few other engineers here worked on this, so it's possible they saw them and deleted them already; I'll have to speak with them. I have seen that before as well when this type of thing happens.


Thanks for the additional information though.