02-28-2020 11:50 AM
02-28-2020 11:50 AM
Long story short, we had a customer who was scammed out of 90k. The hacker gained access to two internal accounts, we'll call them John and Jane. A client of there's sent an e-mail to Jane asking for wiring instructions. The hacker, with control of both John and Jane, had a fake conversation together and with this customer, and that customer sent 90k to a UK bank account. By the time someone caught it, it was too late. Both John and Jane did not send any of these messages and they were unaware of it happening. Looks like the hacker covered their tracks pretty well. The hacker was watching long enough to know who did what at the business in order to make a convincing reply.
My question is this, what can we do to prove that the account was hacked and that the fake conversation between Jane and John, did not actually take place between the real Jane and John. I have looked in the audit log for a strange login and the log only goes back 30 days. Other than that, I'm not sure there's too much we can do to help them. Any suggestions would be greatly appreciated.
02-28-2020 07:40 PM
03-09-2020 01:55 PM
@Chris WebbThanks for the reply Chris. I spoke with someone from Microsoft as well and they did insist that the audit logs should go back 90 days by default but they did not and they were not turned on recently to my knowledge so there should be data back 90 days. Azure only showed us a week I believe for audit logs.
We have them all using MFA now, it's a small organization, about 6 or 7 people, so they don't see to have an issue with it.
I have a strong inclination that it was a phishing attack, but with the information we have, it's hard to tell. I didn't see any rogue rules but a few other engineers here worked on this so it's possible they saw them and deleted them already, I'll have to speak with them. I have seen that before as well when this type of thing happens.
Thanks for the additional information though.