Compromised account, need advice


Hi,

I received an email that was sent to me by a stranger (using an unknown domain) but bearing the signature of my colleague. It is like an email being forwarded (or probably simulated through copy-paste from the original mail) to me, imitating my colleague. And the email has an attachment infected with a Trojan.

The concern is that the content of the email (sent by the stranger) was an exact email exchange from a week ago between a group of colleagues, including myself.
I started investigating but did not see any "Risky sign-in" or "Risky users" reported under the Azure Active Directory admin console. But one thing for sure is that the person has got hold of the email exchange.

A few things cross my mind:
1) Assuming one of the colleagues' accounts has been compromised, this should show under "Risky sign-in" if the person is signing in from another location. But no alert was generated.

2) Assuming the account is not compromised, is there a possibility that the outgoing/incoming mails are being "mirrored"/"monitored"? Is there any way to investigate this scenario?

Any advice?

Thanks.

1 Reply

@cllee


It's possible that the account was compromised earlier. It looks like the email is automatically forwarded, so you should start checking the rules on the mailboxes. 

Also, it's recommended that all people involved should change their password (and enroll for MFA if not done yet).
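As an added example (not part of the thread and not code from either participant), the following Exchange Online PowerShell script performs the check the reply suggests: it enumerates the ways a mailbox's mail can be silently copied to a third party (mailbox-level forwarding, inbox rules that forward/redirect/delete, FullAccess delegates, tenant-wide transport rules) and pulls the audit log entries that show who created or changed rules recently. It assumes the ExchangeOnlineManagement module is installed, the operator holds an Exchange admin role, and unified audit logging is enabled; the addresses in `$SuspectUsers` are constructed placeholders.

```powershell
# Added example: hunt for mail "mirroring" in Exchange Online (defender's view).
# Assumes ExchangeOnlineManagement module + Exchange admin role. Not the thread's own code.
Connect-ExchangeOnline

# Constructed placeholders: put the mailboxes of everyone on the leaked thread here.
$SuspectUsers = @('user1@contoso.example', 'user2@contoso.example')
$findings = @()

foreach ($upn in $SuspectUsers) {
    $mbx = Get-Mailbox -Identity $upn

    # 1) Mailbox-level forwarding (set by an admin, or by the user/attacker in OWA settings).
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $upn; Type = 'MailboxForwarding'
            Target  = "$($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)".Trim()
            Detail  = "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
        }
    }

    # 2) Inbox rules that forward, redirect, or delete mail (the classic persistence after a
    #    credential phish: the victim never sees the copies leaving, or the replies coming in).
    Get-InboxRule -Mailbox $upn | ForEach-Object {
        if ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage) {
            $findings += [pscustomobject]@{
                Mailbox = $upn; Type = 'InboxRule'
                Target  = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ';'
                Detail  = "Name='$($_.Name)' Enabled=$($_.Enabled) DeleteMessage=$($_.DeleteMessage)"
            }
        }
    }

    # 3) Non-owner delegates with FullAccess: no sign-in as the victim is needed to read the mailbox,
    #    which would explain an empty "Risky sign-ins" view.
    Get-MailboxPermission -Identity $upn |
        Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                       $_.User -notlike 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Mailbox = $upn; Type = 'FullAccessDelegate'; Target = "$($_.User)"; Detail = "Deny=$($_.Deny)"
            }
        }
}

# 4) Tenant-wide transport rules that BCC, redirect, or add recipients (admin-level copying).
Get-TransportRule |
    Where-Object { $_.BlindCopyTo -or $_.RedirectMessageTo -or $_.AddToRecipients } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Mailbox = '<tenant>'; Type = 'TransportRule'
            Target  = (@($_.BlindCopyTo) + @($_.RedirectMessageTo) + @($_.AddToRecipients)) -join ';'
            Detail  = "Name='$($_.Name)' State=$($_.State)"
        }
    }

# 5) Who created or changed rules in the last 30 days? AuditData (JSON) carries the client IP
#    and user agent, which is what you compare against the sign-in logs.
$audit = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 5000

$findings | Format-Table -AutoSize
$audit | Select-Object CreationDate, UserIds, Operations, AuditData | Format-List
```

Run it before the password resets, not after: the rule and delegate entries are the evidence of how the thread leaked, and an attacker who kept a forwarding rule keeps receiving mail even after the credentials change. A rule created by an account from an IP that never appears in that user's sign-in history is the usual confirmation that the mailbox, not the mail transport, was the source.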