A few weeks ago I was confronted with a very specialised hack at a customer running Office 365 Exchange Online. Last week at Microsoft Inspire I spoke to some other IT companies that had experienced exactly the same hack. That prompted me to blog about this new type of hack.
What happened?
In all cases it starts with a phishing mail sent directly to the client, asking them to click on a link to verify their username/password. The link goes to a look-alike of the Microsoft 365 login portal. After that the hacker has the username and password of the victim.
Based on my own research they logged in from Turkey to Exchange Online web access. In Outlook Web Access they created a forwarding rule to a specific Gmail address. For a normal user this rule is hard to spot in Outlook.
The hacker then inserts himself into ongoing mail conversations and, based on published financial statements (or maybe LinkedIn), identifies the important persons in the company. In one case they tried to get the finance person to transfer 50k to their bank account; in the other case an Excel file with sensitive information was leaked to the Gmail address.
Luckily, in both cases one of the colleagues noticed the strange questions and called us to investigate what had happened.
How to mitigate in the short term
Of course Multi-Factor Authentication would have prevented this, but it is not always easy to roll out across the whole organisation in a short time.
We implemented some mitigations for this case on all our tenants.
1) Disable rule creation via OWA
2) Enable auditing
Very useful when you want to investigate who is accessing the mailbox, from where, and what that person is doing.
PowerShell:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete"}
You have to execute these commands every time a new mailbox is created; you can automate this with Azure Automation, see the blog post by Ronni Pedersen about this:
https://www.ronnipedersen.com/2017/07/29/automate-mailbox-auditing-office-365/
3) Block external forwarding
Create a transport rule that blocks auto-forwarding to external domains.
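The three mitigations above, plus a hunt through the audit log for the kind of forwarding rule described earlier, as an added PowerShell example that is not part of the original post. It assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) with rights to change OWA policies, create transport rules and read the unified audit log; the OWA policy name and transport rule name are assumptions for your tenant.

```powershell
# Added example, not from the original post. Assumes an Exchange Online
# PowerShell session with admin rights; policy and rule names are assumptions.

# 1) Stop users (and attackers holding their password) from creating inbox
#    rules in OWA. "OwaMailboxPolicy-Default" is the assumed policy name.
Set-OwaMailboxPolicy -Identity "OwaMailboxPolicy-Default" -RulesEnabled $false

# 3) Block auto-forwarded mail leaving the tenant. MessageTypeMatches AutoForward
#    only matches mail forwarded by a rule or client setting, so a user forwarding
#    a single message by hand is not affected.
$ruleName = "Block external auto-forward"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName -Mode Enforce `
        -FromScope InOrganization -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText "Automatic forwarding to external addresses is blocked."
}

# 2) Use the unified audit log enabled above to find forwarding rules created in
#    the last 30 days: who created them, from which IP, and where mail goes.
#    Targets are flagged when their domain is not one of the tenant's accepted domains.
$accepted = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000

$findings = foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json
    # Forwarding can be expressed through any of these inbox rule parameters.
    $targets = $data.Parameters |
        Where-Object { $_.Name -in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo' } |
        ForEach-Object { $_.Value -split ';' }
    foreach ($t in $targets) {
        # Values look like 'Name [SMTP:user@example.com]' or a bare address.
        $addr = if ($t -match '\[SMTP:([^\]]+)\]') { $Matches[1] } else { $t.Trim() }
        if ($addr -notlike '*@*') { continue }
        $domain = ($addr -split '@')[-1].ToLower()
        if ($domain -notin $accepted) {
            [pscustomobject]@{
                When      = $data.CreationTime
                Mailbox   = $data.UserId
                ClientIP  = $data.ClientIP
                Operation = $data.Operation
                Target    = $addr
            }
        }
    }
}
$findings | Sort-Object When | Format-Table -AutoSize
```

The audit log only contains rule changes made after auditing was switched on, so rules created before step 2 must still be checked per mailbox with Get-InboxRule.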