A good day phishing is better than a bad day doing anything else! (Or was that fishing…)
Business Email Compromise (BEC) attacks saw a 479% increase between Q4 2017 and Q4 2018 per Proofpoint. The rapid move to cloud-hosted mail such as Office 365 (O365) is part of the story: a mailbox that can be reached from anywhere with nothing more than a username and password is an attractive target. Yeah, yeah, we’re going to talk about phishing again, @TheTokenFemale? Really?
Yes. Because no matter how well trained your people are, no matter how diligent…everyone has a bad day. Your organization may not be the “phish in a barrel” type…but it just takes once. A family member in the hospital, a rush to clean things up before vacation, or any kind of significant distraction can make the most diligent person overlook…and click.
In addition, attackers generally aren’t inept. Mail filtering and blocking technology is good, but it only goes so far. A diligent, motivated attacker will spend time building a picture of your environment (who works there, how addresses are formed, which mail platform you use) before attempting to compromise any accounts.
It’s Monday morning – or Friday afternoon, these things seem to happen on Friday – and you suspect one of the user accounts in your organization has been compromised. But, you’re new to O365 – where do you start looking for a compromise? We’ll presume for our test case that MFA (multi-factor authentication) is not enabled – it’s been shown to be the most effective mitigating control.
The first step in investigating O365 incidents, particularly email, is looking for IOCs, indicators of compromise. The list below is ordered by how often MSI has seen each indicator “in the wild” while investigating actual incidents, followed by indicators reported by other security professionals:
- New forwarding rules – forwarding email to an external address, or to another account in the organization (check the alternate account for compromise!). Look at both the mailbox-level forwarding setting and the user’s inbox rules; an attacker can set either, and they are checked in different places.
- New rules that automatically delete sent items
- New auto-responses – we’ve seen out of office indicators, generic “If I sent you a request please approve it”, etc.
- Items deleted from the Sent folder
- Items deleted from the Inbox, as they arrive or shortly after (a rule that moves incoming mail to an obscure folder such as RSS Feeds serves the same purpose and is easier to miss)
- Responses in the Sent folder that the user did not send – these are often requests (approve this, pay that) and frequently have “sent from my iPhone” appended, although that is not always the case
- Delegation to the mailbox has been added to another account in the organization, without the user’s consent (Check the alternate account for compromise!)
- Signature changes that the user did not make
- Unusual credential changes, such as multiple password changes within a short period of time
- Unusual profile changes, such as alteration of the user’s phone number to an unknown number
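Most of the indicators above can be pulled from Exchange Online PowerShell in a couple of minutes, so here is an added triage script (mine, not part of the original post) that checks a single mailbox for them and then asks the unified audit log who made the changes and from which IP. It assumes the ExchangeOnlineManagement module, an account with Exchange admin plus audit-log read rights, a $User parameter holding the suspect account’s UPN, and that the Azure AD operation names for password changes are as they appear in my tenant; verify those in yours.

```powershell
# Added example, not from the original post. Quick O365 mailbox triage for the IOCs
# listed above. Assumes the ExchangeOnlineManagement module and an account with
# Exchange admin plus audit-log read rights. $User is the suspect's UPN.
param(
    [Parameter(Mandatory = $true)] [string] $User,
    [int] $LookbackDays = 30
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline          # interactive sign-in

# Tenant domains, so a forward to anywhere else stands out as external
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString() }

function Test-ExternalAddress {
    param([string] $Address)   # e.g. '"Name" [SMTP:someone@example.net]' or a bare address
    if ($Address -match '@([A-Za-z0-9.-]+)') { return ($internalDomains -notcontains $Matches[1]) }
    return $false
}

Write-Host "== Mailbox-level forwarding =="
Get-Mailbox -Identity $User |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward | Format-List

Write-Host "== Inbox rules that forward, redirect, delete or hide mail =="
Get-InboxRule -Mailbox $User | ForEach-Object {
    $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
    $flags = @()
    if ($targets | Where-Object { Test-ExternalAddress ([string] $_) }) { $flags += 'EXTERNAL-FORWARD' }
    elseif ($targets) { $flags += 'INTERNAL-FORWARD' }          # check the target account too
    if ($_.DeleteMessage) { $flags += 'DELETES' }
    if ($_.MoveToFolder -match 'RSS|Junk|Archive|Conversation History') { $flags += 'HIDES' }
    if ($flags.Count -gt 0) {
        [pscustomobject]@{ Rule = $_.Name; Enabled = $_.Enabled
                           Flags = ($flags -join ','); Targets = ($targets -join '; ') }
    }
} | Format-Table -AutoSize -Wrap

Write-Host "== Auto-reply and OWA signature =="
Get-MailboxAutoReplyConfiguration -Identity $User |
    Select-Object AutoReplyState, StartTime, EndTime, InternalMessage, ExternalMessage | Format-List
Get-MailboxMessageConfiguration -Identity $User | Select-Object AutoAddSignature, SignatureText | Format-List

Write-Host "== Delegates: full access, send-as, send-on-behalf =="
Get-MailboxPermission -Identity $User |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights | Format-Table -AutoSize
Get-RecipientPermission -Identity $User |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, AccessRights | Format-Table -AutoSize
(Get-Mailbox -Identity $User).GrantSendOnBehalfTo

Write-Host "== Deleted mail still in Recoverable Items =="
Get-MailboxFolderStatistics -Identity $User -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize | Format-Table -AutoSize

Write-Host "== Who changed what, and from where (unified audit log, last $LookbackDays days) =="
# Exchange operations are logged under the mailbox owner, which is the account the
# attacker is using. Azure AD operation names are as seen in my tenant; verify in yours.
$ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox',
       'Add-MailboxPermission', 'Add-RecipientPermission', 'Set-MailboxAutoReplyConfiguration',
       'Change user password.', 'Reset user password.', 'Update user.'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) `
    -UserIds $User -Operations $ops -ResultSize 5000 |
  ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time   = $_.CreationDate
        Op     = $_.Operations
        IP     = $d.ClientIP
        Params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
  } | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Save it and run it with the suspect’s UPN as -User. Anything flagged EXTERNAL-FORWARD or DELETES, any delegate the user did not add, and any audit entry with a ClientIP the user cannot account for should have the mailbox treated as compromised until proven otherwise. If a forward or a delegate points at another internal account, run the same script against that account; that is the “check the alternate account” step in the list above.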
This list is only a beginning. My cardinal rule is – if it doesn’t FEEL right, it’s worth investigating. Chasing a handful of false positives is preferable to missing one true incident.
Have you or your team investigated an O365 compromise? Do you have anything to add to this list?