Compromised O365 mailbox – Common IOC’s

A good day phishing is better than a bad day doing anything else! (Or was that fishing…)

Business Email Compromise (BEC) attacks saw a 479% increase between Q4 2017 and Q4 2018 per Proofpoint. The dramatic increase in web-based implementations like Office 365 (O365) contributes to the corresponding increase in attacks. Yeah, yeah, we’re going to talk about phishing again, @TheTokenFemale? Really?

Yes. Because no matter how well trained your people are, no matter how diligent…everyone has a bad day. Your organization may not be the “phish in a barrel” type…but it just takes once. A family member in the hospital, a rush to clean things up before vacation, or any kind of significant distraction can make the most diligent person overlook…and click.

In addition, attackers aren’t generally totally inept. The blocking technology is good, but only goes so far. A diligent, motivated attacker will spend time creating a digital footprint of your environment before making an attempt to compromise any accounts.

It’s Monday morning – or Friday afternoon, these things seem to happen on Friday – and you suspect one of the user accounts in your organization has been compromised. But, you’re new to O365 – where do you start looking for a compromise? We’ll presume for our test case that MFA (multi-factor authentication) is not enabled – it’s been shown to be the most effective mitigating control.

The first step in investigating O365 incidents, particularly email, is looking for IOCs – indicators of compromise. This list contains a variety of IOCs in order of “in the wild” sightings by MSI, investigating actual incidents, down to other indicators that have been reported by other security professionals:

  • New forwarding rules – forwarding emails to either an external entity, or to another account in the organization (Check the alternate account for compromise!)
  • New rules that automatically delete sent items
  • New auto-responses – we’ve seen out of office indicators, generic “If I sent you a request please approve it”, etc.
  • Items deleted from the Sent folder
  • Items deleted from the Inbox, as they arrive or shortly after
  • Responses in the Sent folder that the user did not send – these may be requests, and will often have “sent from my iPhone” appended, although this is not a constant
  • Delegation to the mailbox has been added to another account in the organization, without the user’s consent (Check the alternate account for compromise!)
  • Signature changes that the user did not make
  • Unusual credential changes, such as multiple password changes within a short period of time
  • Unusual profile changes, such as alteration of the user’s phone number to an unknown number

This list is only a beginning. My cardinal rule is – if it doesn’t FEEL right, it’s worth investigating. Chasing a handful of false positives is preferable to missing one true incident.

Have you or your team investigated an O365 compromise? Do you have anything to add to this list?

Questions? Comments? I’d love to hear from you –, or @TheTokenFemale on Twitter!

If you would like to know more about MicroSolved or its services please send an e-mail to or visit





This entry was posted in General InfoSec by Lisa Wallace. Bookmark the permalink.

About Lisa Wallace

Lisa Wallace joined MSI in 2015 as a security focal and project manager, and became Technical Director in 2017. She is involved in internal and external penetration testing application assessments digital forensics threat intelligence incident response eDiscovery efforts She is responsible for scoping our efforts across all workstreams, as well as project and staff coordination and management. She has worked in a variety of fields, including utilities, financial services, telecommunications, and consulting in a number of ancillary industries.