In a previous post, we talked about compromised Office 365 (O365) mailboxes and how to identify IOCs (indicators of compromise). Despite your best efforts, phishing is still the single most efficient way into most, if not all, organizations.
So now let’s talk about Office 365 compromise recovery. You’ve verified that you have significant IOCs, and you’ve concluded that the user’s account is most likely in the hands of an attacker. What’s next? Here are the steps to take to recover from a successful phishing attack, in order of priority:
- Block the account from signing in. Do this first, before anything else, so the attacker cannot react while you work.
- Reset the user’s password. Note that a password reset alone does not end sessions the attacker already holds: refresh tokens and open Outlook/OWA sessions survive it, so revoke the user’s sessions and tokens as well, and only re-enable sign-in once the cleanup below is done.
- Provide the new password to the user out of band. Do not send it to them via email! (Yes, seriously. We’ve seen this. At this point, the attacker still has access to the mailbox.) SMS is one way to deliver an out-of-band password, but I prefer a voice call.
- Check the O365 audit logs for access to the user’s account: sign-in events and mailbox activity. These logs usually give you the originating IP(s), the client or user agent, and the timeline of what the attacker changed.
- Check the mailbox audit log for which items were accessed. Unless mailbox auditing was already enabled before the compromise, this item-level detail will not exist. Treat everything that was in the user’s mailbox as exfiltrated; if the logs do let you correlate specific messages or folders with the attacker’s sessions, that narrows the regulatory and notification scope.
- Leverage the information gleaned from the logs to check for other attacker access in the environment. Follow the response checklist provided here.
- Check the user’s mailbox for any rules that have been added (forward, redirect, delete, move to an obscure folder, mark as read, etc.) and remove them. Also check mailbox-level forwarding, which is set on the mailbox itself rather than as an inbox rule and is easy to miss. Every address mail was forwarded to should be investigated, considered compromised, and blocked if it is external.
- Check the user’s account for any auto-responses, and remove them.
- Check the delegation assignments on the user’s mailbox: Full Access, Send As, Send on Behalf, and folder-level permissions. Any delegation added during the compromise should be removed, and the accounts that received those rights should also be investigated (or blocked, if they are external).
- Check the user’s signature and directory profile (display name, phone numbers, alternate contact addresses) for unauthorized changes. Attackers edit these to make their phishing of the user’s contacts look legitimate and to keep a recovery path into the account.
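The checklist above, carried through in the PowerShell modules of the time (Exchange Online, MSOnline, AzureAD). This is an added walk-through, not code from the original post; it assumes those modules are installed, that the operator holds Exchange and user administrator roles, and the UPN, look-back window and trustee address are placeholders. Review each listing before running the removals that follow it.

```powershell
# Added example: Office 365 mailbox compromise recovery, step by step.
# Assumes the Exchange Online (Connect-ExchangeOnline), MSOnline and AzureAD
# modules; $Upn and the trustee address below are placeholders.
$Upn      = 'jane.doe@contoso.com'      # compromised user (placeholder)
$Lookback = (Get-Date).AddDays(-30)     # how far back to pull audit data
$Now      = Get-Date

Connect-ExchangeOnline
Connect-MsolService
Connect-AzureAD

# 1. Block sign-in first, then reset the password and kill existing sessions.
#    A reset alone does not invalidate refresh tokens the attacker already
#    holds, so revoke them explicitly.
Set-MsolUser -UserPrincipalName $Upn -BlockCredential $true
$NewPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
Set-MsolUserPassword -UserPrincipalName $Upn -NewPassword $NewPassword -ForceChangePassword $true
Revoke-AzureADUserAllRefreshToken -ObjectId $Upn
# Hand $NewPassword to the user by voice call, never by email.

# 2. Unified audit log: sign-ins, rule changes, mailbox and permission changes
#    for this user, summarised by source IP and operation.
$Records = Search-UnifiedAuditLog -StartDate $Lookback -EndDate $Now -UserIds $Upn -ResultSize 5000
$Events  = $Records | ForEach-Object { $_.AuditData | ConvertFrom-Json }
$Events | Group-Object ClientIP, Operation | Select-Object Count, Name |
    Sort-Object Count -Descending | Format-Table -AutoSize
# Item-level detail (which messages were read or moved) is in the mailbox audit
# log and only exists if mailbox auditing was on before the compromise.
Search-MailboxAuditLog -Identity $Upn -LogonTypes Owner, Delegate, Admin -ShowDetails -StartDate $Lookback -EndDate $Now |
    Select-Object LastAccessed, Operation, LogonType, ClientIPAddress, ClientInfoString, ItemSubject |
    Export-Csv ".\$Upn-mailbox-audit.csv" -NoTypeInformation

# 3. Inbox rules: list every rule, then remove those that forward, redirect,
#    delete or hide mail.
Get-InboxRule -Mailbox $Upn | Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder, MarkAsRead
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or $_.MoveToFolder } |
    ForEach-Object { Remove-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false }
# Mailbox-level forwarding lives on the mailbox object, not in the rules.
Get-Mailbox -Identity $Upn | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
# Tenant-wide: stop auto-forwarding to external domains altogether.
Set-RemoteDomain Default -AutoForwardEnabled $false

# 4. Auto-replies: record the current text for the report, then turn them off.
Get-MailboxAutoReplyConfiguration -Identity $Upn | Select-Object AutoReplyState, InternalMessage, ExternalMessage
Set-MailboxAutoReplyConfiguration -Identity $Upn -AutoReplyState Disabled

# 5. Delegation: Full Access, Send As and Send on Behalf. List grants other
#    than the user's own, match the grant times against step 2, then remove
#    the rogue ones (example removal lines use a placeholder trustee).
Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, AccessRights
(Get-Mailbox -Identity $Upn).GrantSendOnBehalfTo
# Remove-MailboxPermission   -Identity $Upn -User    'attacker@contoso.com' -AccessRights FullAccess -Confirm:$false
# Remove-RecipientPermission -Identity $Upn -Trustee 'attacker@contoso.com' -AccessRights SendAs     -Confirm:$false

# 6. Signature and directory profile: compare against what the user expects.
Get-MailboxMessageConfiguration -Identity $Upn | Select-Object AutoAddSignature, SignatureText
Get-MsolUser -UserPrincipalName $Upn | Select-Object DisplayName, Title, PhoneNumber, MobilePhone, AlternateEmailAddresses

# Re-enable sign-in only after the cleanup is complete and the new password
# has been delivered out of band.
# Set-MsolUser -UserPrincipalName $Upn -BlockCredential $false
```

The order matters: the sign-in block and token revocation come before the log review so the attacker cannot add new rules or delegates while you are reading the old ones. The MSOnline and AzureAD modules have since been retired in favour of Microsoft Graph; the Exchange Online cmdlets for rules, forwarding, auto-replies and permissions are unchanged.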
Escalating the incident should follow your organization’s procedures. Notify the help desk or service desk as soon as possible so they can track any unusual account lockouts or other issues. Follow your incident response plan for the rest: informing management, meeting regulatory obligations based on the information that may have been exfiltrated, and so on.
O365 phishing can be like, well…phish in a barrel. (Yes, that was awful. Yes, I still wrote it!) And an Office 365 compromise will have organizational effects ranging from minor to significant, particularly once regulators get involved.
This is the time to push for multi-factor authentication (MFA) for your environment, if it is not in use. An organization’s cultural tolerance for MFA can mean a refusal to implement it…and often, an incident is the catalyst for change. When you do roll it out, block legacy authentication protocols at the same time; they do not prompt for a second factor, and a stolen password alone still works against them.