First Email Compromise as a Solo IT Admin – What Should I Know?

Asked By TechieTurtle42 On

I recently experienced my first serious email compromise incident as the only IT Admin at my small to medium-sized business, which has around 250 mailboxes and 82 internal users impacted. A VP-level executive's M365 account was hacked, allowing the attacker to send out malicious OneDrive and SharePoint links to both our internal staff and external customers, amounting to about 2000 emails sent. Here's a quick summary of the steps I took:

**Containment:** First, I secured the VP's account by resetting the password and revoking all sessions to kick the attacker out. I deleted the harmful OneDrive file and checked for any suspicious rules in the inbox, amongst other things.

**Investigation:** I pulled sign-in logs to find where the breach originated, identifying some odd logins from out-of-state locations. I also checked for any unauthorized app permissions or new device registrations but didn't find anything unusual.

**Remediation:** I ran a tenant-wide email search and purged 164 malicious emails from internal users' inboxes using PowerShell.

Now I'm looking for advice on several points:
1. What logs or artifacts should I have reviewed that I might be missing?
2. How should I handle notifying customers about the email compromise?
3. What are the best practices for Conditional Access policies in a Microsoft 365 environment?
4. What Defender plan would be adequate for incident response?
5. How can I ensure all traces of the attack are removed?

I'm pretty anxious about this since our external partners are unsettled. Any additional advice or insight into the situation would be greatly appreciated!

4 Answers

Answered By SysAdminSorcery On

It sounds like you handled the situation pretty well for a first-time incident. For your investigation, definitely look deeper into the user's historical access logs and any OAuth consents that may have been granted. Also, check any security questions or backup email addresses the attacker might have tampered with. Setting up Conditional Access to enforce MFA on risky logins could have prevented this from escalating. Also, consider blocking access from non-corporate devices and monitoring for suspicious sign-ins from outside your usual geographical area.

Answered By CloudGuardian88 On

Hey, you're doing great for being a solo act! Regarding the attack vector, have you thought about how the account got compromised? Phishing attacks often involve fake logins or credential theft. Implement strict Conditional Access policies, especially around admin accounts. If it's within your budget, consider investing in Microsoft Defender along with EDR solutions to beef up your security. You could also increase the frequency of MFA requests, especially after any suspicious logins.

Answered By NetworkNinja55 On

I think you got a lot right, but check again for hidden mail rules that the attacker could have set, especially in the compromised mailbox. You want to ensure there aren't any backdoors left open. As for customer notifications, the best policy is transparency. If sensitive information was potentially shared, it's better to err on the side of caution and inform them. In the future, aim for using MFA that requires physical tokens, as they can provide more security.
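The hidden-rule check above, and the original poster's "checked for any suspicious rules in the inbox" step, can be done tenant-wide rather than one mailbox at a time. The following Exchange Online PowerShell sweep is an added example, not code from anyone in this thread; it assumes the ExchangeOnlineManagement module is installed and the operator holds a role that can read inbox rules for every mailbox, and the folder list and name pattern it flags on are my own heuristics.

```powershell
# Added example (not from the original thread): tenant-wide sweep for suspicious
# inbox rules, including hidden ones, using Exchange Online PowerShell.
Connect-ExchangeOnline

# Folders attackers commonly move mail into so the victim never notices it (assumed list).
$suspectFolders = @('RSS Feeds', 'RSS Subscriptions', 'Conversation History', 'Archive', 'Junk Email', 'Deleted Items')

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # -IncludeHidden also returns rules created through MAPI/Outlook that OWA does not display.
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $reasons = @()
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) { $reasons += 'forwards or redirects mail' }
        if ($rule.DeleteMessage) { $reasons += 'deletes mail' }
        if ($rule.MoveToFolder -and ($suspectFolders | Where-Object { $rule.MoveToFolder -like "*$_*" })) {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }
        if ($rule.MarkAsRead) { $reasons += 'marks mail as read' }
        # Rules named with one to three punctuation characters (e.g. "." or "..") are a common attacker habit.
        if ($rule.Name -match '^\W{1,3}$') { $reasons += "near-empty name '$($rule.Name)'" }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                Reasons  = $reasons -join '; '
                Identity = $rule.Identity
            }
        }
    }
}

if ($findings) {
    # Keep the CSV as evidence; it records which mailboxes and rules were touched.
    $findings | Export-Csv -Path .\inbox-rule-findings.csv -NoTypeInformation
    $findings | Format-Table -AutoSize
    # After review, disable (rather than delete) confirmed malicious rules so the artifact survives:
    # Disable-InboxRule -Identity '<Identity from the CSV>' -Confirm:$false
} else {
    Write-Host 'No suspicious inbox rules found.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it from an account that was not involved in the incident, and rerun it after the password reset and session revocation to confirm nothing was re-created.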

Answered By DigitalDefender99 On

Good job so far! It’s tough getting all the details of a compromise, especially without a team to back you up. One tool that could really help is a comprehensive email security solution like Check Point or AbnormalAI. These can enhance your threat detection capabilities and help manage future incidents better. For the customer notification part, consult with upper management to decide how to inform your clients without raising unnecessary alarm. You might also explore implementing geo-fencing based on your office's IP.
