First Email Compromise Incident – What Did I Miss?

Asked By TechSavvy123 On

I recently experienced my first real email compromise at work and it's got me feeling a bit anxious. I'm the sole IT admin for a small to medium-sized business with around 250 mailboxes and 82 internal users. This week, a VP-level executive's M365 account was compromised, and the attacker sent out about 2000 malicious OneDrive and SharePoint links to both our internal staff and external customers. It was a rough day since many people trusted the messages coming from a familiar account.

Here's what I did to contain the situation: I reset the compromised account's password, revoked all active sessions, pulled down the malicious file, and searched for any suspicious inbox rules; thankfully, I didn't find any. I also investigated sign-in logs to trace back the breach and cleared out 164 malicious emails that were already sent to users.

Now, I have a few lingering questions about what I could've done differently and what my next steps should be.

1. What logs or checks should I have done during my investigation?
2. When should I notify external customers about the incident?
3. What good Conditional Access policies exist for M365?
4. Is Microsoft Defender for Business necessary for incident response at this size?
5. How can I be sure that no hidden access remains?

Any insights on what I might have missed or how to handle this going forward would be greatly appreciated!
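The following is an added example, not part of the original post, covering questions 1 and 5: a residual-access hunt that goes beyond the victim mailbox. It assumes the Exchange Online PowerShell v3 module and the Microsoft Graph PowerShell SDK are installed, that the admin has Exchange admin rights plus the Graph `Directory.Read.All` and `AuditLog.Read.All` scopes, and that `vp@contoso.com` and the 30-day window are placeholders.

```powershell
# Added example: tenant-wide residual-access hunt after a single-mailbox compromise.
# Assumptions: Exchange Online v3 + Microsoft Graph SDK, admin rights, placeholder UPN/dates.
$Victim = 'vp@contoso.com'          # assumption: the compromised account
$Since  = (Get-Date).AddDays(-30)   # assumption: lookback window

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Directory.Read.All','AuditLog.Read.All' -NoWelcome

# 1. Inbox rules in EVERY mailbox, not only the victim's. 2000 lures from a trusted
#    sender usually yield a second foothold; look for rules that delete, hide
#    (RSS/Archive/Conversation History) or forward/redirect mail.
$SuspiciousRules = foreach ($mb in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mb.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DeleteMessage -or $_.ForwardTo -or $_.ForwardAsAttachmentTo -or
            $_.RedirectTo -or $_.MoveToFolder -match 'RSS|Archive|Conversation History'
        } |
        Select-Object @{n='Mailbox';e={$mb.UserPrincipalName}}, Name, Enabled,
                      DeleteMessage, ForwardTo, RedirectTo, MoveToFolder
}
$SuspiciousRules | Format-Table -AutoSize

# 2. Mailbox-level forwarding is set outside Outlook rules, so step 1 will not show it.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Delegates (Full Access) and Send-As grants on the victim mailbox.
Get-MailboxPermission -Identity $Victim |
    Where-Object { $_.User -ne 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Victim |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, AccessRights

# 4. Transport rules changed recently: a tenant-wide silent BCC survives any user-level reset.
Get-TransportRule | Where-Object { $_.WhenChanged -ge $Since } |
    Select-Object Name, State, WhenChanged, BlindCopyTo, RedirectMessageTo

# 5. OAuth consent grants on the victim. A consented app holding Mail.Read or Mail.Send
#    keeps working after a password reset and session revocation.
$VictimId = (Get-MgUser -UserId $Victim).Id
Get-MgUserOauth2PermissionGrant -UserId $VictimId -All | ForEach-Object {
    [pscustomobject]@{
        App     = (Get-MgServicePrincipal -ServicePrincipalId $_.ClientId).DisplayName
        Scope   = $_.Scope
        Consent = $_.ConsentType
    }
} | Format-Table -AutoSize

# 6. What the account actually did: rule creation, sharing-link creation and permission
#    changes from the unified audit log (first page of up to 5000 records).
$Ops = 'New-InboxRule','Set-InboxRule','UpdateInboxRules','SharingSet',
       'AnonymousLinkCreated','SharingInvitationCreated','Add-MailboxPermission'
Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) -UserIds $Victim `
    -Operations $Ops -ResultSize 5000 -SessionCommand ReturnLargeSet |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ When = $_.CreationDate; Op = $_.Operations; IP = $d.ClientIP; Object = $d.ObjectId }
    } | Sort-Object When | Format-Table -AutoSize
```

Steps 1, 2 and 4 are the ones most often skipped after a "one account" compromise; a clean inbox-rule check on the victim alone says nothing about the recipients who clicked.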

4 Answers

Answered By Admin_Insights On

Great effort in dealing with the breach! Make sure you alert any users who received the malicious emails and ask them to report if they engaged with anything suspicious. Also, consider forcing a reset on all the account's MFA methods to ensure no bad actor retained access. Remember to keep a close eye on the sign-in reports for any logins from unusual locations and look into geofencing if applicable.

Answered By IT_Expert9 On

You did a solid job for your first incident! The key point is figuring out how the VP's account was compromised in the first place. Was it through phishing? If so, look into tightening your token lifetime and enforcing MFA more rigorously. To detect how the breach happened without just relying on user reports, explore the authentication logs, and see if any unusual activity stands out.
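As an added example that is not part of either answer above, the identity-side cleanup the first answer recommends (resetting the account's MFA methods) and the sign-in log triage the second answer recommends (finding how the account was taken) can be done together with the Microsoft Graph PowerShell SDK. It assumes an admin holding `UserAuthenticationMethod.ReadWrite.All`, `User.RevokeSessions.All`, `AuditLog.Read.All` and `Directory.Read.All`; the UPN and lookback window are placeholders.

```powershell
# Added example: identity-side cleanup and sign-in triage for the compromised account.
# Assumptions: Microsoft Graph PowerShell SDK, admin scopes listed below, placeholder UPN/window.
$Victim = 'vp@contoso.com'   # assumption: the compromised account
$Since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

Connect-MgGraph -NoWelcome -Scopes 'UserAuthenticationMethod.ReadWrite.All',
    'User.RevokeSessions.All','AuditLog.Read.All','Directory.Read.All'

# 1. Enumerate registered authentication methods. An attacker with a live session can
#    register a new Authenticator app or phone; a password reset does not remove it.
$Methods = Get-MgUserAuthenticationMethod -UserId $Victim
$Methods | ForEach-Object {
    [pscustomobject]@{
        Id      = $_.Id
        Type    = $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
        Display = $_.AdditionalProperties['displayName']
        Phone   = $_.AdditionalProperties['phoneNumber']
        Created = $_.AdditionalProperties['createdDateTime']
    }
} | Format-Table -AutoSize

# 2. Remove every second factor and let the user re-register under supervision
#    (for example with a Temporary Access Pass). The Remove-* cmdlet is per method type.
foreach ($m in $Methods) {
    switch ($m.AdditionalProperties['@odata.type']) {
        '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
            Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Victim -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
        '#microsoft.graph.phoneAuthenticationMethod' {
            Remove-MgUserAuthenticationPhoneMethod -UserId $Victim -PhoneAuthenticationMethodId $m.Id }
        '#microsoft.graph.emailAuthenticationMethod' {
            Remove-MgUserAuthenticationEmailMethod -UserId $Victim -EmailAuthenticationMethodId $m.Id }
        '#microsoft.graph.softwareOathAuthenticationMethod' {
            Remove-MgUserAuthenticationSoftwareOathMethod -UserId $Victim -SoftwareOathAuthenticationMethodId $m.Id }
        '#microsoft.graph.fido2AuthenticationMethod' {
            Remove-MgUserAuthenticationFido2Method -UserId $Victim -Fido2AuthenticationMethodId $m.Id }
        default { }   # the password method stays
    }
}

# 3. Revoke refresh tokens again AFTER the MFA cleanup so no cached token outlives it.
Revoke-MgUserSignInSession -UserId $Victim | Out-Null

# 4. Thirty days of sign-ins, grouped by source. One new IP/country, a browser client,
#    a non-compliant device and MFA reported as "satisfied by claim in the token" is the
#    shape of a replayed session cookie from an AiTM phishing proxy.
$SignIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Victim' and createdDateTime ge $Since"

$SignIns | Where-Object { $_.Status.ErrorCode -eq 0 } |
    Group-Object { "$($_.IPAddress) | $($_.Location.CountryOrRegion) | $($_.ClientAppUsed)" } |
    Sort-Object Count | ForEach-Object {
        $first = ($_.Group | Sort-Object CreatedDateTime)[0]
        [pscustomobject]@{
            Source    = $_.Name
            Count     = $_.Count
            FirstSeen = $first.CreatedDateTime
            App       = $first.AppDisplayName
            OS        = $first.DeviceDetail.OperatingSystem
            Compliant = $first.DeviceDetail.IsCompliant
            CAStatus  = $first.ConditionalAccessStatus
            MfaDetail = ($first.AuthenticationDetails | ForEach-Object AuthenticationStepResultDetail) -join '; '
        }
    } | Format-Table -AutoSize

# 5. Failures before the first success from a new IP separate a password spray
#    (many 50126 "invalid credentials") from a one-shot login with phished credentials.
$SignIns | Where-Object { $_.Status.ErrorCode -ne 0 } |
    Select-Object CreatedDateTime, IPAddress,
                  @{n='Error';e={$_.Status.ErrorCode}}, @{n='Reason';e={$_.Status.FailureReason}} |
    Sort-Object CreatedDateTime | Format-Table -AutoSize
```

Run step 4 before step 2 if you want the attacker-registered method to appear in the grouping; the first sign-in from the attacker's IP and the registration time of any unfamiliar method in step 1 should line up.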

Answered By User_SupportGuru On

Sounds like you handled a tough situation really well! For Conditional Access (CA), definitely set it to enforce MFA for risky sign-ins and consider using Defender for Cloud Apps to establish session policies. You'll want to block sign-ins from personal devices using CA too. Are the file hashes from the OneDrive links accessible? If yes, make sure to block those in your endpoint detection. It's crucial to get proactive about these things.
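The policies this answer describes (MFA, no personal devices) plus the token-lifetime point from the previous answer, written out as an added example with the Microsoft Graph PowerShell SDK rather than anything from the original thread. It assumes `Policy.ReadWrite.ConditionalAccess` and `Application.Read.All`, and a break-glass account whose object id is a placeholder. All three policies are created in report-only mode so their impact can be read from the sign-in log before enforcement.

```powershell
# Added example: three Conditional Access policies via Microsoft Graph PowerShell.
# Assumptions: Graph SDK, the scopes below, a placeholder emergency-access account id.
$BreakGlass = '00000000-0000-0000-0000-000000000000'   # assumption: break-glass account object id
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All' -NoWelcome

# 1. MFA for all users on all cloud apps, with a 12-hour sign-in frequency and no
#    persistent browser session, so a stolen token or cookie has a short shelf life.
#    With Entra ID P2 you can add  signInRiskLevels = @('medium','high')  to conditions
#    for a risk-based variant.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA001 - Require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser','mobileAppsAndDesktopClients')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 12; frequencyInterval = 'timeBased' }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}

# 2. Block legacy authentication protocols, which cannot complete MFA at all.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA002 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync','other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. Require an Intune-compliant or hybrid-joined device for Office 365 (Exchange,
#    SharePoint, OneDrive), i.e. no mail from personal devices.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA003 - Require managed device for Office 365'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlass) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('browser','mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice','domainJoinedDevice') }
}

# Review, then switch a policy to 'enabled' only once the report-only results look right.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, Id
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State 'enabled'
```

The break-glass exclusion matters: with 82 users and one admin, a policy that locks out the only admin account has no one left to fix it. Policy 3 will also block the external customers' mail flow for no one, since it only governs sign-ins by your own users.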

Answered By Network_SecurityDude On

Consider implementing a comprehensive email security tool that handles account compromise detection better. Tools like Check Point or AbnormalAI are notable ones that can provide insights and controls. Based on your description, it does seem like an AiTM phishing attack might be involved, so bolstering your defenses with these tools could help in the future.
