I recently faced my first significant incident of email compromise at work and I'm seeking advice on what I might have missed and what to do next. As the sole IT Admin at a small to medium-sized business with around 250 mailboxes, I had to handle the situation largely on my own. This week, a VP's M365 account was compromised, leading to the attacker sending out malicious OneDrive and SharePoint links to our internal employees and external clients, which resulted in around 2000 emails being sent out. After resetting the VP's password, revoking all sessions, and cleaning up the malicious files, I'm now in the investigation and remediation phase, but I'm unsure if I've covered all bases.
Here's what I need help with:
1. Are there any investigation logs or checks I might have overlooked?
2. How should I approach notifying customers about this situation?
3. What Conditional Access (CA) policies do you recommend for my context?
4. What level of Defender plan should I consider for effective incident response?
5. How can I confirm that there's no lingering threat, such as hidden OAuth tokens or mail rules?
Any other guidance on how I can improve my security measures and readiness for any future incidents would also be appreciated!
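Added example for question 5 (this is editor-added code, not part of the original post or any answer): a persistence sweep over the compromised mailbox and account that covers the things a password reset and session revocation do not remove. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that you are Exchange Administrator and hold the Graph scopes named in the script, and that the UPN and look-back window are placeholders you replace. Note that Get-MgUserOauth2PermissionGrant only returns grants the user consented to personally; an app an admin consented to tenant-wide would need Get-MgOauth2PermissionGrant across the tenant.

```powershell
# Editor-added example: sweep one compromised M365 account for attacker persistence.
# Assumes ExchangeOnlineManagement + Microsoft.Graph are installed; UPN/Days are placeholders.
param(
    [string]$Upn  = 'vp@contoso.example',   # placeholder, replace with the compromised account
    [int]   $Days = 14                       # how far back to pull audit events
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Directory.Read.All','AuditLog.Read.All' -NoWelcome

# 1. Inbox rules, including hidden ones created over MAPI/EWS that Outlook's UI does not list.
#    BEC actors commonly move or delete replies containing words like "hacked" or "phishing".
Get-InboxRule -Mailbox $Upn -IncludeHidden |
    Select-Object Name, Enabled, Priority, Description, MoveToFolder, DeleteMessage,
                  ForwardTo, RedirectTo, ForwardAsAttachmentTo, SubjectOrBodyContainsWords |
    Format-List

# 2. Mailbox-level forwarding and send-on-behalf, which survive a password reset.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward, GrantSendOnBehalfTo

# 3. Delegated access added to the mailbox: Full Access and Send As.
Get-MailboxPermission -Identity $Upn |
    Where-Object { $_.User -notlike 'NT AUTHORITY\*' -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    Select-Object Trustee, AccessRights

# 4. OAuth consent grants made by this user. Revoking sessions does not touch these:
#    a consented app keeps working until the grant itself is removed.
$user = Get-MgUser -UserId $Upn
Get-MgUserOauth2PermissionGrant -UserId $user.Id | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{
        App       = $sp.DisplayName
        AppId     = $sp.AppId
        Publisher = $sp.PublisherName
        Scope     = $_.Scope
        GrantId   = $_.Id   # feed to Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId to revoke
    }
} | Format-Table -AutoSize

# 5. Audit trail: when rules were created or apps consented, and from where (ClientIP is in AuditData).
$ops = 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Add-MailboxPermission','Consent to application.'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
    -UserIds $Upn -Operations $ops -ResultSize 5000 |
    Select-Object CreationDate, Operations, UserIds, @{n='Detail'; e={ $_.AuditData }} |
    Sort-Object CreationDate
```

Run it against the VP's mailbox first, then against any mailbox the attacker's emails were sent to internally, since recipients who clicked may have consented to the same malicious app or had rules planted.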
5 Answers
Consider investing in an email security tool. Something like Check Point could provide advanced capabilities to detect compromised accounts. It’s also good for getting insights into what’s going on within your environment. It can be a lifesaver if another incident occurs.
I've heard solid things about AbnormalAI too; definitely look into more advanced protections.
One key step is to ensure that everyone affected knows to contact you if they clicked on anything suspicious. Also, I prefer to force users to re-register their MFA methods to eliminate any chances of misuse. Have you officially geofenced access? That's something that helps with blocking unauthorized attempts from unusual locations.
Yes! Geofencing worked wonders at my last company and you should give it a serious thought.
Absolutely, but remember, it won’t stop the attempts completely; it just makes successful logins less likely.
Honestly, you handled this quite well for being solo. I’d suggest looking back to see how the VP’s account was initially compromised. Was it a phishing link? Increasing MFA frequency and reducing token lifetime could help prevent similar breaches. What licenses do you have for Microsoft 365? That can influence what security features you have access to.
Thanks! Is there a way to find out how the account was compromised without just asking the user? I'm really trying to pin down the exact method.
We have Microsoft Business Premium licenses, so I’ll check what security features that enables for me.
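Added example for the question of how the account was compromised (editor-added, not code from anyone in the thread): reconstruct the access timeline from the Entra sign-in log and the unified audit log instead of relying on the user's memory. It assumes Microsoft.Graph and ExchangeOnlineManagement are installed, that the tenant has Entra ID P1 (included in Business Premium, and required to read sign-in logs through Graph), and that the caller holds AuditLog.Read.All; the UPN and window are placeholders. The risk columns will read "hidden" without Entra ID P2.

```powershell
# Editor-added example: find the initial access from sign-in and mailbox audit data.
# Assumes Entra ID P1 and AuditLog.Read.All; UPN/Days are placeholders.
param(
    [string]$Upn  = 'vp@contoso.example',
    [int]   $Days = 30
)

Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

# 1. Every interactive sign-in for the user in the window, successes and failures.
$signIns = Get-MgAuditLogSignIn -All `
    -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since"

# 2. Baseline: which IPs/countries are normal for this user? Rare ones are your suspects.
$signIns | Group-Object IPAddress | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{n='Country'; e={ ($_.Group | Select-Object -First 1).Location.CountryOrRegion }},
        @{n='City';    e={ ($_.Group | Select-Object -First 1).Location.City }} |
    Format-Table -AutoSize

# 3. Successful sign-ins with the fields that distinguish a phished password from a
#    replayed session token: a success that did not perform MFA from a new IP and an
#    unfamiliar browser/user agent is the classic adversary-in-the-middle (AiTM) signature.
$signIns | Where-Object { $_.Status.ErrorCode -eq 0 } |
    Select-Object CreatedDateTime, IPAddress,
        @{n='Country'; e={ $_.Location.CountryOrRegion }},
        ClientAppUsed, AppDisplayName,
        AuthenticationRequirement,      # 'multiFactorAuthentication' vs 'singleFactorAuthentication'
        RiskLevelDuringSignIn, RiskState, # 'hidden' unless the tenant has Entra ID P2
        UserAgent |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# 4. Correlate with the mailbox audit trail. The first mailbox activity after the suspect
#    sign-in (same ClientIP / SessionId) is your initial-access timestamp; the first Send
#    marks when the 2000 emails started going out.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
    -UserIds $Upn `
    -Operations 'UserLoggedIn','MailItemsAccessed','Send','SendAs','New-InboxRule','UpdateInboxRules' `
    -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $_.CreationDate
            Operation = $_.Operations
            ClientIP  = $d.ClientIP
            Client    = $d.ClientInfoString
            Session   = $d.SessionId
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

If the suspect sign-in shows multiFactorAuthentication satisfied from an IP the user never used, the password alone was not the problem: the session was proxied or the token stolen, which is why resetting the password without revoking sessions would not have ended the access.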
For Conditional Access, definitely look into requiring MFA for risky sign-ins. You can also block access from anything outside your organization's static IP address, which adds another layer of security. Have you checked for file hashes of the malicious links? If you get those, you can create Indicators of Compromise (IoCs) in your security systems to block them in the future.
Make sure to investigate what the OneDrive file was doing—it might have linked to a phishing site. It's tough to detect, but understanding the attack vector can help prevent future incidents. Maybe consider blocking external file sharing emails altogether.
I completely agree! Blocking risky sign-ins proactively could really help avoid situations like yours.
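Added example for the Conditional Access suggestions in this answer and the earlier geofencing and token-lifetime advice (editor-added, not code from the thread): the three policies, created with the Microsoft Graph PowerShell SDK in report-only mode so the sign-in log shows what each would have blocked before anything is enforced. It assumes Entra ID P1 (Business Premium) and the Policy.ReadWrite.ConditionalAccess scope; the CIDR, break-glass account and policy names are placeholders. Sign-in-risk conditions are deliberately left out because they require Entra ID P2, which Business Premium does not include.

```powershell
# Editor-added example: MFA for all, block outside the office egress IP, shorter sessions.
# All policies start in report-only mode. CIDR and break-glass UPN are placeholders.
param(
    [string]$OfficeCidr    = '203.0.113.0/24',             # placeholder: your static egress range
    [string]$BreakGlassUpn = 'breakglass@contoso.example'  # placeholder: emergency access account
)

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','User.Read.All' -NoWelcome

# Every CA policy must exclude an emergency account, or a misconfiguration locks out every admin.
$breakGlass = Get-MgUser -UserId $BreakGlassUpn

# Named location for the office. Marking it trusted also tells Identity Protection it is familiar.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Corporate egress'
    isTrusted     = $true
    ipRanges      = @(@{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = $OfficeCidr })
}

# Policy 1: MFA for every user on every cloud app.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA01 Require MFA for all users'
    state       = 'enabledForReportingButNotEnforced'   # set to 'enabled' after reviewing report-only results
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block sign-ins from anywhere except the office range. This also blocks remote
# and mobile users, so read the report-only results before enforcing it.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA02 Block access outside corporate egress'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Policy 3: re-authenticate every 12 hours and never persist browser sessions, so a stolen
# token or cookie has a short useful life.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'CA03 Sign-in frequency 12h, no persistent browser'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
    }
    sessionControls = @{
        signInFrequency   = @{ isEnabled = $true; type = 'hours'; value = 12 }
        persistentBrowser = @{ isEnabled = $true; mode = 'never' }
    }
}
```

Report-only outcomes appear per sign-in under AppliedConditionalAccessPolicies in the Entra sign-in log (results such as reportOnlyFailure), which is how you find out who CA02 would have locked out before you switch its state to enabled. If remote staff exist, replace the static-IP block with a compliant-device or hybrid-joined requirement rather than an IP allow list.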
Your response process looks solid, but make sure your C-level management is on the same page regarding security improvements, like enforcing MFA across the board and considering a security incident response plan. It's crucial to have a strategy to address these breaches and help assure clients. Also, have you checked Microsoft's suggested conditional access policies? They’re a good starting point.
Thanks for the advice! I’ll check those policies out right away.
Getting that confirmation from your higher-ups about security measures is vital! Great call!

Seconding Check Point! It's been a great help for my team.