I recently discovered that someone managed to breach our Office 365 tenant and set up a global administrator account. This unauthorized account then created rules that redirected emails to RSS feeds, resulting in a significant financial loss. Unfortunately, I can't find any logs since alerts were turned off by the hacker, and Microsoft only retains logs for 30 days—so we just missed the account creation on December 23. We only have two global administrators with MFA enabled for everyone, and legacy authentication is disabled. I'm really baffled as to how this could happen. Any insights?
5 Answers
Make sure to analyze the audit and sign-in logs for your global admin accounts. If you had any kind of Privileged Identity Management (PIM) setup, that could have helped mitigate this risk. Global admins really need to be on top of their security with things like Entra ID P2 accounts rather than standard 365 accounts.
Consider implementing Conditional Access (CA) policies. You can set up stricter requirements for admin portal access to really tighten up security. Using phishing-resistant MFA, like FIDO2 keys or Windows Hello, can help a lot. It sounds like your admin accounts might not be fully secured. Remember, standard MFA can still be phished easily. How have you been monitoring the security conditions?
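As an added example (not part of the answer above or any Microsoft sample), this is the Conditional Access policy that answer is describing, created through the Microsoft Graph PowerShell SDK: anyone holding a privileged directory role must satisfy the built-in "Phishing-resistant MFA" authentication strength (FIDO2 security keys, Windows Hello for Business, certificate-based auth). The role template IDs and the authentication-strength ID are the well-known Entra values, but verify them against your own tenant; the break-glass UPN is a placeholder you must replace, and the policy is created in report-only mode so you can review the sign-in log impact before enforcing it.

```powershell
# Added example, not code from the thread. Requires the Microsoft.Graph PowerShell SDK and
# consent for Policy.ReadWrite.ConditionalAccess (policy) and User.Read.All (break-glass lookup).
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'User.Read.All'

# Assumption: an emergency-access account that is deliberately excluded so a broken policy
# cannot lock every admin out. Replace with your own UPN.
$breakGlassUpn = 'breakglass@contoso.example'
$breakGlassId  = (Get-MgUser -UserId $breakGlassUpn).Id

# Well-known Entra role template IDs (same in every tenant); add others you consider privileged.
$privilegedRoles = @(
    '62e90394-69f5-4237-9190-012177145e10',   # Global Administrator
    '29232cdf-9323-42fd-ade2-1d097af3e4de',   # Exchange Administrator
    'e8611ab8-c189-46e8-94e1-60213ab1f814',   # Privileged Role Administrator
    '194ae4cb-b126-40b2-bd5b-6091b380977d'    # Security Administrator
)

$policy = @{
    displayName = 'Privileged roles: require phishing-resistant MFA'
    # Start in report-only; change to 'enabled' once the sign-in log shows no surprises.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeRoles = $privilegedRoles
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('All') }   # every app, not just the admin portals
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator = 'OR'
        # Built-in authentication strength "Phishing-resistant MFA". Ordinary push/OTP MFA
        # does not satisfy it, which is the point: a proxied login page cannot replay FIDO2.
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Pair this with a second policy that blocks the same roles from any device that is not compliant or not hybrid-joined, and keep the break-glass account on a FIDO2 key stored offline rather than excluded from MFA entirely.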
MFA isn't foolproof, sadly. It’s a common misstep to assume it's all you need. Seriously evaluate your security measures because even well-secured organizations can fall victim to breaches if they aren't watching closely. Sounds like your tenant might need some serious supervision!
You’ve got a point! I'll gather our team to discuss enhancing our security protocols.
It could also be a case of session token hijacking. If a compromised device was used by an admin, the attacker could access the tenant using that session until the token expired. Usually, these breaches stem from phishing attempts, which are incredibly common. Have you taken a close look at the sign-in logs for those accounts?
That's interesting! I'll check those logs to see if there are any suspicious activities.
It sounds like one of your global admins might have been phished. It could have happened if one clicked on a malicious link that directed them to a fake login page. If they entered their credentials, the hacker could have bypassed MFA by using the admin's own 2FA approval. Was the global admin account just a regular user account with elevated permissions? If so, that’s a security risk. Gotta get those accounts separated out!
You raise a valid point! I definitely need to reevaluate permissions and best practices for admin accounts.
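Both the first answer (go through the audit logs for the admin accounts) and the answer just above (a phished admin whose mailbox now carries hiding rules) come down to the same triage, so here it is as one added example in Exchange Online PowerShell; it is not code from anyone in this thread. It enumerates inbox rules in every mailbox that move mail to an RSS folder, delete it, or forward/redirect it, then pulls unified audit log records for rule changes, role grants and audit-config changes so you can see the actor and client IP behind each one. The 90-day window, the `RSS` folder-name match and the operation list are assumptions to adjust for your tenant.

```powershell
# Added example, not code from the thread. Requires the ExchangeOnlineManagement module and
# an account that can read all mailboxes and the unified audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# --- 1. Inbox rules that hide or divert mail. BEC actors create these so the victim never
#        sees replies to the fraudulent thread; "RSS Subscriptions" is the folder users never open.
$suspiciousRules = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object {
            ("$($_.MoveToFolder)" -match 'RSS') -or $_.DeleteMessage -or
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } },
                      Name, Enabled, MoveToFolder, DeleteMessage, ForwardTo, RedirectTo
}
$suspiciousRules | Format-Table -AutoSize

# --- 2. Unified audit log: who created/changed rules, added role members, or touched auditing.
#        Search as far back as your license retains; 90 days here is an assumption.
$operations = @(
    'New-InboxRule', 'Set-InboxRule',         # Exchange rule changes (actor + ClientIP)
    'Add member to role.',                    # Entra role assignment (the trailing period is part of the name)
    'Set-AdminAuditLogConfig',                # unified audit log ingestion switched off/on
    'Add-MailboxPermission', 'Set-Mailbox'    # delegation or forwarding set on the mailbox itself
)
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations $operations -ResultSize 5000 -SessionCommand ReturnLargeSet

$records | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        Operation = $_.Operations
        Actor     = $_.UserIds
        ClientIP  = $data.ClientIP            # present on Exchange records; blank on some Entra records
        Target    = $data.ObjectId
        Detail    = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Sort-Object When | Format-Table -AutoSize
```

If the search returns exactly 5000 rows, page through the rest with `-SessionId` and the same `-SessionCommand`. Once you have the actor's client IP and timestamp from the `New-InboxRule` or `Add member to role.` record, look for the same IP in the Entra sign-in logs for that admin: a successful interactive sign-in from an unfamiliar IP with the MFA claim already satisfied is the signature of a stolen session token rather than a stolen password.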

Great advice! I think it’s time to tighten our controls and monitor logs rigorously.