What if your users’ mailbox got compromised and it was used to send few hundred emails out to internal staff and external addresses with an attachment and you don’t have ATP (E5) licenses or any other 3rd party solution to avert the damage being further happening?
– Your password has been expired, please click here to reset the password
– You have received a parcel – please click here to check details
– This person has shared a file with you
Sound familiar? These are just few of those crafty looking emails out there that is trying to steal user credentials.
EOP is always good when it comes to identify dodgy links and attachments, but no filter is 100% perfect. So, it’s better to know the manual ways of purging items.
The PDF includes a link so the user clicks on it, it opens up a fake Office 365 Login page. Most of the time it can be from a temporary domain or from a compromised SharePoint site. I’ve seen the SharePoint sites are the new trend and Office 365 trust SharePoint so the attackers don’t have to worry about the authenticity of their URLs.
These sorts of attacks have a domino effect and there is a high chance of a non-tech savvy person fall into it and enter the company email address and the password.
This article is not about how you can stop it being from happening, but its on how to stop the said domino effect. Search and Destroy as I like to call it.
Office 365 Limits
Microsoft has implemented some hard policies on emails (which is in their EXO Service Description)
Recipients in one email: 500
Emails can be sent in one minute: 30
However, a Distribution list address counts as one recipient, which doesn’t fully support the above limits.
Imagine the mailbox has been compromised and now as the Office 365 Admin, you are responsible of taking care of stopping the domino effect.
I came up with some steps with my own experience. Hope this will help you.
My steps involves
1 – Reset the user’s Office 365 Login password
2 – Use Azure AD to see the Risk Login events
3 – Do a Mail Flow Trace to identify the recipient mailboxes
4 – Search and Destroy protocol
5 – Some housekeeping – Important
Use of Search-Mailbox cmdlet will be deprecated as per Microsoft. My attempt is to go though the new commands from the Compliance Center.
Reset the user’s Office 365 Login password
As the 1st step you need to reset the AD password of the user if this a hybrid setup or reset the password from the Office 365 portal, so the attacker’s access to the mailbox will be disconnected.
Use Azure AD to see the Risk Login events
Open Azure Portal > Azure AD > Risk Events
Look for the IP address similarities
You can see all the IP addresses if your tenant identifies a login as a risk login based on the IP address reputation and the location.
Chances are you might probably see the same IP address or the location being listed with other user logins.
Reset those user passwords as well to minimize the damage. This is a security measure.
Do a Mail Flow Trace (optional)
Use the EXO portal and use the compromised mailbox’s email address as the sender and as soon as you hit enter, chances are you’ll see the same email has been distributed to few hundred users.
* You can only advise the external recipients not to click on the email as a courtesy. However obviously you are not able to check their end.
3.1 Get the Message ID
Go to Security and Compliance Center on https://protection.office.com
Go to Mail Flow > Message Trace > Start a Trace
Get the Message ID (s) of that email
Connect to EXO Powershell (https://bit.ly/2Is8XAp) and the run the below command and export the users list to an CSV file. This is because Mail Flow command is not available in the Compliance Center Powershell commands list.
get-messagetrace -messageid <message-id> | select recipientaddress | export-csv D:\filepath/mailboxeslist.csv
Search and Destroy protocol
We can use the above exported CSV file to search the email from those mailboxes if it’s for hundreds of mailboxes or if its for smaller number, running that commands will be time consuming
Full list of searchable items can be found here. https://bit.ly/2OIaylr
My example will be on the subject AND attachment name so it can be narrowed down.
Permissions to be assigned before this process
Account that run the below commands should be in
eDiscovery Manager role group and Compliance Search role group.
To purge messages – Be a member of Organization Management role group or Search and Purge management role
Connect to Office 365 Compliance Center PowerShell https://bit.ly/2HEhEYI
If you have MFA setup for Powershell connect-IPPSSession
My commands are only for the location: Exchange. You can use OneDrive for Business, SharePoint as other locations as well.
For a single user (I have used the subject and the attachmentnames properties to narrow down my search)
New-ComplianceSearch -name testsearch3 -ExchangeLocation username -ContentMatchQuery ‘subject:”Test Com search 1” AND attachmentnames:attachment1.txt‘
And run Start-ComplianceSearch testsearch3
Get the detailed status of the Compliance Search
get-ComplianceSearch testsearch3 |fl
To identify an item from all exchange mailboxes (locations)
New-ComplianceSearch -name testsearch3 -ExchangeLocation all -ContentMatchQuery ‘subject:”Test Com search 1” AND attachmentnames:attachment1.txt‘
And run Start-ComplianceSearch testsearch3
You will be able to see it in the Compliance Center > Search > Content Search
To delete an item from more than one user, but not from all the users
Use the Compliance Center portal https://protection.office.com
Search > Content Search > New Search > Guided Search > Provide the name (eg: testsearch3) > Specify the location (select Specified Location) > You can enter the mailbox names (teams, groups and etc.) > Add Keywords and add conditions and run the report. You will see the results if there are any.
Click on that and it will open the stats for that search. Click on View Results to see the results.
These will be helpful for you to investigate any issues. You can also download the Original Item as well.
Purge the item(s)
A word of caution! Search and purge is a powerful feature that allows anyone that is assigned the necessary permissions to delete email messages from mailboxes in your organization.
New-ComplianceSearchAction -SearchName testsearch3 -Purge -PurgeType softdelete
You can also run Get-ComplianceSearchAction testsearch3 to see the status of that.
Soft Delete will delete the email item from the mail folder and from the Deleted Items Folder
HardDelete will remove from “Recoverable Items” folder as well.
Check for user’s mailbox rules
Every time when there was a Mailbox compromise, the attacker would set a mailbox rule to ignore/ delete all the Out of office messages or any delivery failures, so the mailbox owner would not see any anomalies in the mailbox.
Manage the mailbox via EXO Console > Organize Email > Inbox Rules to see the rules setup. There is a chance of you might see something like this.
Delete the rule immediately and advise the user to check their Deleted Items folder to see if there any any important emails have deleted.
Chances are the the sender address has been blocked by Office 365 now because it sent SPAM. Use the below command to check and Unblock account
Unblock the user account so they can resume sending emails
See if this mailbox has been blocked from sending emails
To remove the blocked address
Remove-BlockedSenderAddress -SenderAddress <email_address>
Also consider activating MFA for the user accounts as a 2nd layer of Identity protection. This might give bit of a noise at first, however this can prevent a lot of ID theft and mailbox compromises
It looks bit long but you can be sure that phishing email item is now not in your environment anymore.