I don't even know where to start, but I'll give it a try:

 

I'm being a little sarcastic, but did you follow the incident response plan? If there is no incident response plan, I think now is the time to create one.

 

That being said, you're saying he asked to change the bank account number to his bank account number. You have this account number I guess right? That's valuable information.

 

You're also saying he managed to transfer some money to this account. I think you need to create a police report as well for theft.

 

"When I checked somewhere, I heard about a malware which can work on the outlook and change the rules on the exchange as long as user is running outlook."

 

 

I'm not sure what you mean by that, but malware can do anything a computer do, so I'm not surprised it changed anything.

 

About the malware ... What I see often is that admins are cleaning the malware and say "Pfew, that almost went wrong". Never delete anything in an incident response. If there was malware, you deleted all the evidence and you have no idea what the malware did. Like I said, if you have an incident like this I think it's better to call the incident response team and let them handle it. This way a chain of custody can be created. When deleting the malware, there's no way you can check all other machines as well. Sure, you could scan them, but in the registry there could be pointers to an executable which you could have blocked or scan all other machines to prevent the spread of the malware if there is any.

 

"Not sure if his entire PST is hacked?"

 

I am not sure how you can "hack" a PST file. A PST file is an offline "database" with email. If he managed to get malware on this machine, I'm pretty sure he can do anything he/she liked.

 

Ok, MFA should be enabled on ALL mailboxes. Not just this one. People should be trained properly with security awareness programs so the changes the get "hacked" is lower. Are you using O365 Score? Security and Compliance? There very helpful.

 

Don't rely on virus-scanners. Hash-based doesn't make sense these days and heuristics are getting much better, but doesn't guarantee any machine from being infected.

Santhosh,

I concur with a significant amount of what Raymond said.

(1) Involve law enforcement as quickly as possible. Digital evidence is simultaneously the least perishable but some of the easiest to damage or destroy. They can also get evidence that you can’t.

(2) Involve an incident response team. If you do not have one, hiring one through a security vendor is an option.

(3) Involve ALL your external stakeholders. That includes your bank, your ISP, and apparently Microsoft. They can all provide information and assist in recreating the timeline of events and identify the method and source of any attacks. They may also be victims of an intrusion and not know it.

(4) Do a password audit. I know it seems silly, but a lot of people still use one of the top 1000 passwords (read “P@$$w0rd”) and think they are so clever no one will ever guess it. Then they reuse that password for everything, including typing it in the clear on an unsecured WAP as their hotspot login credentials.