Showing results for 
Show  only  | Search instead for 
Did you mean: 
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Wielrd security incident.. of Office365 rules modification...

I need some valuable advise and recommendations on the below incident 
A malicious user was able successfully enter into one of the finance employee's email ID and was able to trace the messages. And he has then sent few emails to the customer asking them to change the bank details from the existing to his own account. However, he couldn't send an email from the organization domain as DKIM/SPF and DMARC enabled on that. Instead he sent an email from his own domain with display name as employee name. 
As a second level, he was able to change the rules on the Office365 OWA direct so that any email with certain subject should be deleted from the employee's inbox. 
When I checked somewhere, I heard about a malware which can work on the outlook and change the rules on the exchange as long as user is running outlook.
This way the malicious user cheated and redirected some funds into his accounts, and by the time the employee realized it was too late. 
One observation was that, the employee's machine did not have endpoint security and he was using Airtel & Jio hotspot while traveling when the initial attack must have happened.
Not sure if his entire PST is hacked? We have asked him to stop sending the emails now and communicated to the customers. 
Cleaned the system with Malwarebytes, Sophos Endpoint Central. Malwarebytes reported some registry entries only as threats. 
Enabled MFA on the office365, encryption on emails, audit on the mailbox as of now.
What else should I be checking to ensure that the entire org is also safe and tighten it so that it may not occur again.
4 Replies
Newcomer III

I don't even know where to start, but I'll give it a try:


I'm being a little sarcastic, but did you follow the incident response plan? If there is no incident response plan, I think now is the time to create one.


That being said, you're saying he asked to change the bank account number to his bank account number. You have this account number I guess right? That's valuable information.


You're also saying he managed to transfer some money to this account. I think you need to create a police report as well for theft.


"When I checked somewhere, I heard about a malware which can work on the outlook and change the rules on the exchange as long as user is running outlook."



I'm not sure what you mean by that, but malware can do anything a computer do, so I'm not surprised it changed anything.


About the malware ... What I see often is that admins are cleaning the malware and say "Pfew, that almost went wrong". Never delete anything in an incident response. If there was malware, you deleted all the evidence and you have no idea what the malware did. Like I said, if you have an incident like this I think it's better to call the incident response team and let them handle it. This way a chain of custody can be created. When deleting the malware, there's no way you can check all other machines as well. Sure, you could scan them, but in the registry there could be pointers to an executable which you could have blocked or scan all other machines to prevent the spread of the malware if there is any.


"Not sure if his entire PST is hacked?"


I am not sure how you can "hack" a PST file. A PST file is an offline "database" with email. If he managed to get malware on this machine, I'm pretty sure he can do anything he/she liked.


Ok, MFA should be enabled on ALL mailboxes. Not just this one. People should be trained properly with security awareness programs so the changes the get "hacked" is lower. Are you using O365 Score? Security and Compliance? There very helpful.


Don't rely on virus-scanners. Hash-based doesn't make sense these days and heuristics are getting much better, but doesn't guarantee any machine from being infected.

Advocate I


I concur with a significant amount of what Raymond said.

(1) Involve law enforcement as quickly as possible. Digital evidence is simultaneously the least perishable but some of the easiest to damage or destroy. They can also get evidence that you can’t.

(2) Involve an incident response team. If you do not have one, hiring one through a security vendor is an option.

(3) Involve ALL your external stakeholders. That includes your bank, your ISP, and apparently Microsoft. They can all provide information and assist in recreating the timeline of events and identify the method and source of any attacks. They may also be victims of an intrusion and not know it.

(4) Do a password audit. I know it seems silly, but a lot of people still use one of the top 1000 passwords (read “P@$$w0rd”) and think they are so clever no one will ever guess it. Then they reuse that password for everything, including typing it in the clear on an unsecured WAP as their hotspot login credentials.


Thank you for the insights Thalpius. Let me work on the steps mentioned.
Community Champion

Change the user's email address. Once you have a compromised account that was used to successfully steal financials, it will be targeted for the rest of that user's email life. If this attacker gets tired of trying they can possibly sell the info and then a new batch of attacker will try.