12 Steps to Secure Your Organization’s Office 365 Accounts Effectively
Recently, our incident response team at HAWKEYE received a frantic call from one of our clients saying that their O365 email accounts seemed to have been hacked. One of their investors had received an email from an attacker asking them to transfer a large sum of money to the client, with bank account details included.
The email was sent as a follow-up to a genuine email from our client, so the investor had no reason to suspect it. Luckily, the investor already had the client's real bank account details, and the money was transferred to the correct account belonging to the client. On reviewing the bank account details given in the email, the investor felt something was wrong and notified our client.
The primary question was how the attacker had obtained a copy of the original email. There were several possibilities to consider.
It could have been:
- An insider attack, where one of the recipients of the original email intentionally forwarded it to the attacker
- One of the recipients' O365 accounts was compromised and the attacker was able to log in to O365 webmail to read the emails
- One of the recipients' laptops or mobile phones was compromised, with an email client configured on it that receives all emails
- The partner's (investor's) email account was compromised, giving the attacker visibility of all the emails they received
- And so on.
After a detailed investigation of every email account involved in the thread, running through almost 200,000 O365 log entries, we concluded that one of the recipients had an auto-forward rule configured to the attacker's email address without the user's knowledge. Further digging revealed that the user had received a phishing email a few months earlier, posing as one from the company's HR department. He opened the attachment, which presented him with a disguised O365 login page, and entered both his credentials and his OTP. Because the one-time code was captured along with the password, the attacker was able to log in to the user's webmail account and configure the auto-forward rule. How smart....
While most organizations move their email to the O365 cloud for ease of management, this raises the question: how can we protect O365 email accounts? Here are 12 steps that should be implemented to protect the O365 email space.
- User awareness training
- Protect your admin accounts
- Set a strong password policy
- Multi-Factor Authentication (MFA)
- Disable auto-forwarding rules
- Encrypt your Office messages
- O365 Anti-Malware protection
- Protect against ransomware using mail flow rules
- Protect against phishing with O365 Advanced Threat Protection
- O365 Safe Attachments
- Effective protection at endpoints and email clients
- Monitor O365 logs with a SIEM solution
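The forwarding rule in the case above was found by going through the O365 audit logs by hand. The following script is an added example, not part of the original post or any HAWKEYE tooling, of what the "disable auto-forwarding rules" and "monitor O365 logs" steps look like as detection logic. It assumes Exchange Online admin audit records in the shape exported by Search-UnifiedAuditLog (an AuditData JSON object with an Operation and a Parameters list of Name/Value pairs), and flags any inbox rule or mailbox setting that forwards mail to a domain outside the organisation. The tenant domain, the user names and the log records are constructed for the example.

```python
"""Hunt Office 365 unified audit log records for mailbox auto-forwarding.

Added example (not from the original post). It scans Exchange Online admin
audit records, in the shape exported by Search-UnifiedAuditLog (AuditData
JSON with an Operation and a Parameters list of Name/Value pairs), and flags
any rule or mailbox setting that forwards mail outside the organisation.
The log records below are constructed; domains and addresses are hypothetical.
"""
from __future__ import annotations

import json
import re
from typing import Iterable

INTERNAL_DOMAINS = {"client.example"}  # assumption: the tenant's own domains

# Cmdlets that can turn on forwarding, and the parameters that carry the target.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMETERS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",    # inbox rules
    "ForwardingSmtpAddress", "ForwardingAddress",           # mailbox-level forwarding
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample of exported AuditData records (not real tenant data).
SAMPLE_AUDIT_DATA = [
    json.dumps({
        "CreationTime": "2020-02-03T07:14:22", "Operation": "New-InboxRule",
        "UserId": "finance.user@client.example", "ClientIP": "198.51.100.23",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "ForwardTo", "Value": "\"mailer\"[SMTP:drop@attacker-mail.example]"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    }),
    json.dumps({
        "CreationTime": "2020-02-03T09:01:05", "Operation": "New-InboxRule",
        "UserId": "ops.user@client.example", "ClientIP": "203.0.113.9",
        "Parameters": [
            {"Name": "Name", "Value": "Move tickets"},
            {"Name": "SubjectContainsWords", "Value": "Ticket"},
            {"Name": "MoveToFolder", "Value": "Tickets"},
        ],
    }),
    json.dumps({
        "CreationTime": "2020-02-04T11:30:41", "Operation": "Set-Mailbox",
        "UserId": "admin@client.example", "ClientIP": "203.0.113.9",
        "Parameters": [
            {"Name": "Identity", "Value": "shared.inbox"},
            {"Name": "ForwardingSmtpAddress", "Value": "smtp:helpdesk@client.example"},
        ],
    }),
    json.dumps({
        "CreationTime": "2020-02-05T16:45:10", "Operation": "Set-Mailbox",
        "UserId": "ceo@client.example", "ClientIP": "198.51.100.23",
        "Parameters": [
            {"Name": "Identity", "Value": "ceo"},
            {"Name": "ForwardingSmtpAddress", "Value": "smtp:ceo.backup@freemail.example"},
        ],
    }),
]


def external_targets(value: str) -> list[str]:
    """Return the e-mail addresses in a parameter value that are not on an internal domain."""
    return [addr for addr in EMAIL_RE.findall(value)
            if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]


def find_external_forwarding(audit_data_lines: Iterable[str]) -> list[dict]:
    """Return one finding per audit record that forwards mail to an external address."""
    findings = []
    for line in audit_data_lines:
        record = json.loads(line)
        if record.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
        targets = [addr for name in sorted(FORWARDING_PARAMETERS.intersection(params))
                   for addr in external_targets(params[name])]
        if not targets:
            continue  # internal forwarding or a rule that does not forward at all
        findings.append({
            "time": record["CreationTime"], "user": record["UserId"],
            "client_ip": record.get("ClientIP"), "operation": record["Operation"],
            "targets": targets,
            # A rule that also deletes the message is built to stay unnoticed by the user.
            "deletes_message": params.get("DeleteMessage", "").lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_AUDIT_DATA):
        flag = " (deletes original)" if f["deletes_message"] else ""
        print(f"{f['time']} {f['user']} {f['operation']} -> {', '.join(f['targets'])}{flag}")
```

On the constructed sample this reports the finance user's rule forwarding to attacker-mail.example (with the message deleted afterwards) and the mailbox-level forward to freemail.example, while the ticket-moving rule and the forward to an internal helpdesk address are left alone. The same record shape comes out of a SIEM that ingests the Office 365 Management Activity API, so the check can run continuously rather than only during an investigation; the ClientIP field is worth correlating with the sign-in logs, since a rule created from an address the user has never logged in from is the strongest signal.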