In today’s digital age, cyber security incidents are becoming increasingly common and sophisticated. Recently, our team encountered a significant cyber incident involving unauthorized access to a customer’s Microsoft 365 services. This blog post will delve into the details of the incident, the steps taken to mitigate it, and best practices to prevent such occurrences in the future.
A customer to whom we supply occasional, ad-hoc IT support contacted us yesterday with some odd email behaviour: they were simply not receiving any emails. In an attempt to self-solve, they had deleted the email account from their computer, tried to re-add it, and were getting a password error. All of this was reasonably innocuous, so when we answered the call we jumped in and had a look. While chatting as we looked at her issue, the customer mentioned in passing that she had had a weird thing happen a couple of weeks ago with an email a supplier had sent her, but ‘that was ages ago so this can’t be related’. 🚨🚨🚨 Trigger the alarm bells. 🚨🚨🚨
Turns out, this lovely lady, who manages accounts for this business, had had a business email compromise (BEC) some 2 weeks ago and was oblivious to the fact.
Business Email Compromise – What is it?
We have all heard about phishing 🎣, where scammers trick you into giving away your credentials; a BEC is what happens when they actually get them. The malicious people get into your accounts and use the information they gather there to try to make a financial gain. In the case of this accounts person, she had a very long list of email addresses of people the 20+ year old business had worked with over the years, she had access to their accounting system, and she was the very person who sent all the invoices to their customers for the hard work done for them on a regular basis. The rest, you can put together.
The Incident: A Case Study
Below is a breakdown of what happened. It's a bit dry, so if this is too long to read, please scroll down a bit for the advice.
On March 30, 2025, an ad-hoc customer experienced unauthorized access to their Microsoft 365 services, which lasted until April 15, 2025. They contacted us due to some lockout issues on their account, totally unaware that they had in fact been breached. The threat actor gained access to several critical services, including email and OneDrive/SharePoint, potentially exposing sensitive data.
Scope of Compromise
- Duration: March 30, 2025 – April 15, 2025
- Services Accessed:
  - Email: All emails and contacts
  - OneDrive/SharePoint: All data
  - Teams: No access detected
  - Other M365 Services: None detected, but limited logging capabilities mean this can’t be ruled out (this customer only had Microsoft 365 Business Standard, which limited our investigative capability)

Data Potentially Exposed
- Category 1: All user communications (emails)
- Category 2: All data in OneDrive (multiple formats)
- Category 3: All email attachments (multiple formats)
Evidence of Data Exfiltration
While there was no hard evidence of data exfiltration, it was highly likely given the nature of the access. Unfortunately, the Business Standard license did not allow access to the OneDrive/SharePoint logs that would have confirmed this.
Actions Taken
Upon discovering the breach, several immediate actions were taken to contain and mitigate the impact:
- Password Reset, MFA, and Session Revocation: All user passwords were reset, multi-factor authentication (MFA) was enforced, and all active sessions were revoked.
- Removal of Suspicious Mail Rules: Any mail rules that were added by the threat actor were removed.
- Unblocking User Accounts: User accounts that were blocked from sending messages were unblocked.
- Removal of Malicious Files: Any malicious files identified were removed.
Investigation Methods
To understand the extent of the breach and gather evidence, the following methods were employed:
- Microsoft 365 Unified Audit Log Analysis: Comprehensive analysis of audit logs to track user activities.
- Entra ID Sign-In Log Examination: Reviewing sign-in logs to identify unauthorized access.
- Email Content Review: Examining email content for any signs of compromise.
- OneDrive Content Review: Checking OneDrive for any unauthorized changes or access.
- Programmatic Shell Access via PowerShell: Using PowerShell scripts to automate and streamline the investigation process.
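As an added example (not code from the original post or from the customer's environment), here is Python that applies the checks behind the "Removal of Suspicious Mail Rules" and "Microsoft 365 Unified Audit Log Analysis" steps above to exported audit records: it flags New-InboxRule/Set-InboxRule events whose rule hides, diverts or targets finance-related mail, and lists sign-ins from outside a set of known IP addresses. The sample records, the KNOWN_IPS set and the folder/keyword lists are constructed assumptions for the example.

```python
import json
# Constructed sample of Unified Audit Log records (one AuditData JSON document per line),
# made up for this example; they are not records from the incident described in the post.
SAMPLE_AUDIT_LOG = """
{"CreationTime": "2025-03-30T08:12:41", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory", "UserId": "accounts@example.invalid", "ClientIP": "203.0.113.77"}
{"CreationTime": "2025-03-30T08:15:03", "Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "accounts@example.invalid", "ClientIP": "203.0.113.77", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank"}, {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"CreationTime": "2025-03-31T09:00:10", "Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "accounts@example.invalid", "ClientIP": "198.51.100.5", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "FromAddressContainsWords", "Value": "news"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
"""
KNOWN_IPS = {"198.51.100.5"}  # assumed: addresses the business normally signs in from
DIVERT_ACTIONS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk email"}
FINANCE_WORDS = ("invoice", "payment", "bank", "remittance", "wire")

def parse_audit_log(text):
    """Parse one AuditData JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def rule_reasons(params, client_ip, known_ips):
    """Why an inbox-rule event looks like attacker persistence; an empty list means benign."""
    reasons = []
    if len(params.get("Name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    if DIVERT_ACTIONS.intersection(params):
        reasons.append("rule forwards, redirects or deletes mail")
    if params.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append("rule hides mail in a folder users rarely open")
    words = (params.get("SubjectContainsWords", "") + params.get("BodyContainsWords", "")).lower()
    if any(w in words for w in FINANCE_WORDS):
        reasons.append("rule targets finance-related mail")
    if client_ip not in known_ips:
        reasons.append("created from unfamiliar IP %s" % client_ip)
    return reasons

def find_suspicious_inbox_rules(records, known_ips=KNOWN_IPS):
    """(time, user, rule name, reasons) for every New-/Set-InboxRule event worth reviewing."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        reasons = rule_reasons(params, rec.get("ClientIP"), known_ips)
        if reasons:
            findings.append((rec["CreationTime"], rec["UserId"], params.get("Name", ""), reasons))
    return findings

def unfamiliar_logins(records, known_ips=KNOWN_IPS):
    """UserLoggedIn events from outside the known IP set, to correlate with rule creation times."""
    return [(r["CreationTime"], r["UserId"], r["ClientIP"]) for r in records
            if r.get("Operation") == "UserLoggedIn" and r.get("ClientIP") not in known_ips]
```

Run it over a real export of the audit log (one AuditData JSON object per line) and compare the timestamps of flagged rules against the unfamiliar sign-ins; a rule created minutes after a sign-in from a new address is the pattern to look for first.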
Preventing Future Incidents
While responding to incidents is crucial, preventing them is even more important. Here are some best practices to enhance your organization’s cyber security posture:
1. Implement Strong Authentication Mechanisms
- Multi-Factor Authentication (MFA): Enforce MFA for all users to add an extra layer of security. This may need an upgrade in the version of Microsoft 365 you are using.
- Password Policies: Implement strong password policies, including regular updates and complexity requirements.
2. Regular Security Audits and Monitoring
- Audit Logs: Regularly review audit logs for any suspicious activities.
- Continuous Monitoring: Implement continuous monitoring tools to detect and respond to threats in real-time.
3. Employee Training and Awareness
- Phishing Awareness: Conduct regular training sessions to educate employees about phishing attacks and how to recognize them.
- Security Best Practices: Promote best practices for handling sensitive information and using company resources.
4. Data Encryption and Backup
- Encryption: Ensure that all sensitive data is encrypted both in transit and at rest.
- Regular Backups: Perform regular backups of critical data and ensure they are stored securely.
5. Incident Response Plan
- Develop a Plan: Create a comprehensive incident response plan that outlines the steps to take in the event of a breach.
- Regular Drills: Conduct regular drills to ensure that all team members are familiar with the response procedures.
Conclusion
Cyber security incidents can have severe consequences for any organization. By understanding the nature of these incidents and implementing robust preventive measures, you can significantly reduce the risk of unauthorized access and data breaches. Stay vigilant, stay informed, and prioritize cyber security to protect your organization’s valuable assets.