Jason Johanknecht asked:

Hacked Office 365 account

Hacked e-mail account help required.

Last night a client received an e-mail that starts out:
My nickname in darknet is konstantine23.
I hacked this mailbox more than six months ago, through it I infected your operating system with a virus (trojan) created by me and have been monitoring you for a long time.

They then list the actual password correctly to her account.  It is an Office 365 account.  She does access her account on her personal laptop, which I will have this afternoon in my possession.   I am currently scanning her work computer, and having everyone else check for the same e-mail in their SPAM folder (where she found hers).  We are in the process of changing the password on all of her online accounts (including e-mail) on another computer, not part of their network.  The business does have a UTM router in place, and logs will be looked at next.  TDSSKiller did not find any rootkits, but more scanning will be done.

Looking for information on this, if possible.
N8iveIT replied:

With regard to the account itself ...

Due to the nature of this, would it be possible to get an access log from Microsoft and at least nail down who has logged into this account over the last 6-12 months? If Microsoft would provide this, you may be able to do the same for other accounts to at least get an idea of where this came from then do more research based on that.

Otherwise, for scanning this and what to do ... I'm open to others on that ...
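Once the sign-in records are exported, the triage N8iveIT suggests is mostly grouping successful logins by source address and asking the user which ones she recognises. The block below is an added example for this thread, not code from the original posts or from Microsoft. It consumes the AuditData JSON that the Exchange Online cmdlet `Search-UnifiedAuditLog` returns for `UserLoggedIn` events (one JSON object per event) and lists the addresses outside the business's own egress range that achieved at least one successful login, with counts, first/last seen and user agents. The five records, the user `alice@example.com` and the trusted range `203.0.113.0/24` are constructed for illustration. One caveat on the "6-12 months": the unified audit log is only retained for a limited window by default (90 days was the standard retention), so older history is only available if retention was extended or the logs were exported earlier.

```python
"""Triage Office 365 UserLoggedIn audit events for one mailbox.

Added example for this thread; not code from the original posts or from
Microsoft. Input is the AuditData JSON returned by Search-UnifiedAuditLog,
one JSON object per line. All records below are constructed samples.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample of what this Exchange Online PowerShell pipeline prints:
#   Search-UnifiedAuditLog -StartDate 11/01/2018 -EndDate 11/30/2018 `
#       -UserIds alice@example.com -Operations UserLoggedIn |
#       Select-Object -ExpandProperty AuditData
# (user, addresses and user agents are made up for illustration)
SAMPLE_AUDITDATA = """
{"CreationTime":"2018-11-05T08:02:11","Operation":"UserLoggedIn","ResultStatus":"Succeeded","UserId":"alice@example.com","ClientIP":"203.0.113.10","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Outlook"}]}
{"CreationTime":"2018-11-06T08:10:45","Operation":"UserLoggedIn","ResultStatus":"Succeeded","UserId":"alice@example.com","ClientIP":"203.0.113.10","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Outlook"}]}
{"CreationTime":"2018-11-06T23:41:03","Operation":"UserLoggedIn","ResultStatus":"Failed","UserId":"alice@example.com","ClientIP":"198.51.100.77","ExtendedProperties":[{"Name":"UserAgent","Value":"BAV2ROPC"}]}
{"CreationTime":"2018-11-06T23:41:20","Operation":"UserLoggedIn","ResultStatus":"Succeeded","UserId":"alice@example.com","ClientIP":"198.51.100.77","ExtendedProperties":[{"Name":"UserAgent","Value":"BAV2ROPC"}]}
{"CreationTime":"2018-11-07T07:55:30","Operation":"UserLoggedIn","ResultStatus":"Succeeded","UserId":"alice@example.com","ClientIP":"192.0.2.5","ExtendedProperties":[{"Name":"UserAgent","Value":"Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) Safari"}]}
"""

# Assumption: the business's public egress range (the UTM router's WAN side).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_auditdata(text):
    """Parse newline-delimited AuditData JSON into flat per-event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        props = {p.get("Name"): p.get("Value") for p in rec.get("ExtendedProperties", [])}
        events.append({
            "time": rec.get("CreationTime", ""),
            "user": rec.get("UserId", ""),
            "operation": rec.get("Operation", ""),
            "status": rec.get("ResultStatus", ""),
            "ip": rec.get("ClientIP", ""),
            "user_agent": props.get("UserAgent", ""),
        })
    return events


def is_trusted(ip):
    """True if ip falls inside one of the known egress networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # empty or malformed ClientIP field
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def summarize_by_ip(events):
    """Per source IP: success/failure counts, first/last seen, user agents."""
    by_ip = defaultdict(lambda: {"succeeded": 0, "failed": 0,
                                 "first": None, "last": None, "user_agents": set()})
    for e in events:
        if e["operation"] != "UserLoggedIn":
            continue
        s = by_ip[e["ip"]]
        if e["status"] == "Succeeded":
            s["succeeded"] += 1
        else:
            s["failed"] += 1
        # CreationTime is ISO 8601, so string comparison orders correctly
        s["first"] = e["time"] if s["first"] is None else min(s["first"], e["time"])
        s["last"] = e["time"] if s["last"] is None else max(s["last"], e["time"])
        s["user_agents"].add(e["user_agent"])
    return dict(by_ip)


def suspicious_sources(by_ip):
    """Addresses outside the trusted ranges that got at least one successful login."""
    return sorted(ip for ip, s in by_ip.items() if s["succeeded"] and not is_trusted(ip))


if __name__ == "__main__":
    summary = summarize_by_ip(parse_auditdata(SAMPLE_AUDITDATA))
    for ip in suspicious_sources(summary):
        s = summary[ip]
        print(f"{ip}: {s['succeeded']} ok / {s['failed']} failed, "
              f"{s['first']} .. {s['last']}, agents={sorted(s['user_agents'])}")
```

In the constructed sample the iPhone login is probably the user's own phone, while the address that failed once and then succeeded seconds later with an opaque client string is the one to ask her about; that, with the first-seen timestamp, is the starting point for the UTM logs. The same export, filtered on inbox-rule and mailbox-configuration operations for that mailbox, is also where to look for forwarding rules an intruder may have planted.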
ASKER CERTIFIED SOLUTION
Jeremy Weisinger replied:

If it is a scam but they do (or may) have your password, I agree with what you are doing and recommend changing this password and any password on other accounts which use the *same password (or derivatives of the same password)* they now have.

For me, I use a password database and group / tag each account not only by logical groups (i.e. Switches, Routers, Personal, Email, etc.) but I also group / tag based on passwords and derivatives. For example, let's say I have a password of "password". I would group / tag any ID using this as "Password 1". Next, I decide to use "P@ssword" ... I would group / tag any ID using this as "Password 1a" (with an "a" since it is a derivative of the basic password pattern of "Password 1"). I do this for all of my IDs in the database because ... if an account gets hacked / exposed with a pattern of "Password 3d", then I change *all* accounts using derivatives of "Password 3". For me, it makes "breach management" much easier.

I have been moving to "Password Random" for most accounts, so I'm not exposed on any other accounts until the vendor's breach becomes public ... which can take some time before they learn about it and everyone knows. Just some thoughts to speed up the process should it happen again in the future ...
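As an added example (not the poster's own tooling), here is the tagging scheme described above reduced to code. Accounts are indexed by a password "family": case-folded, trailing digits and symbols stripped, common leet substitutions undone, so `password`, `P@ssword`, `Password1!` and `p4$$w0rd` all land in one family, and an exposure of any one of them returns the full list of accounts to rotate. The account list, the passwords and the substitution table are constructed for illustration; the normalisation is a heuristic, not a standard.

```python
"""Breach management by password family.

Added example, not the poster's tool. Groups accounts whose passwords are
derivatives of one base pattern so that when any one of them is exposed
the whole group is rotated. ACCOUNTS is constructed sample data.
"""
import re
from collections import defaultdict

# Heuristic leet undo table (assumption: the substitutions people commonly use)
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Constructed sample password database export: account -> password
ACCOUNTS = {
    "o365:alice@example.com": "P@ssword1",
    "bank": "Password1!",
    "router:admin": "p4$$w0rd",
    "personal-gmail": "Summer2018",
    "switch:core": "xK9#mQ2vL!",      # random; should be a family of one
}


def password_family(pw):
    """Reduce a password to its base pattern ("Password 1" in the post's terms).

    Order matters: strip the trailing digits/symbols before undoing leet,
    otherwise the "1" in "Password1" would turn into an "i".
    """
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # drop suffixes like "1!", "2018"
    if not base:                           # all-digit/symbol password: keep as-is
        return pw.lower()
    return base.translate(LEET)


def build_index(accounts):
    """family -> set of account names using a derivative of that family."""
    index = defaultdict(set)
    for name, pw in accounts.items():
        index[password_family(pw)].add(name)
    return index


def accounts_to_rotate(accounts, exposed_password):
    """Every account sharing the family of the exposed password."""
    family = password_family(exposed_password)
    return sorted(build_index(accounts)[family])


if __name__ == "__main__":
    # The leaked password from the extortion mail, constructed for the example
    for name in accounts_to_rotate(ACCOUNTS, "P@ssword"):
        print("rotate:", name)
```

Run it against an export of the password database when a breach notice or an extortion mail arrives; with unique random passwords per account, as the post recommends, every family collapses to a single account and the list to rotate is just the one that leaked.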
Jason Johanknecht (asker) replied:

It turns out it was a breach earlier this month with Kotter Group.  Changed passwords and wait to see if they e-mail again.
Jeremy Weisinger replied:

Sounds good. Glad to help. :)