Pau Lo
 asked on

phishing attacks and exploits

If someone manages to compromise your user credentials/account via a phishing email (an Office 365 email account in this case), what is their typical objective(s) in doing so, and how would they typically follow that through to the next stage? I would have assumed that if their target were to steal emails they would not just casually start forwarding them on to an external address? Trying to determine what they may or may not do if they do get a victim's credentials would be interesting. There must be something in it for them, but determining what that is and how they execute 'phase 2' once access is achieved would be most useful.
Tags: Vulnerabilities, Email Servers, Microsoft 365, Security

Last Comment
btan

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Alex

Pau Lo

ASKER
>I'd yank the entire address book
Would Exchange/Office 365 capture yanking of the address book, though? Or could it be done discreetly with access?
SOLUTION
masnrock

Pau Lo

ASKER
'Then at least one of the following' - I assume this would all be automated, not a manual process by whoever got the compromised credentials, and typically sophisticated enough to leave little trace of what they did do.
masnrock

Azure logs would have at least some information to assist. But count on them covering their tracks.
Pau Lo

ASKER
>Azure logs would have at least some information to assist

Would they just be connections, though, rather than specific actions?

>But count on them covering their tracks.

What kind of techniques would they use to cover their tracks if they'd only compromised a standard user account?
SOLUTION
Brian B

SOLUTION
btan

Pau Lo

ASKER
>What kind of techniques? Normally, things so you couldn't discover what they sent, such as removing sent and deleted items

>During this reconnaissance phase of an attack, cybercriminals will even set up new mailbox rules to hide or delete those emails they have sent from the compromised account.

Thank you for your input, but would they really be able to wipe/hide entries from central message trace logs if all they compromised was a standard user account? I assume an admin could, but not a standard user. The downloading of the mailbox makes some sense though, to avoid detection, whereas forwarding of emails is more likely to leave a trace. Just interested technically in how they would do such a thing with standard user privileges.
SOLUTION
kenfcamp

btan

If it is not an insider's doing, the audit trails would have surfaced it and the details can be articulated in the RecordType and more; just make sure it has not been overridden and is still there.

https://docs.microsoft.com/en-gb/microsoft-365/compliance/detailed-properties-in-the-office-365-audit-log


But many a time, auditing is either not enabled or has been modified due to an upgrade, misconfiguration, etc.; in short, it is not foolproof.


As you mention, the technicalities are of interest and you can find them below.


The release of a security research tool called Ruler enables an attacker to install a persistence mechanism once an account has been breached to maintain access even through a password roll.


https://docs.microsoft.com/en-gb/archive/blogs/office365security/defending-against-rules-and-forms-injection


Another is via such an interface. The key is that even user mode is good enough to do very stealthy stuff.


The Microsoft Messaging Application Programming Interface (MAPI) is “… a set of functions that mail-enabled and mail-aware applications use to create, manipulate, transfer, and store mail messages….”. Furthermore, according to Microsoft, “… MAPI also provides a common interface that application developers can use to create mail-enabled and mail-aware applications independent of the underlying messaging system.”
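As an added example (not from this thread, nor Microsoft's own tooling), here is defender-side triage over constructed audit records shaped like the Exchange entries in the audit-log reference btan links: it flags inbox rules that delete or mark-as-read mail matching a filter, and forwarding to addresses outside the tenant, which is how a rule created with only a standard user's privileges still shows up in the audit trail. The sample records, the tenant domain and the exact record layout are assumptions; the cmdlet parameter names are those of New-InboxRule/Set-Mailbox.

```python
import json

# Constructed sample records shaped like Office 365 unified audit log entries (Exchange workload).
SAMPLE_AUDIT_LOG = json.dumps([
    {"CreationTime": "2022-08-22T09:14:02", "RecordType": 1, "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Name", "Value": "."},
     {"Name": "SubjectContainsWords", "Value": "invoice;payment;password"}, {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2022-08-22T09:15:40", "RecordType": 1, "Workload": "Exchange", "Operation": "Set-Mailbox",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.7", "Parameters": [
     {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail.example.net"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2022-08-22T10:02:11", "RecordType": 1, "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.example", "ClientIP": "198.51.100.4", "Parameters": [{"Name": "Name", "Value": "Newsletters"},
     {"Name": "From", "Value": "news@contoso.example"}, {"Name": "MoveToFolder", "Value": "Reading"}]},
])

TENANT_DOMAINS = {"contoso.example"}          # assumption: the organisation's own mail domains
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead"}  # actions that keep matching mail out of the user's sight
FILTER_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "From"}

def external_targets(params):
    """Forwarding/redirect targets whose domain is not one of the tenant's own."""
    found = []
    for name in sorted(FORWARD_PARAMS & set(params)):
        for addr in params[name].lower().split(";"):
            addr = addr.strip().replace("smtp:", "", 1)   # Set-Mailbox values carry an smtp: prefix
            if "@" in addr and addr.rsplit("@", 1)[1] not in TENANT_DOMAINS:
                found.append(addr)
    return found

def assess(record):
    """Return (severity, reason) for a rule/forwarding record, or None if it looks benign."""
    if record.get("Workload") != "Exchange" or record.get("Operation") not in RULE_OPS:
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}  # flatten Name/Value pairs
    ext = external_targets(params)
    if ext:
        return ("high", "forwards mail outside the tenant to " + ", ".join(ext))
    filters = sorted(FILTER_PARAMS & set(params))
    if HIDE_PARAMS & set(params) and filters:   # rule silently deletes or marks read mail matching a filter
        return ("medium", "hides mail matching " + "; ".join(params[k] for k in filters))

def triage(audit_json):
    findings = []   # one finding per suspicious record, oldest first
    for rec in json.loads(audit_json):
        hit = assess(rec)
        if hit:
            findings.append({"time": rec["CreationTime"], "user": rec["UserId"], "severity": hit[0], "reason": hit[1]})
    return sorted(findings, key=lambda f: f["time"])
```

Bob's ordinary "move newsletters to a folder" rule produces no finding, while Alice's delete-on-keyword rule and the external forwarding address do, even though neither action needs admin rights.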


