Damian Gardner

Cyber Security Phishing Question

Hello - we are looking for help with a cyber security issue we've just experienced. We had a user who received an email from someone and got them to enter their Microsoft credentials, which they captured. Somehow after that, they were able to add 2 more authentication methods to the user's account, thereby allowing the attacker to log in as them on the Cloud and manipulate their email rules, and then they started emailing out other phishing emails to people and also responding as the user to people. We have since locked down the account and kicked out the attacker. What we want to look into is a) how were they able to add these other AUTH methods? and b) what are some ideas on how to prevent this from happening so easily.



rindi

The crooks could have sent a keylogger, or a remote control utility, like LogMeIn, via that email, which was then installed & run in the background. With that they were then probably able to log on to the M$ account directly via a web browser & change the settings there.

 

Having the user logon with a standard user account rather than an Admin account can help avoid such "malware" from getting installed.

 

The other best method of prevention is to educate the users so they don't open e-mails they don't expect or don't know whom they actually originate from. Also, they shouldn't go to web pages that are in any way suspect. They should also never reply to e-mails which tell them to open a link & enter their credentials, or they should at least inspect those links for discrepancies.

 

User Education is always the best method to minimise such issues!


Did the user include a 2FA authentication from the attack?  How was it delivered?


The user didn't have 2FA enabled, so the attacker got the username and password. The attacker could then log in as the user and do whatever they wanted.

If the user had already enabled 2FA, then the logon would not have succeeded.

User education and testing is paramount.  

Knowbe4 is a good resource for educating your users.




Damian Gardner

ASKER

Hey guys - thanks for your feedback here. Yeah, we use a phishing awareness training SaaS (KnowBe4) to educate our users, and these 2 guys are very smart too - it was a matter of timing that caused them to drop their guard: they had just visited someone at a company we're doing business with the day prior, and then they happened to receive a fake DocuSign from that person the very next day - they thought it was legit because of that and they dropped their guard. They are not admins on the PC, so somehow the attacker was able to execute PowerShell or something allowing them to utilize the "authenticated" status of their sessions, is my guess, that allowed them to add an OATH token as well as an authenticator app to the user's already existing SMS method. So his MFA was indeed enabled, but the attacker was able to get around it - I'm assuming by gaining access to the user's Windows session.


Tom Hammer

a) Once they are signed into www.office.com, they can click the user icon in the upper-right, click View profile, click Update info under Security info, Click Add sign-in method.

 

b) training - you can't help them from themselves without training. There may be a way through your endpoint security to harden and detect malicious links.

 

Lastly, as admin, sign into Entra, find the user and click Applications to see if there are any unauthorized applications listed. If so, click it and Remove.


Maybe spear-phishing, if the victim is a privileged user such as an admin of Entra ID, which can be recognised from the victim's social media profile. The question is whether the victim has been phished before and whether he/she has been a victim in past phishing exercises. The human is the last line of defence.

You cannot stop human mistakes, nor can we hide one's role as one of the few privileged users, or stop users from using email and even having their own housekeeping email rules.

So I would rely more on anomalous email activity and on changes by an admin to the backend login activity of such a user, since changing the email rules of an account requires either having that other user's account or changing them as the admin, per - https://learn.microsoft.com/en-us/exchange/troubleshoot/user-and-shared-mailboxes/set-automatic-replies

https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/conditions-and-exceptions 




ASKER CERTIFIED SOLUTION
Jakob Digranes


See your last comments @Damian - this might easily be an Adversary-in-the-Middle attack. When the user logs in and performs MFA, the token, with a valid MFA claim, is stolen, and attackers can use this to access services in your Microsoft cloud environment. To avoid this, you need phishing-resistant methods, as mentioned above.
user education is always good, but with AitM attacks, the attacker proxies the user to the service they want to access, so they likely suspect nothing. 
AitM: https://techcommunity.microsoft.com/blog/microsoftsentinelblog/identifying-adversary-in-the-middle-aitm-phishing-attacks-through-3rd-party-netw/3991358
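A defender-side illustration of the monitoring suggested two posts up (anomalous inbox-rule changes and backend activity on the account) combined with the post-MFA token abuse Jakob describes: an added example, not code from this thread or from Microsoft. It assumes a simplified line-per-record JSON export; field names follow the Unified Audit Log's common fields (CreationTime, UserId, Operation, ClientIP, Parameters), the activity names are assumed, and every sample record is constructed.

```python
import json
from datetime import datetime, timedelta

# Entra audit activity for adding an auth method (assumed name; match to your tenant's export).
SECURITY_INFO_OPS = {"User registered security info"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
# Inbox-rule parameters that hide or exfiltrate mail.
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}

# Constructed sample: one JSON record per line, simplified from an AuditData export.
SAMPLE_LOG = """
{"CreationTime":"2024-05-02T09:01:10","UserId":"alice@example.com","Operation":"UserLoggedIn","ClientIP":"203.0.113.7"}
{"CreationTime":"2024-05-02T09:04:30","UserId":"alice@example.com","Operation":"User registered security info","ClientIP":"203.0.113.7"}
{"CreationTime":"2024-05-02T09:06:05","UserId":"alice@example.com","Operation":"New-InboxRule","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;docusign"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-05-02T10:15:00","UserId":"bob@example.com","Operation":"New-InboxRule","ClientIP":"198.51.100.4","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}
"""

def parse_records(text):
    """Parse line-delimited JSON records and sort them by creation time."""
    recs = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["_ts"] = datetime.fromisoformat(rec["CreationTime"])
        recs.append(rec)
    return sorted(recs, key=lambda r: r["_ts"])

def rule_params(rec):
    """Flatten the Name/Value parameter list of a cmdlet audit record."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}

def triage(records, window_minutes=60):
    """Return {user: [findings]}. 'takeover_pattern' fires when a suspicious rule
    follows a security-info registration from the same IP within the window."""
    findings, registrations = {}, {}   # registrations: (user, ip) -> timestamp
    for rec in records:
        user, ip, op = rec["UserId"], rec.get("ClientIP"), rec["Operation"]
        out = findings.setdefault(user, [])
        if op in SECURITY_INFO_OPS:
            out.append("mfa_method_added")
            registrations[(user, ip)] = rec["_ts"]
        elif op in RULE_OPS:
            params = rule_params(rec)
            # Throwaway rule names like "." or a single letter are a common tell.
            if set(params) & RISKY_RULE_PARAMS or len(params.get("Name", "")) <= 2:
                out.append("suspicious_inbox_rule")
                reg = registrations.get((user, ip))
                if reg and rec["_ts"] - reg <= timedelta(minutes=window_minutes):
                    out.append("takeover_pattern")
    return findings
```

Run it against a real export by feeding the AuditData column, one JSON object per line, to `parse_records`; a user with both findings from one IP in a short window is the pattern this thread describes and worth an immediate session revoke and method review.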


Thanks for everyone's help - much appreciated.  Going to close the thread
