It's possible that the spam was sent through a forwarded email address that the user didn't know about. Here are a few suggestions that may help:Ĭheck the user's email forwarding settings. It sounds like you've taken some good steps already in terms of resetting the password and doing a malware scan. Hi Stuart, I'm sorry to hear about the email compromise. The only way to get this is to pay MS an additional £225 a month for our tenant to get Conditional Access policies, which seems like a lot to get what I'd consider to be a basic security feature. IP checking and enforcing a new MFA prompt for each new IP address used seems to be the only way forward for better protection.
Yet if signing in with Azure AD, I think OWA must use the AAD refresh token, because I am not prompted to re-auth with OWA after 6 hours of inactivity. But I cannot see any other explanation.Īccording to this article Opens a new window the session timeout for Outlook Web App (which is how they got in) is 6 hours. We do reinforce the "don't click links" message fairly regularly, and staff will forward me suspicious emails to check. I'm convinced now that my user must have been phished at some point. I watched the Kevin Mitnick demo of this on YouTube last night and was honestly shocked at how easy this is to do.
But as Roger (KnowBe4) points out in his article, it does nothing to prevent cookie stealing. I turned number matching on for our tenant last night - decided not to wait until MS switch it on automatically. Would welcome any suggestions as to where else I should look, and if there is anything I should do that I haven't already thought of. Microsoft's line is that someone has somehow got the MFA accepted on the phone and used it to gain access. He says definitely not, and on weekends his phone is set to DND and kept in a drawer and not touched. I checked with the user whether he has had any MFA prompts on his phone, especially on Saturday 25th.
Looking further back, we have another suspicious login on 25 Feb (a Saturday) which was stopped by MFA, but says that MFA was successfully completed. It shows the IP address that sent the spam signing in a few times, and the MFA requirement shows as "previously satisfied". After an hour to-ing and fro-ing where they seemed more concerned with the fact the account "is now secure and this won't happen again" and trying to upsell me to Azure AD Premium, I managed to get them to show me how to find sign-in audit logs in Azure. No SMS allowed.Īfter doing the usual checks, password reset, malware scan etc I got MS involved. Thing is, all our M365 accounts have mandatory MFA, and the only method we use to accept / reject is via the MS Authenticator app. one of our users has had their email compromised and used to send a shed-load of spam.
0 kommentar(er)
