Advice: Recovering ...
 
Notifications
Clear all

Advice: Recovering Office 365 Contacts

Alipford
(@alipford)
New Member

Hello,

One of the clients at my company was attacked with a phishing email. Somehow an email with a malicious attachment, that appeared to be from the financial manager, was sent out to everyone in the company. Now, the financial manager has lost all of his Office 365 Outlook contacts. I wanted to know if you can share possible forensic solutions to retrieving the contacts. I know of many forensic solutions, but has anyone had success with a specific one for this type of issues? We have tried all Office 365 recommendations for recovery. Also, can you share the possible ways an attacker could gain access to the financial manager's Office 365 account without physical access to their computer system (if any) to send out emails.

I appreciate any advice you can give.

Thank You,
Angela

Quote
Topic starter Posted : 13/08/2018 11:14 pm
hectic_forensics
(@hectic_forensics)
Junior Member

Hi Angela,

Have you tried to do an e-Discovery collection of the account in question? My understanding is that 90 days worth of 'deleted' data would be retained so perhaps you may be able to recover contacts that way? At the organisation I work for we tend to keep a lot of our Executives on litigation hold and take regular backups of accounts for assurance.

With regards to how the compromise could have happened, there are a few possible ways, most likely a phishing email, where O365 credentials have been phished for and successfully obtained. 2FA is a way of preventing this - and will go someway to protecting you if it is enabled. The Microsoft Authenticator App is used widely in our organisation successfully.

ReplyQuote
Posted : 14/08/2018 1:47 pm
Alipford
(@alipford)
New Member

Thanks so much for the fast reply. I just started working for them and realize they need to implement quite a few missing security safeguards so there is a job to do. I did not try ediscovery. I will try this.

Thanks

ReplyQuote
Topic starter Posted : 14/08/2018 2:44 pm
Share:
Share to...