Can anyone recommend any useful articles/reading on investigating potential compromise of office365 mailboxes (and credentials) via a phishing email attack specific to what level of compromise of the mailbox and content did or did not take place whilst the credentials and therefore mailbox was 'vulnerable'.
The exchange message trace logs do not show any worrying forwarding of emails around the time and after, and inbox/forwarding rules/autoforward's have been ruled out, credentials changed etc, but we need to see what (if any) artefacts could help determine the extent of the damage whilst the account was potentially vulnerable. Any guidance in general on useful artefacts if you have had similar but specifically for the office365/exchange online platform most welcome.
We have access to the all the relevant 365 logs and a PST representation of the mailbox itself although I'm not overly convinced what evidence there will be in the mailbox itself that will really prove anything (could be wrong).
Any sort of realistic warning what may / may not be provable if its a sophisticated attack/compromise is also welcome, but for the record the account which may have been compromised was a basic user account (no form of administrative privileges).
How have you determined this to be phishing if you have not examined the mailbox or users devices yet? You need to be considering the wider security picture and attack vectors such as phishing, malware, brute-force etc.
Parse the PST and extract the embedded URLs, IP addresses, attachments etc, apply your threat intelligence and look for any indicators of compromise. Carry out threat research on any identified IOC's to help support the investigation. Have you examined the sign-in logs, any unauthorised IP addresses accessing the users mailbox or can you see a pattern of brute-force attempts to access the account. Unified audit logs will retain alot of activity associated to the user such as new rule creation, accessing files etc. What about mailbox audit logs, sign-in, other security alert logs associated to Azure AD? Can you examine the users devices? Maybe there is credential stealing malware sat on their computer harvesting data, which you could reverse-engineer and identify what its targetting.
In terms of account security, what security configurations of Azure AD or/and O365 are in place. Might be worth doing a security audit of those platforms.
How have you determined this to be phishing if you have not examined the mailbox or users devices yet? You need to be considering the wider security picture and attack vectors such as phishing, malware, brute-force etc.
Parse the PST and extract the embedded URLs, IP addresses, attachments etc, apply your threat intelligence and look for any indicators of compromise. Carry out threat research on any identified IOC's to help support the investigation. Have you examined the sign-in logs, any unauthorised IP addresses accessing the users mailbox or can you see a pattern of brute-force attempts to access the account. Unified audit logs will retain alot of activity associated to the user such as new rule creation, accessing files etc. What about mailbox audit logs, sign-in, other security alert logs associated to Azure AD? Can you examine the users devices? Maybe there is credential stealing malware sat on their computer harvesting data, which you could reverse-engineer and identify what its targetting.
In terms of account security, what security configurations of Azure AD or/and O365 are in place. Might be worth doing a security audit of those platforms.
Thanks for your reply, a preliminary analysis of the phishing email did take place as it got through to a number of others. It was more the post-event process to determine what the user clicking the malicious link may have caused in terms of data leakage etc.
It has led to a far amount of remedial work on security in general, user education and a review of various settings and policies.
Working through the unified audit logs/AD logs later today.
Can anyone recommend any useful articles/reading on investigating potential compromise of office365 mailboxes
You can start with https://
From my experience and recent cases I worked on even if it is a "normal" user, the crooks use the access to the enterprise-wide adress book and then send very good and targeted phishing emails to VIP/ people in HR and Finance! Last year I investigated a case where a CFO of a well-known company in the EU clicked on such a spear phishing email… no names here -) And this case began with malspam to a "normal" user, too. In *all* similar cases I had, gangs from Nigeria were behind this crime. So my advice check your proxy/ firewall/ IDS/ IPS/ SIEM for outgoing connections to Nigeria or any other country you do not do any business with. More people could have clicked on a link in a wrong email.
Last but not least and I can only mention it over and over again Attackers come back. Tell your users to be very cautions and triple-check every incoming email from unknown and *known* senders.
regards, Robin
Thank you for your pointers.
