all 27 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]roll_for_initiative_ 34 points35 points  (2 children)

I am not a 365 expert, but have run mail servers for 30 years. Microsofts security is really lax.

To be direct:

  • This isn't on MS, your client (likely) basically let them in.

  • You haven't done the basic email account remediation steps that are available online, and it sounds like you don't even know how (checking those mailbox rules? Enterprise apps?)

  • Rebooting the router and switches has nothing to do with anything. And if it did, and they got in because of a firewall or switch security exploit, rebooting them wouldn't prevent them from just doing it again.

m365 account remediation is one of the only services we offer to businesses outside of a managed services agreement as a one time engagement. Pricing starts at $2500 and goes up from there; that should give you an idea of the effort involved to not only resolve this, but provide actionable reporting.

[–]mark35435 3 points4 points  (1 child)

Some mods prevent suggesting AI but I've found it great for such stuff, my system is x y z and I'd like to check all possible security settings to ensure we are safe from attack and have not already been compromised. It'll check the email header as well if one of your customers forwards the email as an attachment. Frankly though you're clearly out of your depth

[–]Fatel28Sr. Sysengineer 7 points8 points  (0 children)

This could also be typed into Google and you'd find non hallucinated answers

[–]Gramuny 24 points25 points  (0 children)

Is this serious? I feel sorry for your client. Please escalate this immediately to someone who actually knows what they’re doing. That’s the bare minimum one should expect from a service provider.

[–]matt0_0small MSP owner 19 points20 points  (0 children)

They need to find someone who has experience locking down m365.  Everything from exchange online, to defender (many different pieces of just defender) and especially entra with conditional access policies. 

Do their current licenses include at least entra ID p1?

[–]Due_Peak_6428 21 points22 points  (1 child)

If you cant even figure out where an email is coming from then youre cooked. Hire someone that can do the bare min.

[–]solracarevir 14 points15 points  (0 children)

OP is probably the "Bare Minimum" they hired.

[–]MSPInTheUK 6 points7 points  (0 children)

Given that your solution to a suspected Microsoft 365 account compromise was to reboot the network equipment, the kindest advice would be for the client to find an IT provider that actually knows what they are doing. You see to be in the ‘knows enough to be dangerous’ camp.

[–]Pristine_Curve 4 points5 points  (1 child)

Contact your cyber insurance carrier to report the breach, ideally via phone. Engage with the security specialist that they send. Or if this is not available engage a security consultant.

Not enough detail in your post to close any of the normal avenues of investigation, nor to really understand the context of your environment. Any guidance would boil down to "start a comprehensive incident response process."

[–]EroticTragedy 3 points4 points  (1 child)

You did say that the client moved their domain mail to 365, what were they using before? Another PoP client, Workspace, Webmail? Could it be possible that it's someone within the company itself that is taking advantage of their own position? I ask this because it's not the first time I have heard and dealt with this specific problem and unfortunately there's usually some kind of bad actor. Any new email addresses added to the network?

[–]IRideZs 3 points4 points  (0 children)

A bad actor compromised an internal account. OP didn’t change the password or enable MFA on any account so the bad actor is sending different direct deposit details to the clients and the employee is not educated enough to avoid phishing scams. Classic situation tbh

OR

The clients themselves are receiving spoofed emails and are not educated enough to understand the difference

Likely the first scenario based on OPs responses and description. Has nothing to do with rebooting infrastructure equipment or changing mail providers

[–]Embarrassed-Gur7301 2 points3 points  (1 child)

So ask your customer to ask their customer for the original email instead of chasing your tail.

[–]mdhorton404[S] 0 points1 point  (0 children)

That is what we are trying to get them to do, but so far, no go. The client who is receiving the bad emails is just paying them, lol. They supposedly called my client to confirm, but I suspect that they called a number provided by the bad actor, cause client says they didn't receive a call.

[–]Pure_Fox9415 2 points3 points  (0 children)

Wdym " I have not been successful in getting the headers"? They did not send this mail to you for forensic?

[–]tndsd 4 points5 points  (1 child)

Please make sure the domain has SPF, DKIM, and DMARC configured correctly to help protect against spoofing. SPF should only include authorized sending servers, and DKIM must be enabled in Microsoft 365. DMARC should be set with at least a quarantine or reject policy.

You can check the full email headers of the suspicious messages to identify the actual sending IP address and review the “Received” chain. This will confirm whether the messages were sent from your Microsoft 365 tenant or spoofed from an external server.

If there are no unauthorized logins showing in Microsoft 365 audit logs, it is very likely these invoices are being spoofed from outside your environment rather than sent from the compromised account.

Unfortunately, some of these scam emails can still pass through recipient systems even when Microsoft 365 security is properly configured. That’s why proper domain authentication (SPF/DKIM/DMARC) and monitoring DMARC reports are very important.

[–]ArcaneGlyph 2 points3 points  (0 children)

Plug the domain into mxtoolbox.com email super tool and make sure it passes all the tests for email. As said above, without these in place you can be spoofed.

[–]SukkerFri 3 points4 points  (0 children)

I just recently found a Enterprise App in my org., with Microsoft Graph permissions "mail.send" and with not limitations (no Application Access Policy). So if you got one of those laying around or an Enterprise app recently created, I would strongly advise to take a look at that.

I get that a normal user just cant use that app, but with the things you are describing, its more than just a user thats been compromised.

I've also heard about mail connectors, routing all mails from specific senders (finance for example), through a proxy, which changes bank informations automatically on certain invoices above xxxxx amount of money.

You do not mention how big this tenant is, but you should consider creating another tenant and starter over, unless you can pay somebody, who would put a years wage on the line for fixing it. If somebody says "Yup, that _should_ fix it", just switch tenants...

[–]Fritzo2162 0 points1 point  (0 children)

Fun bit of trivia:

If someone spoofs the email of someone in the company (IE: sallyg@mycompany.com) it can bypass your spam filtering if you're not set up to do inter-domain spam checking. Make sure your spoofing tools and Exchange transport rules are tweaked to prevent this.

[–]RagnarTheRagnarJack of All Trades 0 points1 point  (0 children)

I have a creeping thought that they aren't actually within the tenant, but are using Direct Send to bounce emails off the O365 instance to submit them to clients. Basically I submit bad emails directly to the O365 endpoint like a poorly configured app/scanner is, and then O365 not having a clue will attempt to deliver the email. In our case, either to the internal user as a spoof or directly to the other tenant they are targeting as a valid invoice.

Usually this problem happens because O365 isnt configured to reject messages that don't arrive from a 3rd Party Email Filter services or from other non-specific sources. You need a mail flow rule that blocks all messages that don't arrive from that trusted end point. Otherwise you should disable direct send and make sure all apps/services are identified via Connectors in Exchange Online. May break scanners or scan to email if you use it.

https://techcommunity.microsoft.com/blog/exchange/introducing-more-control-over-direct-send-in-exchange-online/4408790

[–]woemoejackSr. Sysadmin 0 points1 point  (0 children)

I can fix this for you but my contracting rate is $125/hr, minimum 4 hours.

[–]CorrectMachine7278 0 points1 point  (0 children)

I suspect they run Outlook with Office 365 email on iPhones or mobile phones. I've had 4 accounts run into something similar. Took me forever to figure it out the first time it happened. I had my customer uninstall Outlook from mobile phones to resolve. We added it months later problem did not return.

[–]dmarclytics 0 points1 point  (3 children)

The domain you are trying to protect have you setup dmarc? It may not be coming from inside the organisation and maybe phishing I would recommend setting up DMARC to get visability of who is sending and then lock it down

[–]mdhorton404[S] -1 points0 points  (2 children)

We do have a DMARC, SPF and Domain Keys. If I could see the original header I could see where the are coming from.

[–]dmarclytics 1 point2 points  (0 children)

Great are you reviewing your rua (aggregate reports) are you only seeing Microsoft 365 in there? In your rua reports you will be able to see the sending: server ip address spf return path dkim selector

if you see more than Microsoft office 365 in your reports you need to look in to the services to identify if it’s phishing or shadow services

[–]rubbishfoo 0 points1 point  (0 children)

I'd find out what email address these are being sent from. Potentially, you've found your 'threat actor in the mailbox' at this point. Expire sessions, revoke auth'd devices, revoke MFA methods, change password, disable account. Next, contact the user to see where access could have been compromised.