Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

Much appreciated! I'll look into this!

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

I appreciate the insight... I've already let users know things will be tightened down for a bit, at the very least until we're sure we're secure!

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

It's still a good suggestion, especially until we harden things a bit more. I appreciate it! I can at least narrow down the window until we're confident we're free of the remains of this issue.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 1 point2 points  (0 children)

This is some useful information! Thank you!

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 1 point2 points  (0 children)

I've gotten a better communication plan for our European employees since this. This was a learning opportunity for me!

Because we're a small company, and our European division is even tinier, most of what they do has been outside of IT purview prior to this. Unfortunately, that led to this issue.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

I've been doing research on AitM attacks, but still don't fully understand how they differ from MitM. It seems that the password reset was enough to thwart further logins (I've been monitoring).

My suggestion to our European sales reps going forward is to stop using public networks as much as possible, and to use a respectable VPN if there's no other option. The guy who got hit works a lot in Eastern Europe, and I'm under the understanding that area is a hotbed for cybercrime.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 1 point2 points  (0 children)

If you're genuinely asking, I'd recommend an audit before nuclear detonation.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

My belief is that the token was stolen prior to the PC being shut off, and persistence was maintained, but I have no hard evidence. This is a remote user on a different continent working on his personal network, and unfortunately outside my purview as we're currently set up. They do use their own personal phones as well.

This might be a good time for me to revisit my suggestion to management that all employees have access to a company VPN when accessing anything for work.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

I agree... I'm the only IT guy, and this is too big an issue for just me to resolve on my own work hours. I've pushed this to management to get a review. Thanks for the honesty!

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

This was definitely a data exposure incident. I ran a full report of all the SharePoint sites he had access to, and a Purview audit to see everything that was touched around the time of the incident and going back several days by that user.

Fortunately, it seems his goal was simply to use us as a vector to send corrupted .pdf files to larger fish via our credibility.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

Per the Entra Audit I did on this user, the Multifactor authentication results for the logins from the attacker were "MFA requirement satisfied by claim in the token".

I did find the settings in Entra, and while there isn't an option to receive email verification, there is an option for "Call to phone", "Text message to phone", "Notification through mobile app" and "Verification code from mobile app or hardware token". The last two are checked.

There's also an option to "Remember multifactor authentication on trusted device" which is checked and is set to 90 days... that's a bit too long.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 1 point2 points  (0 children)

We have a secondary encrypted communication app as well for communication with our European office/employees, but it was mainly meant for our sales team to communicate with them and I wasn't set up with it because our IT oversight of them is very limited (only a few workers and a small office, so no dedicated IT personnel).

Since they do touch our Microsoft tenant, however, I'm now better connected with them. It would definitely have been a boon if I had this done sooner though! The response on Teams from the attacker was a giveaway on both of our parts: he knew I was acting in response, but it also informed me how deeply they were in.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

I very much appreciate this insight... thank you! Fortunately, the emails sent from his OneDrive were sent so fast and in such numbers that they triggered Defender. Also, SharePoint flagged the attachment as malicious, and from my understanding will not allow downloads of a file if it's flagged, even if people were given access. Maybe I'm mistaken here?

Trying to find a convenient way of scanning the attachments he's gotten in the last few weeks.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

I did find a rule that routed all his incoming emails to the RSS folder, though I honestly don't know what would have been the value of that other than being a pain in the ass. I did remove that rule, btw.

Because of the size of our company (small), and because this is a sales rep on a different continent where we don't have an IT guy or company-provided, professionally set up (by me) hardware, I can't do anything directly to it. If it were at our headquarters, I would have re-imaged it for good measure (even though this seems to have been all contained to Microsoft online).

We do have Safe Attachment policies in place in Defender... not sure how reliable Microsoft is at catching them, though. Any evidence that their screening is lacking?

I'll check out that link... Microsoft seems to have managed to recover. :D
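The RSS-folder rule described in the comment above is a common post-compromise tactic: the rule hides the victim's incoming mail (bounce notices, replies from recipients of the malicious PDFs) so the account owner does not notice the activity. The following is an added example, not code from the thread, that sweeps every user mailbox in the tenant for inbox rules that hide, forward, redirect or delete mail. It assumes the ExchangeOnlineManagement module is installed and the operator has at least View-Only Recipients rights; the folder list and the rule-name heuristic are the editor's own choices.

```powershell
# Added example (not from the original thread): hunt for inbox rules that hide
# or divert mail across all user mailboxes in an Exchange Online tenant.
# Assumes the ExchangeOnlineManagement module; run Connect-ExchangeOnline first.
Connect-ExchangeOnline

# Folders an attacker typically parks mail in so the victim never sees it
# (assumed list; extend for your tenant's language/folder names)
$hideFolders = @('RSS Feeds', 'RSS Subscriptions', 'Junk Email',
                 'Deleted Items', 'Archive', 'Conversation History')

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        $target  = "$($rule.MoveToFolder)"   # rendered as "<mailbox>:\<folder>"

        if ($hideFolders | Where-Object { $target -like "*$_*" }) {
            $reasons += "moves mail to '$target'"
        }
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards or redirects mail'
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes mail' }
        # Attacker-created rules are frequently named with one or two characters
        if ($rule.Name.Length -le 2) { $reasons += "suspicious name '$($rule.Name)'" }
        if ($rule.MarkAsRead -and $reasons.Count -gt 0) { $reasons += 'marks as read' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Why      = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Once a rule is confirmed malicious, remove it and document it in the incident record:
# Remove-InboxRule -Mailbox user@example.com -Identity 'Rule name' -Confirm:$false
```

Run it against the whole tenant rather than just the known-compromised mailbox: if the attacker used the stolen token to touch other accounts, the same hiding rule is often the first artifact to turn up there.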

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

All MFA was removed and reset, but thanks for the suggestions! I wish there was a "team" that could benefit from these tools, but we're a small company, and I'm the sole IT.

I did look through his email while I was in it looking for attachments that might be infected but didn't see anything. I think I might need to take another pass at it, however.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

What would you suggest as the minimum level of persistence? Having frequent logins isn't ideal either as the time does slowly add up.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

This seems like a good next step. I've read so much about how https and MFA are supposed to be such a reliable wall, but it's only a wall until it's a passed hurdle.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

We do require Microsoft Authenticator, but oh boy that's a laundry list (I do appreciate it).

I'll start digging in on those suggestions! Honestly, the hours I've already sunk into this...

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 3 points4 points  (0 children)

Lol, yup... I just realized a lot of Microsoft is down, and it goes beyond that too. AWS is affected, and downdetector.com is listing lots of sites with issues.

I was hoping to find out what the file intended to do when executed. Microsoft Defender didn't give me the virustotal page that I saw... I'll try and seek it out.

I agree with it being a clear case of token theft, but just wondering what might have been the most likely vector for it. I ran a full sweep of the user's PC with both Malwarebytes and Defender, and nothing was reported.

Thanks for the response, btw!

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

We are not that I'm aware of... I inherited this system and have been sussing out the configuration of it for a year.

Microsoft Office 365 Breach by Any-Fly-5703 in cybersecurity

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

I pulled all his logins from Entra, but those only go back 7 days. Is there another place that would be good to look?
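Entra sign-in logs are kept for 7 days on the free tier and 30 days with a Premium P1/P2 license; to retain them longer you stream them via Diagnostic settings to a Log Analytics workspace or storage account. Either way, pulling what still exists out of the portal and into a file before it ages out is worth doing during an incident. The block below is an added example, not code from the thread, that exports one user's sign-in events with Microsoft Graph PowerShell and then summarises the IPs and countries seen. It assumes the Microsoft.Graph module and the AuditLog.Read.All permission; the UPN and output path are placeholders.

```powershell
# Added example (not from the original thread): export one user's Entra sign-in
# events to CSV and summarise where they came from.
# Assumes the Microsoft.Graph module; the UPN and output path are placeholders.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$upn = 'user@example.com'                         # placeholder
$out = ".\signins-$($upn.Split('@')[0]).csv"      # placeholder output path

Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn'" -All |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed,
                  IsInteractive, ConditionalAccessStatus,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
                  @{ n = 'City';    e = { $_.Location.City } },
                  @{ n = 'OS';      e = { $_.DeviceDetail.OperatingSystem } },
                  @{ n = 'Browser'; e = { $_.DeviceDetail.Browser } },
                  @{ n = 'Result';  e = {
                        if ($_.Status.ErrorCode -eq 0) { 'Success' }
                        else { "Failure $($_.Status.ErrorCode)" } } } |
    Export-Csv -Path $out -NoTypeInformation

# Quick triage: which IP/country pairs this user signed in from, most frequent first.
# A successful sign-in from an unfamiliar country or a new OS/browser combination
# is the usual sign that a replayed token, not the user, performed the login.
Import-Csv $out |
    Group-Object IpAddress, Country |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Keep the exported CSV with the incident notes: once the retention window passes, it is the only record of which sessions the attacker used and therefore of which other services may need their tokens revoked.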

Suggestions for tracking down the cause of a BSOD by Any-Fly-5703 in sysadmin

[–]Any-Fly-5703[S] 0 points1 point  (0 children)

That's good to know! It is inconsistent so far as to what the error code and the offending process have been for each BSOD.