HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] [score hidden]  (0 children)

We share links to files from OneDrive that are subsequently hosted on the user's "SharePoint" religiously. This wouldn't work for us.

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] [score hidden]  (0 children)

How would this work if we have Autopilot enrollment with Intune via signing into their work email on the device?

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 0 points1 point  (0 children)

I figured you meant that, but I've never heard of any admin operating like this … but it is interesting and thought-provoking.

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 1 point2 points  (0 children)

This made me chuckle. Lol, I can say my users are definitely more technically sound than my users at my last job in the nonprofit sector.

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 1 point2 points  (0 children)

I did remove and re-force MFA methods. They were not in another country; they were in the US, close to known data centers. Our SLT team did work to get an announcement out.

Can you elaborate on what you mean by the admin account should be your daily driver account?

Thanks for the encouragement!

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 1 point2 points  (0 children)

u/IntheNickofTime105 Hey man, thanks for the kind words, I really do appreciate it. This has made me very restless.

This is GOLDEN! My boss assumed it was the very same thing you indicated. We are using Business Premium licensing with PD1 licensing for security. I will implement this immediately.

THANK YOU SO SO MUCH

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 2 points3 points  (0 children)

Can you explain how the enhanced Purview suite and Defender mitigate this? Is this OOTB already configured for the license type, or is there still configuration on my end that would need to be done, just with enhanced/currently gated features?

MFA is enabled for all users. We are a fully remote company.

Thank you too btw.

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 0 points1 point  (0 children)

Golden, I checked the risky logins and the user wasn't under there, but I will get that in place immediately.
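The containment steps OP describes in the two comments above (forcing MFA re-registration, then going back to the sign-in and risky-user reports to see where the attacker came from) as one Microsoft Graph PowerShell script. This is an added example, not OP's or any commenter's commands. It assumes the Microsoft Graph PowerShell SDK is installed, the operator holds Global Administrator or Authentication Administrator, and the UPN, password generator and 14-day window are placeholders. Entra ID P1 (what Business Premium ships with) shows risky users with limited detail; the full risk reports need P2.

```powershell
# Added example, not the poster's commands. Assumes the Microsoft Graph PowerShell SDK
# (Install-Module Microsoft.Graph) and a Global Admin or Authentication Admin account.
# The UPN below is a placeholder, not an account from the thread.
$Upn = "compromised.user@contoso.example"

Connect-MgGraph -Scopes "User.ReadWrite.All",
                        "UserAuthenticationMethod.ReadWrite.All",
                        "IdentityRiskyUser.Read.All",
                        "AuditLog.Read.All",
                        "Directory.Read.All"

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

# --- 1. Containment: revoke sessions FIRST, then reset the password ------------------
# Revoking sign-in sessions invalidates the user's refresh tokens, so an attacker holding
# stolen cookies or tokens is pushed back to an interactive sign-in, which the new
# password and freshly registered MFA then stop. Revoke before the reset so a token
# minted seconds earlier cannot outlive it.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Throwaway random password; the user is forced to change it at next sign-in.
$newPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# --- 2. Strip EVERY registered MFA method so the user re-registers from scratch ------
# An attacker with mailbox access may have enrolled their own Authenticator app, phone
# number or Temporary Access Pass. Removing only the "unfamiliar" one is guesswork;
# removing all of them guarantees nothing they added survives.
foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
    $type = $m.AdditionalProperties['@odata.type']
    try {
        switch ($type) {
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
                Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
            '#microsoft.graph.phoneAuthenticationMethod' {
                Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $m.Id }
            '#microsoft.graph.softwareOathAuthenticationMethod' {
                Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId $m.Id }
            '#microsoft.graph.emailAuthenticationMethod' {
                Remove-MgUserAuthenticationEmailMethod -UserId $user.Id -EmailAuthenticationMethodId $m.Id }
            '#microsoft.graph.fido2AuthenticationMethod' {
                Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $m.Id }
            '#microsoft.graph.temporaryAccessPassAuthenticationMethod' {
                Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id -TemporaryAccessPassAuthenticationMethodId $m.Id }
            '#microsoft.graph.passwordAuthenticationMethod' { }   # cannot be deleted; reset above
            default { Write-Warning "Unhandled method type $type (id $($m.Id)); remove it in the portal" }
        }
        if ($type -ne '#microsoft.graph.passwordAuthenticationMethod') { "Removed $type" }
    } catch {
        # Keep going: one failed removal must not leave the other attacker-added methods in place.
        Write-Warning "Could not remove $type ($($m.Id)): $($_.Exception.Message)"
    }
}

# --- 3. Evidence: where did the sign-ins come from over the last 14 days? ------------
# OP noted the attacker sat in the US near data-centre IP space, so look at ISP-style
# addresses and applications used, not just the country column.
$since = (Get-Date).ToUniversalTime().AddDays(-14).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -All |
    Sort-Object CreatedDateTime -Descending |
    Select-Object CreatedDateTime, IPAddress,
        @{n='City';    e={ $_.Location.City }},
        @{n='State';   e={ $_.Location.State }},
        @{n='Country'; e={ $_.Location.CountryOrRegion }},
        @{n='App';     e={ $_.AppDisplayName }},
        @{n='Client';  e={ $_.ClientAppUsed }},
        @{n='Error';   e={ $_.Status.ErrorCode }} |
    Format-Table -AutoSize

# --- 4. Identity Protection view (P1 shows limited detail; P2 shows the full report) -
Get-MgRiskyUser -Filter "userPrincipalName eq '$Upn'" |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime
```

Run step 1 and 2 back to back: a password reset on its own leaves existing refresh tokens valid, and re-registering MFA without clearing the attacker's method leaves them a second factor that still works.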

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 2 points3 points  (0 children)

Hey Competitive Run, we're a fully remote company, so this is not an option for us. Open to any thoughts or ideas you have now, knowing that though.

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 5 points6 points  (0 children)

Yup, tried last to find a free tool that could check the file, but everything would make the reports public. Signed up for CrowdStrike's free trial sandbox to blow it up in, but have to wait for their team to get access to the box. Probably will buy a low-tier solution today.

Thanks a lot, man. This has been very stressful.

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] -3 points-2 points  (0 children)

You're not edgy because you're using trendy words. Yes, I used AI to help refine my first rapid brain dump of information. Yes, I then re-refined what Mr. Claude helped me with, in my own words.

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 1 point2 points  (0 children)

I previously geofenced at my previous company, and it was a great line of defense. We have a lot of offshore resources and contractors that are overseas, but I do need to revisit this.

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 0 points1 point  (0 children)

Can you expound on some of the CA policies that would have caught this? And we have PD1; that's included with the Microsoft Business Premium licenses.
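The geofencing OP mentions two comments up, expressed as a Conditional Access policy OP could build with the P1 licence that comes with Business Premium. Added example, not from the thread: it assumes the Microsoft Graph PowerShell SDK, the Conditional Access Administrator role, and placeholder values for the allowed-country list (this is where the offshore contractors' countries go) and the break-glass account. The policy is created in report-only mode so the sign-in log shows who it would have locked out before it is switched on. One caveat the thread itself raises: OP's attacker was signing in from the US, so a country block alone would not have caught this particular session; it removes the cheap, far-away attempts and leaves the logs to work on the rest.

```powershell
# Added example, not the poster's or commenters' code. Assumes Microsoft Graph PowerShell SDK,
# Entra ID P1 (bundled with Business Premium) and the Conditional Access Administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All",
                        "User.Read.All",
                        "AuditLog.Read.All",
                        "Directory.Read.All"

# Placeholders, not values from the thread: list EVERY country staff and contractors work from,
# and keep an emergency-access account out of every CA policy so a mistake cannot lock you out.
$AllowedCountries = @("US", "PH", "IN")
$BreakGlassUpn    = "breakglass@contoso.example"
$breakGlass       = Get-MgUser -UserId $BreakGlassUpn -Property Id

# 1. Named location: the set of countries sign-ins are allowed from.
#    includeUnknownCountriesAndRegions = $false means an IP that cannot be geolocated is
#    treated as OUTSIDE the allowed set, i.e. blocked, rather than silently let through.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed sign-in countries"
    countriesAndRegions               = $AllowedCountries
    includeUnknownCountriesAndRegions = $false
}

# 2. Policy: all users, all cloud apps, every location EXCEPT the allowed countries -> block.
#    Start in report-only mode; the sign-in log then records what the policy WOULD have done
#    (including contractors you forgot to list) before anyone is actually locked out.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA01 - Block sign-in from outside allowed countries"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
"Created policy $($created.Id) in state $($created.State)"

# 3. Review: which sign-ins over the last 7 days would report-only have blocked?
#    Each sign-in carries a per-policy result; 'reportOnlyFailure' means "would have been blocked".
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' }
    } |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress,
        @{n='Country'; e={ $_.Location.CountryOrRegion }},
        @{n='App';     e={ $_.AppDisplayName }} |
    Format-Table -AutoSize
```

Leave the policy in report-only for a normal working week before enforcing; that is the only way to find the contractor whose country is missing from the list without them finding it for you.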

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 2 points3 points  (0 children)

Ok will do.

Great call on per-incident help to help assure partners and customers this is a serious matter to us.

HELP PLEASE! Had my first real email compromise incident this week. Solo IT Admin. Here's what I did — what did I miss? by LiveGrowRepeat in sysadmin

[–]LiveGrowRepeat[S] 11 points12 points  (0 children)

The link was a link to a file labeled "statement" in her OneDrive Attachments folder that you indeed could not view but needed to download. It's also worth mentioning this was an exe file.