Got a call from a customer who I have not heard from in several years. They are a franchise, so I'm assuming that the corporate mail servers are Exchange, but I will find out.
In December, my customer started getting emails from their customers asking why they (their customers) were being sent old emails for invoices that had already been paid. Then a couple of their customers said they received an email with an attachment that was identified as malware. At this point one of their employees purchased McAfee for all their machines and installed and ran it. They still had problems, and their "new" IT guy was non-responsive, so they called me.
They forwarded me a couple of sample emails, and from what I can tell, someone has been able to access their Outlook account and view old emails and then send them to the original customer, but with a spoofed "from" address. I have not been able to access their machines yet (covid stuff) to see what, if any, malware McAfee found, so I don't know if this was the result of a malware infection. The other possibility is that a current or former employee accessed their email and exfiltrated emails and contacts. At this point, they claim to have reset everyone's email password, including former employees'. But they are still getting feedback from their customers that this is still happening.
So, (finally) my question: what, if anything, can I assist them with in this situation? I will be examining all of their machines and running Malwarebytes (I'm not a big fan of McAfee) and AdwCleaner to see if there is any spyware. But if the data is already exfiltrated, all I can think of is that they will have to send email to all of their customers with a warning to check the "from" address on any suspicious email.
Any suggestions are greatly appreciated.
Harry Z
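The post asks the customer's customers to "check the from address", but a spoofed message shows a plausible From line; what gives it away is in the headers the recipient never sees. The following is an added example, not code from the original post or from Harry: it takes a raw message, compares the domain in the visible From header against the Return-Path and Reply-To domains, and reads the SPF/DKIM/DMARC verdicts from the receiving server's Authentication-Results header. The two messages embedded in it are constructed samples with made-up domains (franchise-example.com, mailer.example.net, free-mail.example); the header layout follows the standard Python email library, and the Authentication-Results format is the usual RFC 8601 style.

```python
import re
import email
from email.utils import parseaddr

# Constructed sample (not from the original post): the visible From claims the
# sender's own domain, but the bounce address, Reply-To and the receiver's
# authentication verdicts all point elsewhere. This is the pattern of a
# replayed invoice thread sent with a forged From line.
SPOOFED_EML = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.customer-example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=franchise-example.com
From: "Accounts Payable" <ap@franchise-example.com>
Reply-To: ap.franchise-example@free-mail.example
To: billing@customer-example.com
Subject: RE: Invoice 10432
Content-Type: text/plain

Please see the attached invoice.
"""

# Constructed sample of a message where everything lines up and authentication passed.
ALIGNED_EML = """\
Return-Path: <ap@franchise-example.com>
Authentication-Results: mx.customer-example.com; spf=pass smtp.mailfrom=franchise-example.com; dkim=pass header.d=franchise-example.com; dmarc=pass header.from=franchise-example.com
From: "Accounts Payable" <ap@franchise-example.com>
To: billing@customer-example.com
Subject: Invoice 10433
Content-Type: text/plain

Invoice attached, thank you.
"""

FAILING_RESULTS = {"fail", "softfail", "permerror", "temperror"}


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def parse_auth_results(value):
    """Pull the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value or "")
        if m:
            results[method] = m.group(1).lower()
    return results


def assess(raw_message):
    """Compare From against Return-Path/Reply-To and report authentication failures."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    return_path_dom = domain_of(msg.get("Return-Path"))
    reply_to_dom = domain_of(msg.get("Reply-To"))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    findings = []
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"Return-Path domain {return_path_dom} differs from From domain {from_dom}")
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append(f"Reply-To domain {reply_to_dom} differs from From domain {from_dom}")
    for method, verdict in auth.items():
        if verdict in FAILING_RESULTS:
            findings.append(f"{method} result is {verdict}")

    return {
        "from_domain": from_dom,
        "return_path_domain": return_path_dom,
        "reply_to_domain": reply_to_dom,
        "auth": auth,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EML), ("aligned", ALIGNED_EML)):
        report = assess(raw)
        print(f"{label}: suspicious={report['suspicious']}")
        for finding in report["findings"]:
            print("  -", finding)
```

One caveat for the situation in the post: if the mailbox itself is compromised and the attacker sends through the real account, the Return-Path will align and SPF/DKIM/DMARC will pass, so this check finds nothing. In that case the evidence is on the mailbox side instead: sign-in history from unfamiliar locations, newly created inbox rules that forward or hide mail, and sessions that survived the password reset because they were not revoked.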