How do I find an email that was sent via token theft?

thecomputerguy

Clients called ... said their client was sent an email with ACH information for a large amount of money.

I login to the email account via delegation and see rules setup so I know the account is compromised.

Weirdly ... there are no bad sign ins for this account in Azure.

I can identify the email that was sent from the compromised account via message trace but I can't see the email in the users sent box.

How do I find this email?

I see it send in the mail flow but I can't find it anywhere.

The rule was set to mark the message as read from the afflicted sender and move it to the archive folder but it's also not there.
 
Did you check the RSS folder? Or another folder they created to hide the sent mail? View in Outlook Classic and change to folder view, could be deep in the deleted folders, or under another one.
 
Token Theft will still be viewable in sign in logs in Entra ID.....wording such as "MFA Satisfied by claim in token"....
And without higher level subscriptions, the tenant doesn't have the tools to combat those to begin with.

EMails sent by the bad actor are usually hard deleted, traces removed, only the amateur ones leave their tracks in the sent items folder.

Also they'll often follow up immediately with adding another MFA method (so they can get back in, because their stolen token has an expiration date)......and you may also find new enterprise apps added, or...permissions altered on existing enterprise apps. It's quite time consuming to browse enterprise apps to try to vet them yourself....and it's flat out brutally time consuming to examine existing enterprise apps for permission additions....so 3rd party 365 management/monitoring services become really necessary for anyone in this industry.
 
I didn't think this was possible as a non-licensed admin.

It will be interesting to see what this assertion brings in responses. It was my understanding, and that could be incorrect, that much as "a rose is a rose is a rose," that "a GA is a GA is a GA," as far as access to anything in the tenant is concerned.
 
It will be interesting to see what this assertion brings in responses
That's why I asked. You can give yourself read/manage access, but then what? An unlicensed admin account doesn't have mail. Do you then get to login to OWA like a normal user? I've always just accessed the user's computer directly to investigate stuff like this in Outlook - and sign into OWA from there with a temporary access pass. I might be missing something obvious, but this won't be the first time.
 
An unlicensed admin account doesn't have mail.

But they can dig into the email repository of anyone in the tenant, can't they? This kind of research isn't about being able to send/receive email messages, but to be able to dig through those already "in storage" for any given user in the tenant.

I'll add that I, too, could be entirely wrong. That's why I'm really interested to hear responses from those doing this sort of work routinely. I have only one tenant I have access to and have never had to do this precise sort of digging (and even though I could do it "for fun" it's not fun for me, so I'm not going to play around just to satisfy my own curiosity. Too much potential for me to have an accident of some kind).
 
I do message traces frequently from the EAC, but that is different than direct access to the user's mailbox. I'm getting conflicting results when searching the topic. At least one reference says you can login to OWA with an unlicensed admin provided they have read/manage rights, but other references say unlicensed accounts (admin or not) cannot access email. I suppose a test is in order to clarify, but it's my day off, so that's a task for future me.
 
Do you have a licensed account on the client's tenant? I didn't think this was possible as a non-licensed admin.

Yes I license myself on all my client tenants, as far as I know if you can't OWA you can't access another mailbox.
 
I know if you can't OWA you can't access another mailbox.

If this is true, and I am not saying that it isn't, then there is definitely such a thing as "second class GA." The term Global Admin should mean exactly what it says, licensed or unlicensed, in terms of tenant management. Digging through email of others in the tenant should be a part of the GA role, period, end of sentence. If it isn't, then Microsoft should be made aware of the displeasure of those who routinely set themselves up as unlicensed GAs in M365 tenants because there should be no reason to do otherwise if GA means GA.
 
Message Tracking Center will show what was sent..and not be covered up by "delete" rules setup in outlook by the bad actors.
This. Second-class GA can do a lot without a license. You just have to use stuff like message trace and search. Message trace cannot be deleted by a bad actor.
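The checks the thread relies on (inbox rules, message trace, and a search that reaches folders a rule may have hidden the mail in), as an added Exchange Online PowerShell example that is not from any poster here. It assumes the ExchangeOnlineManagement module, an admin account with Exchange and compliance permissions, and the placeholder addresses and search name shown.

```powershell
# Added example (not from the thread): triage a suspected mailbox compromise.
# Placeholders: replace the admin UPN, the compromised mailbox and the recipient.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'   # assumed admin UPN

$mailbox   = 'victim@example.com'   # placeholder: compromised mailbox
$recipient = 'client@example.net'   # placeholder: who received the ACH email
$start     = (Get-Date).AddDays(-10) # message trace covers the last 10 days
$end       = Get-Date

# 1. Inbox rules, including hidden ones: this is where the "mark as read and
#    move to Archive/RSS" persistence the thread describes lives.
Get-InboxRule -Mailbox $mailbox -IncludeHidden |
    Select-Object Name, Enabled, From, SubjectContainsWords, MoveToFolder,
                  DeleteMessage, MarkAsRead, ForwardTo, RedirectTo |
    Format-List

# 2. Message trace: the server-side record of what left the mailbox. Deleting
#    the copy in Sent Items does not touch it.
$trace = Get-MessageTrace -SenderAddress $mailbox -RecipientAddress $recipient `
            -StartDate $start -EndDate $end
$trace | Select-Object Received, Subject, Status, MessageId | Format-Table -AutoSize

# Hop-by-hop detail for the first hit (gives the MessageId to search on)
if ($trace) { $trace[0] | Get-MessageTraceDetail | Format-Table -AutoSize }

# 3. Unified audit log: who created or changed rules, from which client and IP.
#    Rule creation is logged even when the sign-in itself looks clean.
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $mailbox `
    -Operations 'New-InboxRule','Set-InboxRule','UpdateInboxRules' -ResultSize 500 |
    Select-Object CreationDate, Operations, ClientIP, AuditData |
    Format-List

Disconnect-ExchangeOnline -Confirm:$false

# 4. Content search (Purview) reaches every folder of the mailbox, Recoverable
#    Items included, so a message moved by a rule or soft-deleted still turns up.
Connect-IPPSSession -UserPrincipalName 'admin@example.com'
New-ComplianceSearch -Name 'ACH-trace' -ExchangeLocation $mailbox `
    -ContentMatchQuery 'subject:"ACH"' | Out-Null          # assumed search name/query
Start-ComplianceSearch -Identity 'ACH-trace'
Start-Sleep -Seconds 60
Get-ComplianceSearch -Identity 'ACH-trace' | Select-Object Status, Items, Size
```

Once the search completes, the hit count tells you whether the message still exists anywhere in the mailbox; a zero with a positive message trace means it was hard-deleted, which the trace still proves.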
 