Mail fraud with Outlook implication

Looks like they are on 365, so log into the Outlook account and go to the settings, follow my instructions above.

Larry, I have a great onboarding list you can have if you message me. I do this for almost all my clients so I know everything before I determine how to fix a problem.
 
Not this time, based on the header of the sample I received.


Agreed. Maybe we should go back to faxing, like the medical system here. LOL


I'll have to verify that they have 2FA but I think so.
If they have MFA and were compromised on this level, then the machine of the user has malware on it that's forwarding session cookies.

That's nuke and pave territory. EVERY SINGLE DEVICE that person owns, must be nuked and paved. If it runs Android or iOS it needs replacement, factory reset isn't good enough.

What NLine posted is what you do on the M365 side to contain the impacted account. But if you reset passwords and rebuild auth tokens you're right back to square 1 if a trusted machine has malware on it.
 
Larry has been sending me headers. Looks like this is a misspelled domain name. All the legit stuff is based in Canada. The fake is using O365 based in the USA. Very targeted spearphishing campaign here.

Edit: never mind. It is a hacked account.
 
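A worked header check for the two situations raised above (a misspelled lookalike domain versus a message that really comes from the legitimate domain and authenticates, which points at a compromised account rather than spoofing). This is an added example, not anything posted in this thread; the domains, addresses and header lines are constructed, and the legitimate domain is a placeholder.

```python
"""Triage raw email headers: lookalike sender domain vs. authenticated real domain."""
from email import message_from_string
from email.utils import parseaddr
import re

LEGIT_DOMAIN = "example-corp.ca"  # assumption: the organisation's real domain (placeholder)

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against the real domain flags a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header_value: str) -> str:
    """Domain part of an address header such as From or Return-Path."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def auth_results(raw: str) -> dict:
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m: v for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", raw or "")}

def triage(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    frm = sender_domain(msg.get("From", ""))
    auth = auth_results(msg.get("Authentication-Results", ""))
    dist = levenshtein(frm, LEGIT_DOMAIN)
    if frm != LEGIT_DOMAIN and dist <= 2:
        verdict = "lookalike-domain"          # typosquat: block the domain, warn users
    elif frm == LEGIT_DOMAIN and auth.get("spf") == "pass" and auth.get("dkim") == "pass":
        verdict = "authenticated-legit-domain"  # not spoofed: treat the mailbox as compromised
    elif frm == LEGIT_DOMAIN:
        verdict = "spoofed-legit-domain"      # real domain, failed auth: DMARC/SPF problem
    else:
        verdict = "unrelated-domain"
    return {"from": frm, "return_path": sender_domain(msg.get("Return-Path", "")),
            "auth": auth, "distance": dist, "verdict": verdict}

# Constructed samples (not real headers). "exarnple" is "example" with m -> rn.
LOOKALIKE = ("From: Accounts <ap@exarnple-corp.ca>\nReturn-Path: <ap@exarnple-corp.ca>\n"
             "Authentication-Results: spf=pass smtp.mailfrom=exarnple-corp.ca; "
             "dkim=pass header.d=exarnple-corp.ca; dmarc=pass\nSubject: Updated banking details\n\nbody\n")
COMPROMISED = ("From: Accounts <ap@example-corp.ca>\nReturn-Path: <ap@example-corp.ca>\n"
               "Authentication-Results: spf=pass smtp.mailfrom=example-corp.ca; "
               "dkim=pass header.d=example-corp.ca; dmarc=pass\nSubject: Updated banking details\n\nbody\n")

if __name__ == "__main__":
    for sample in (LOOKALIKE, COMPROMISED):
        print(triage(sample))
```

The second verdict is the case in the edit above: SPF and DKIM pass for the real domain, so the mail was sent through the tenant itself and the response is account containment, not a domain block.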
It's at this point that I point out that if M365 is being bought via Godaddy, Godaddy is the reseller of record... and as such Godaddy and its federated authentication system has God level access to the M365 tenant in question.

In other words... if a Godaddy account gets hacked, every Godaddy M365 tenant can get hacked too.

This is why Microsoft REQUIRES MFA for Partner admin accounts, and now demands that all partner tenants have security defaults enabled at least.
 