Weird hack I can't figure out

callthatgirl
Well-Known Member, Vendor, Rochester MN
Client I set up last month with 365, security setup, all fine. Last Friday, her account started sending out a message about an e-services alert filing with an HTML attachment.
She started hearing from people she didn't know, the usual. She has only 1 contact in her Exchange. I got the alert too after I looked; again, I'm not in her database.

Today when I helped her, I found a lot of weird things going on. She did have a rule on for these e-service bounces to go to RSS, so I told her she was hacked. She swore up and down she never gave out her password. I can't find the original sent email anywhere, not even in Deleted.

Her admin center shows the hackers all over the world, so I told her she did get hacked somehow. Did all I could to stop that, but we are now wondering: if she didn't give it out, how did they get in and bypass the MFA?

In her devices we found her old Samsung tablet, which she never set up the new email on. But yet, there it was. I told her that I think her Gmail account with her 3 devices got compromised somehow. I read about something like this on Technibble last month; they are bypassing the text code and MFA somehow.

Any ideas?
 
You're recalling the recent topic Gmail hacked (again) from a bit over a week ago.

That would be my only theory if Google is actually doing what was stated. But I can't understand why one would not receive a warning email from Gmail that such has been done. I get notices from Gmail any time I log in to an account on a machine I've not previously used.
 
She didn't have any security on in Gmail, so I set it up for her.

I don't think we will figure it out but I remembered that post when I was helping her.

thanks for the link!
 
Yep, all she had to do was visit the wrong link and it would look, act and smell like M365 because it was, and as soon as she logged in, BOOOM, her account wasn't hers anymore.
 
It's shockingly easy once you have the "infrastructure" to steal cookies.

Good video. Although I didn't really like the presenter's attitude. He was all too giddy about how phishing was an art and fun and cool. He didn't seem at all concerned that a bunch of wannabe script kiddies are going to use his video for nefarious purposes.
 
Good video. Although I didn't really like the presenter's attitude. He was all too giddy about how phishing was an art and fun and cool. He didn't seem at all concerned that a bunch of wannabe script kiddies are going to use his video for nefarious purposes.
You say these things like it makes a difference. We have entire economies built on these actions; there is no influencing it like this.

If anything, he's showing how everyone on this board should be jacking up their rates. After all, you can make more being dishonest than you can being honest, and if the market doesn't want to pay for security then you can extract it for its insecurity. It's easier, and vastly more lucrative... And worse... there are zero consequences in most cases.
 
You say these things like it makes a difference. We have entire economies built on these actions; there is no influencing it like this.

Exactly - and this isn't new, either! I had an FBI cyber guy as a residential client a dozen years ago at least - he invited me and a half-dozen friends in IT to a presentation they were giving where they detailed how entire towns in Romania were supported by the malware industry. It was stupefying to learn how big the "bad guy world" was, and that was a long time ago! That, combined with the near-impossibility of justice because of the number of international borders between the bad actors and the victims made for an infuriating experience.

I suppose you could disable hyperlinks altogether in Outlook with a group policy, but those determined users would just copy and paste the phishing link then. I've always said it was a cat & mouse game between the good guys and the bad guys, but I think a more-realistic description is way more lopsided - and the good guys aren't winning.
 
I've always said it was a cat & mouse game between the good guys and the bad guys
As have I.

And the biggest reason that the bad guys win is PEBKAC.

One of the axioms to the Peter Principle I once read, and have always firmly believed: It is impossible to make anything foolproof because fools are just too darned ingenious!

[Smart and ingenious when determined are not one and the same.]

That's one of the reasons I still firmly believe that those who believe there is any way to technologically "armor ourselves" against hacking are deluded. In the end, the issue almost always comes down to a user doing something that they shouldn't do, and should have known they shouldn't do, and regretting it almost before "the click button" has been released. A moment's thought before that click would probably solve way more than 95% of everything. But we're talking people here, so that's never gonna happen, and it's what scammers/hackers rely upon.
 
This exploit uses the zip domains that I posted on before.

I remember that post, at least somewhat. I also seem to recall saying that all phishing relies on social engineering, which it does, and while these domains make "ease of social engineering" simpler, if end users follow the rule, always, that if it's something trying to direct you to click through to an existing account/service - don't. Go to that account/service website, by hand, and if the link was legit you can be sure the same will be in your Messages function on that account/site.

The example that was given at the beginning of that video made me scratch my head at how anyone in a business setting would believe that Microsoft would be asking them to update OneDrive (as this sounded, to me, like it was in "a large organization"). That's always the IT department's job in that setting, and for anyone who doesn't have an IT department, I drill them early on about never using click-through links at all for "sensitive" activities even if the message seems to be 100% legitimate. You always log in to the account yourself, after having manually navigated to the site that appears to have sent the message.

We're never going to get away from social engineering, period. But "the general population" of computer users can wise up to a much greater extent than they have, and they need to.

Someone else here once proposed a "three strikes you're out" kind of thing for employees that fall for phishing more than once. I firmly believe in that because the old saw, "Fool me once, shame on you; Fool me twice, shame on me," applies as should, "Once burned, twice shy."
 
if end users follow the rule, always, that if it's something trying to direct you to click through to an existing account/service - don't. Go to that account/service website, by hand, and if the link was legit you can be sure the same will be in your Messages function on that account/site.
Hear, hear.
 
Hear, hear.

It really comes down to personal and/or professional responsibility based on well-known (as in it's been going on for decades now) prevailing conditions.

In most large organizations "never click through" is a part of your basic training. I know, all too well, that humans are the weakest link in the security chain, but they are also the first line of defense, and it's only by strengthening that link, and having consequences for employees that consistently ignore direction, that there is any chance of fixing it.

The technological armoring, including all that's documented in the previously referenced video, actually makes it more difficult for your average user to even realize they have been compromised. That is not doing a darned thing to enhance security, in fact, it degrades it. And if that video does not prove, again, that there is no technological armor that can't be pierced by those who want to, nothing will. And when the piercing is sufficiently masked that the person that allowed the breach doesn't even know it, that makes matters much, much worse.

Human factors matter far more than the technological ones, when it comes right down to it. Most of this s**t is invited in the front door through direct user action when falling for any one of many "not new" social engineering tricks.
 
How about you just don’t provide the users with the password and MFA app for their 365?

I'm sorry sir, but...

You just told me you do not understand the problem, without telling me you don't understand the problem. I can't take the chance this might be a joke, and if the misunderstanding is real... We need to fix that!

There are only three mechanisms to avoid authorization cookie theft available for M365 users right now. (This actually applies to any online resource, but GSuite / M365 are the larger targets)

1.) Conditional Access policy that limits access to M365 services to only "compliant" devices. This means Entra ID AND Intune JOINED devices.

This access pathway disables BYOD. It means corporate-owned devices only, just like the days of AD on premise. It's very secure, but few, especially SMBs, will go for this solution.

2.) Conditional Access policy with Authentication Strength policy enforcing the use of a FIDO2 key for login.

This access pathway still generates an authorization token that can be stolen, but it cannot be decrypted because the FIDO2 signature isn't present.

SMBs can do the FIDO2 key thing pretty easily, but I've had issues due to some cell phones lacking NFC technology to make them convenient to use, not to mention them getting lost, broken or otherwise rendered inoperable.

Then we fall back to protection number 3... one that I offer to most of my current customers and one that isn't generally available here on this board.

3.) 24/7 live monitoring by an active SOC with Azure Sentinel configured in specific ways to ensure anomalous logins are caught and terminated on the fly.

Use of Phone Sign-on doesn't help anymore because the login to the M365 environment is the live M365 environment; the user will authenticate via their phone and the authorization cookie that's passed back to the browser logging in will be just as stolen. Phone Sign-on does NOTHING here. MFA does NOTHING here. If you can get the user to click on the wrong link to hit your proxy, you can get whatever you want after they login, and they can login with any valid authentication process available.

This isn't like the junk we used to see... The bad site isn't just a form that looks like M365, it *is* M365.
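Added example, not code from this thread or from Microsoft: an offline triage script that looks for the two things the original poster actually saw (sign-ins from around the world on an account that never typed its password into a fake page, and a mailbox rule shoving the e-services bounces into RSS) and that protection number 3 above is meant to catch live. It runs over constructed, invented sample records whose field names are simplified from the Entra sign-in log and the Exchange unified audit log; the 60-minute window, the list of "hiding" folders and the sample IPs are my assumptions. The detail string "MFA requirement satisfied by claim in the token" is what Entra reports when a token already carries the MFA claim, which is exactly what a replayed session cookie looks like: no second factor was performed.

```python
"""Triage Entra sign-in and Exchange audit exports for an adversary-in-the-middle
session replay (added example, not from the thread or from Microsoft)."""
from datetime import datetime

# Constructed sample sign-in export (assumed field names, invented values).
# The tell-tale of a replayed session cookie is a NON-interactive sign-in that
# reports "MFA requirement satisfied by claim in the token": nobody did MFA,
# the stolen token simply carried the claim with it.
SIGNIN_LOG = [
    {"time": "2024-06-07T14:02:10", "user": "owner@example.com", "ip": "203.0.113.7",
     "country": "US", "session": "sess-A1", "interactive": True,
     "detail": "MFA requirement satisfied by strong authentication"},
    {"time": "2024-06-07T14:09:41", "user": "owner@example.com", "ip": "198.51.100.23",
     "country": "NG", "session": "sess-A1", "interactive": False,
     "detail": "MFA requirement satisfied by claim in the token"},
    {"time": "2024-06-07T14:11:05", "user": "owner@example.com", "ip": "192.0.2.77",
     "country": "RU", "session": "sess-A1", "interactive": False,
     "detail": "MFA requirement satisfied by claim in the token"},
    {"time": "2024-06-07T16:30:00", "user": "owner@example.com", "ip": "203.0.113.7",
     "country": "US", "session": "sess-B2", "interactive": True,
     "detail": "MFA requirement satisfied by strong authentication"},
]

# Constructed sample from the unified audit log: the rule that hid the bounces,
# plus a harmless rule change by the real owner later the same day.
AUDIT_LOG = [
    {"time": "2024-06-07T14:12:30", "user": "owner@example.com", "ip": "198.51.100.23",
     "operation": "New-InboxRule",
     "parameters": {"Name": ".", "SubjectContainsWords": "e-services;undeliverable",
                    "MoveToFolder": "RSS Feeds", "MarkAsRead": "True"}},
    {"time": "2024-06-07T16:35:00", "user": "owner@example.com", "ip": "203.0.113.7",
     "operation": "Set-InboxRule",
     "parameters": {"Name": "Newsletters", "MoveToFolder": "Reading"}},
]

REPLAY_WINDOW_MIN = 60   # assumed: how soon after the real login we expect reuse
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items",
                  "archive", "conversation history"}   # folders nobody reads
EXFIL_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo", "DeleteMessage",
                "ForwardingSmtpAddress"}


def _ts(value):
    return datetime.fromisoformat(value)


def find_session_replay(signins, window_min=REPLAY_WINDOW_MIN):
    """Return sign-ins that reuse a session, first authenticated interactively in
    one country, from a different country within window_min minutes and without
    a fresh MFA. Impossible travel alone would also fire; the shared session id
    and the 'claim in the token' detail are what point at cookie theft rather
    than a travelling user."""
    by_session = {}
    for rec in sorted(signins, key=lambda r: r["time"]):
        by_session.setdefault(rec["session"], []).append(rec)
    findings = []
    for recs in by_session.values():
        origin = recs[0]
        for later in recs[1:]:
            minutes = (_ts(later["time"]) - _ts(origin["time"])).total_seconds() / 60
            if (later["country"] != origin["country"]
                    and minutes <= window_min
                    and not later["interactive"]
                    and "claim in the token" in later["detail"]):
                findings.append({
                    "user": later["user"], "session": later["session"],
                    "origin_ip": origin["ip"], "origin_country": origin["country"],
                    "ip": later["ip"], "country": later["country"],
                    "minutes_after_login": round(minutes, 1),
                    "reason": "session reused from another country, MFA claimed not performed",
                })
    return findings


def find_hiding_rules(audit, suspicious_ips=frozenset()):
    """Return mailbox-rule changes that move mail into folders people never read,
    delete it, or forward it out, noting whether the change came from an IP
    already flagged by find_session_replay."""
    findings = []
    for rec in audit:
        if rec["operation"] not in RULE_OPERATIONS:
            continue
        params = rec["parameters"]
        hides = params.get("MoveToFolder", "").lower() in HIDING_FOLDERS
        exfil = sorted(p for p in EXFIL_PARAMS if p in params)
        if hides or exfil:
            findings.append({
                "user": rec["user"], "time": rec["time"], "ip": rec["ip"],
                "operation": rec["operation"], "rule_name": params.get("Name"),
                "hides_mail": hides, "exfil_params": exfil,
                "from_suspicious_ip": rec["ip"] in suspicious_ips,
            })
    return findings


def triage(signins, audit):
    """Combine both checks; a hit in both is strong evidence of an AiTM takeover."""
    replays = find_session_replay(signins)
    rules = find_hiding_rules(audit, {f["ip"] for f in replays})
    return {"session_replays": replays, "hiding_rules": rules,
            "likely_aitm": bool(replays) and any(r["from_suspicious_ip"] for r in rules)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SIGNIN_LOG, AUDIT_LOG), indent=2))
```

Run it as-is and the owner's own rule edit from the US is ignored while the two foreign reuses of sess-A1 and the rule created from the first of those IPs are flagged together. On a real tenant the same logic is what you would put behind a Sentinel analytics rule; the response that matters once it fires is to revoke the user's sessions (so every stolen cookie dies) and delete the rule, since resetting the password alone leaves the replayed token valid until it expires.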
 
One of us needs to rewatch the video that sparked this discussion. The URL in the video I watched appeared to have a URL of .zip.
URL of .zip changes nothing in this conversation, other than provide an additional potential threat vector of OS shells misinterpreting a MIME type.
 