Weird O365 Compromise

thecomputerguy

Non-MSP client compromised, usual thing, token theft.

The weird thing about this one is that they purchased 3 domains through their tenant through M365, using my client's saved payment info, then created users, then deleted the users. So the users are now sitting in the deleted users section. (vacalug.net and swuk.org are the other two).


They changed some contact info in Azure.

I don't see the point of this here.

When I try to delete the domain out of the tenant I get:

When I go into the billing section for the purchase there is no option to cancel the subscription ... only to disable recurring billing:

What in the world ... they obviously got hold of the credentials for one of the GAs. This is not a best practice place, they are a landscaping company with 5 people so best practice and ongoing support isn't a thing for them.
 
Had someone this week, same thing, except the credit card on file had just expired, so a new card, I assume stolen, was loaded and bought 4 or 5 domains with it. Never had seen that before.
 
The domains are purchased with GoDaddy, and their control is available via another GoDaddy account.
It looks like the registrar is Wild West Domains for all of them:


Why is Microsoft not allowing me to remove them if the registrar is Wild West Domains ....

Did they actually buy them from MS and then immediately transfer them or something? Figured that'd be impossible since it takes a couple of days for that to go through.

There is billing for the domain on the Microsoft bills side though for Domain registration but oddly the only bill is for:

$15.00 vacalug.net

Actually,

swuk.org and kindred-lcr.net failed payment through Microsoft.

Maybe they cancelled the card in time ... I haven't been able to get ahold of anyone over there yet.
 
You still have GA access? If so, you can clean things up, restore your users, and at least remove the (scammers' domains) from the legit users, and delete the users the scammers created. Of course thoroughly looking for additional GA accounts, thoroughly looking for registered enterprise apps and deleting them (a pain in old tenants that have collected lots of garbage... but a must!)... and disconnecting all existing sessions, change all user creds, set up your users, find where the bad guys logged in from and at least block that geolocation if outside the regular use area. And get a ticket open with GoDaddy just to at least get it documented with them... in case more shenanigans happen down the road in this tenant.
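An added triage script, not from this thread, that walks the checklist above with the Microsoft Graph PowerShell SDK; the domain list and the 14-day window are constructed values, and it assumes the Microsoft.Graph module is installed and the operator still has a working Global Administrator login. Alias removal itself is done per mailbox in Exchange Online, which the script only points to.

```powershell
# Added triage script (not from the thread). Assumes the Microsoft.Graph PowerShell
# module is installed and the account used still holds Global Administrator.
# $FraudDomains and the 14-day window are constructed values; adjust for the incident.
$FraudDomains = @('vacalug.net', 'swuk.org', 'kindred-lcr.net')
$Since = (Get-Date).AddDays(-14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All',
                        'AuditLog.Read.All', 'Application.Read.All'

# 1. Current Global Administrators: any name you do not recognise is a second foothold.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
Write-Host '--- Global Administrators ---'
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# 2. Soft-deleted users stay restorable for 30 days; review the attacker-created
#    ones (and their deletion time) before purging them permanently.
Write-Host '--- Deleted users ---'
Get-MgDirectoryDeletedItemAsUser -All |
    Select-Object DisplayName, UserPrincipalName, DeletedDateTime

# 3. Live users carrying an alias on a fraudulent domain. Removal is done per
#    mailbox in Exchange Online (Set-Mailbox -EmailAddresses @{remove=...}), not here.
Write-Host '--- Users with fraudulent aliases ---'
Get-MgUser -All -Property Id, UserPrincipalName, ProxyAddresses | ForEach-Object {
    $bad = @($_.ProxyAddresses | Where-Object {
        $addr = $_; ($FraudDomains | Where-Object { $addr -like "*@$_" }).Count -gt 0 })
    if ($bad.Count -gt 0) {
        [pscustomobject]@{ User = $_.UserPrincipalName; FraudAliases = ($bad -join ';') }
    }
}

# 4. Delegated consents: an attacker-registered enterprise app usually shows up here
#    as a grant nobody in the tenant remembers approving.
Write-Host '--- OAuth2 permission grants ---'
Get-MgOauth2PermissionGrant -All | Select-Object ClientId, ConsentType, PrincipalId, Scope

# 5. Sign-ins in the window, grouped by user, country and result (ErrorCode 0 = success).
#    Entries for already-deleted users are expected: the log keeps them after deletion.
Write-Host '--- Sign-ins by user/country/result ---'
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $Since" |
    Group-Object { "$($_.UserPrincipalName)|$($_.Location.CountryOrRegion)|$($_.Status.ErrorCode)" } |
    Sort-Object Count -Descending | Select-Object Count, Name

# 6. Invalidate every existing session so stolen tokens stop working, then reset
#    passwords and re-register MFA for each user.
Get-MgUser -All -Property Id, UserPrincipalName | ForEach-Object {
    Revoke-MgUserSignInSession -UserId $_.Id | Out-Null
    Write-Host "Revoked sessions for $($_.UserPrincipalName)"
}
```

Step 5 needs the sign-in log that Microsoft Entra exposes to Graph, which a small tenant may only have for a short retention window; run it before the window closes.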
 
Another weird thing is that the bad actors still show as having had active successful logins as of today even though they have been deleted from the tenant.

No recent enterprise apps within the compromise period.
 
I understand you cannot remove the domains...
BUT... what I was saying, you should be able to remove those domains from the users' additional aliases!
Go to user manager... click on properties for a user... you'll see their default domain (default login username)... and you'll usually see by default ALL the other domains that the tenant has connected to it.
So you can have, say, phazed@thecomputerguy dot com for your primary user login. But you can also have phazed@throwawaydomain dot com and fuzzy@thatdomaintoo dot com... under the same user. You should be able to DELETE those additional aliases under each user you restore... so that you only have phazed@thecomputerguy dot com remaining.

Not done under the domains...

But... done under admin panel... users... or if you want, Azure AD admin. Either way.
 
Ah, I see what you are saying, but no additional aliases were set up for any user account.

Obviously it's there as an available alias to use now that it is in Domains, but these fraudulent domains were not added as aliases to the primary users.

I didn't check if the fraudulent users got an alias under the primary domain, but they have been perma-deleted. I don't even think they got mailboxes, but I can't check now that they are gone, gone.
 