So if you find that one day you came into work and 2000 or so emails have been sent by you to all your contacts follow these simple steps to remediate the email breach.
Step 1. Change your password immediately
Your first step after an office 365 email account has been compromised is to change your password immediately.
Log into your office 365 portal by going to portal.office.com
Then click on your profile in the top right corner and click view account
Then click on password
After clicking on password type in your old password and new one
NOTE: If you have difficulties changing this password then your Global Administrator for Office 365 can change this for you.
Step 4. Identify what emails have been sent
Now you have the date and time the compromised occurred you need to identify what emails were sent from that point in time onward.
- Login to the admin console of office 365
- Click on the Admin console
3. Then click on exchange admin center
4. Click on Mail flow/message trace
5. Run the message trace from a time period before the compromise took place to the time you changed the password. Then run the message trace on the user that was compromised.
6. Export the message trace to CSV then remove all legitimate emails from the spread sheet only leave non legitimate emails in the spread sheet. You will need to harvest those email addresses that the emails were sent to.
Step 5. Notify user that you sent them an unsolicited email
As discussed on the OAIC website you have an obligation to notify the recipient’s of the email.
The OAIC states that you must provide the following information in your notification
- your organisation or agency’s name and contact details
- a description of the data breach
- the kinds of information involved
- recommendations about the steps individuals should take in response to the data breach
Here is an example template used to sent to recipients that received the unsolicited emails from your account.
Step 7. Turn on 2FA for all accounts in office 365
- Log back into the office 365 portal as a global admin
- Then click on the Admin portal
3. From there click on Azure Active Directory, Then click All users then multifactor authentication
4. Once in users MFA apply enforce MFA for office 365 MFA office 365
Preventing office 365 hacks in the future
There’s an old saying that an ounce of prevention is better than a pound of cure. The same applies to Email security. When we protect office 365 we perform the following steps to secure your organizations data.
- Turn on MFA as explained above
- Point MX records to a cloud email filtering solution
- Turn on advanced Sentinel email security for office 365 to office 365 mailboxes
- Setup office 365 mailbox backups
- Turn on Auditing and logging in office 365 and use a 3rd party tool to harden your office 365 setup
- Setup Security awareness training campaign
- Setup DKim and Dmarc records
Use a cloud security appliance to filter emails into and out of office 365
We use Barracuda email filtering for our clients. It blocks allot of the emails before they hit office 365. Also we setup office 365 to only receive emails from the barracuda appliance and all outbound emails go through the appliance. This greatly reduces the amount of illegitimate emails going into and out of office 365.
Use a office 365 mailbox scan tool
When an account in office 365 has been compromised hackers will normally try to cover their tracks by creating outlook rules that delete emails.
Also they will attempt to log into office 365 from an alternate location. With office 365 mailbox scanning software early detection can happen there by minimizing the impact of an account take over. For example our software will notify when it detects an unusual pattern of behavior. EG you suddenly start logging into office 365 from Europe when normally you log in from Australia. Or a hole heap of outlook rules have been created. Or your email account is setup to auto forward to an external email account. If you run a professional services business where you keep allot of confidential data this tool will help secure your network.
Why you need office 365 Backups
Just because your emails and data are in the cloud doesn’t mean they are protected. Microsoft does not have a responsibility to keep your data backed up. Just like running on premises your data needs to be backed up for two main reasons.
- In case you get hit by ransomware
- In case your staff delete data or critical emails
We use a cloud to cloud backup solution that backs up your office 365 infrastructure with unlimited retention.