Email hack check

Steps to follow after your Office 365 account has been hacked.

Each email compromise or hacked account is a little different, and the country in which your email resides determines what level of breach reporting you need to do.

This article has been written for email compromises of Office 365 for business in Australia.


So if one day you come into work and find that 2000 or so emails have been sent from your account to all your contacts, follow these simple steps to remediate the email breach.

Step 1. Change your password immediately

Your first step after an Office 365 email account has been compromised is to change your password immediately.

Log into your Office 365 portal by going to portal.office.com

Then click on your profile in the top right corner and click View account

Then click on Password

After clicking on Password, type in your old password and your new one

NOTE: If you have difficulties changing this password, your Global Administrator for Office 365 can change it for you.

Step 2. Identify how emails have been sent

Under Australian law it is important to follow the OAIC guidelines on what to do when a breach occurs.

In Australia you need to notify the affected users about the breach. So the second step normally entails identifying when the breach/compromise occurred and from where. This information can be gathered by looking at the login history in Office 365.

  1. Log into the Office 365 Security and Compliance Center

There are a few things we want to look at here, but the first is to identify the date on which the unusual logins started.

NOTE: The next four steps will only work if you have auditing turned on. If you don't have auditing turned on, turn it on, and for this step you will need to run a PowerShell script to extract the login info. Follow this guide here, then continue on.

  2. Go to Search, then Audit log search

  3. Choose the start date (I usually go back a few weeks or months before you noticed the activity)

  4. Choose the end date (this should be the day you changed the compromised account's password)

  5. Choose the user that was compromised and click Search

[Image: Audit log search in the Office 365 Security and Compliance Center]

Step 3. Identify when the issue started

Now that you have a list of logins, look for the first login from an unidentified IP address. Most likely it will come from a different country.

For example, in the case below logins most commonly come from Brisbane. The first sign of unusual activity was a login from Chicago; this helps deduce the time and date the compromise first occurred.

[Image: Office 365 login history showing the usual Brisbane logins and the first login from Chicago]
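As an added worked example that is not part of the original article, the Python script below does the Step 2 and Step 3 work on an audit log export. It assumes the export is a CSV with CreationDate, UserIds, Operations and AuditData columns, the last holding the event as JSON (adjust the names if your export differs); it counts successful logins per client IP to establish the user's normal baseline, then returns the first successful login from outside the networks you know (the Brisbane office in the article's example). The user, IP addresses and events are constructed sample data; the known-network list is something you supply.

```python
import csv
import io
import json
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed export layout: one row per event, with the event detail as JSON in
# the AuditData column. Adjust the names if your export differs.
EXPORT_COLUMNS = ["CreationDate", "UserIds", "Operations", "AuditData"]

# Constructed sample data (made-up user, RFC 5737 documentation addresses).
# 203.0.113.0/24 stands in for the Brisbane office; 198.51.100.77 for the
# unexpected overseas login in the article's example.
USER = "jane@example.com.au"
SAMPLE_EVENTS = [
    # (CreationTime, Operation, ClientIP, ResultStatus), deliberately unsorted
    ("2019-05-06T08:03:19", "UserLoggedIn", "203.0.113.10", "Succeeded"),
    ("2019-04-29T08:01:12", "UserLoggedIn", "203.0.113.10", "Succeeded"),
    ("2019-04-30T08:05:40", "UserLoggedIn", "203.0.113.10", "Succeeded"),
    ("2019-05-01T07:58:03", "UserLoggedIn", "203.0.113.12", "Succeeded"),
    ("2019-05-03T21:58:27", "UserLoggedIn", "198.51.100.77", "Failed"),
    ("2019-05-03T22:14:09", "UserLoggedIn", "198.51.100.77", "Succeeded"),
    ("2019-05-03T22:20:51", "New-InboxRule", "198.51.100.77", "Succeeded"),
]


def make_sample_export(events=SAMPLE_EVENTS, user=USER):
    """Write the constructed events in the assumed export format (returns CSV text)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(EXPORT_COLUMNS)
    for when, op, ip, status in events:
        audit = {"CreationTime": when, "Operation": op, "UserId": user,
                 "ClientIP": ip, "ResultStatus": status}
        writer.writerow([when, user, op, json.dumps(audit)])
    return buf.getvalue()


def parse_export(csv_text):
    """Return the AuditData records oldest first, whatever order the export came in."""
    rows = [json.loads(r["AuditData"]) for r in csv.DictReader(io.StringIO(csv_text))]
    return sorted(rows, key=lambda e: e["CreationTime"])


def successful_logins(csv_text, user):
    """Only successful UserLoggedIn events for the user; failed attempts are dropped."""
    return [e for e in parse_export(csv_text)
            if e["Operation"] == "UserLoggedIn" and e["UserId"] == user
            and e["ResultStatus"] == "Succeeded"]


def logins_by_ip(csv_text, user):
    """Count logins per client IP: the addresses with the most logins are the normal baseline."""
    counts = {}
    for e in successful_logins(csv_text, user):
        counts[e["ClientIP"]] = counts.get(e["ClientIP"], 0) + 1
    return counts


def first_unknown_login(csv_text, user, known_networks):
    """Earliest successful login from outside known_networks as (datetime, ip), or None.

    That timestamp is the starting point for the message trace in Step 4.
    """
    nets = [ip_network(n) for n in known_networks]
    for e in successful_logins(csv_text, user):
        ip = ip_address(e["ClientIP"])
        if not any(ip in net for net in nets):
            return datetime.fromisoformat(e["CreationTime"]), e["ClientIP"]
    return None


if __name__ == "__main__":
    export = make_sample_export()
    print("logins per IP:", logins_by_ip(export, USER))
    print("first unknown login:", first_unknown_login(export, USER, ["203.0.113.0/24"]))
```

The export is sorted by CreationTime before anything else, so it does not matter whether the portal gave it to you newest-first. The failed attempt from the foreign address is left out of the compromise time, because the attacker had not yet got in at that point, but it is still the earliest sign of activity and worth recording in your incident notes.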

Step 4. Identify what emails have been sent

Now that you have the date and time the compromise occurred, you need to identify what emails were sent from that point onward.

  1. Log into the admin console of Office 365
  2. Click on the Admin console

[Image: Office 365 admin console]

  3. Then click on Exchange admin center

  4. Click on Mail flow, then Message trace

  5. Run the message trace on the user that was compromised, covering the period from before the compromise took place to the time you changed the password.

  6. Export the message trace to CSV, then remove all legitimate emails from the spreadsheet, leaving only the illegitimate ones. You will need to harvest the email addresses those emails were sent to.
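The spreadsheet clean-up in step 6 can be scripted. The following is an added example, not code from the article: it reads a message trace CSV export (the column names are an assumption; adjust the FIELD_ constants to match your export), keeps only messages the compromised account sent at or after the compromise time found in Step 3, picks out the subjects that were sent in bulk (the attacker's campaign stands out from the one or two legitimate messages the user sent in the same window), and returns the unique addresses that actually received one of those messages, which is the list of recipients to notify in the next step. The trace rows, addresses and subjects are constructed sample data.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumed column names for the exported message trace (an assumption, not the
# documented export format); change these to match the headers in your file.
FIELD_TIME = "date_time_utc"
FIELD_FROM = "sender_address"
FIELD_TO = "recipient_address"
FIELD_SUBJECT = "message_subject"
FIELD_STATUS = "status"

COMPROMISED = "jane@example.com.au"                 # constructed
COMPROMISE_TIME = datetime(2019, 5, 3, 22, 14, 9)   # first foreign login from Step 3

# Constructed sample trace: one legitimate message before the compromise, the
# attacker's burst of identical messages after it (one of which bounced, one
# recipient hit twice), and one legitimate reply the user sent the next morning.
SAMPLE_TRACE_CSV = """date_time_utc,sender_address,recipient_address,message_subject,status
2019-05-02T03:15:00,jane@example.com.au,bob@example.com.au,Q2 invoices,Delivered
2019-05-03T22:31:04,jane@example.com.au,alice@partner.example,Important document shared,Delivered
2019-05-03T22:31:05,jane@example.com.au,carol@customer.example,Important document shared,Delivered
2019-05-03T22:31:05,jane@example.com.au,dave@example.net,Important document shared,Delivered
2019-05-03T22:31:06,jane@example.com.au,erin@old-domain.example,Important document shared,Failed
2019-05-03T22:31:07,jane@example.com.au,alice@partner.example,Important document shared,Delivered
2019-05-04T08:10:22,jane@example.com.au,bob@example.com.au,Re: Q2 invoices,Delivered
"""


def messages_after(csv_text, sender, since):
    """Rows the compromised account sent at or after the compromise time."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row[FIELD_FROM].lower() != sender.lower():
            continue
        if datetime.fromisoformat(row[FIELD_TIME]) >= since:
            out.append(row)
    return out


def campaign_subjects(messages, min_count):
    """Subjects sent at least min_count times: a mass mailing repeats one subject."""
    counts = Counter(m[FIELD_SUBJECT] for m in messages)
    return {subject for subject, n in counts.items() if n >= min_count}


def campaign_recipients(csv_text, sender, since, min_count):
    """Unique addresses that actually received a campaign message (the list to notify).

    Bounced messages (status other than Delivered) are excluded because nobody
    received them; duplicates collapse so each recipient is notified once.
    """
    msgs = messages_after(csv_text, sender, since)
    subjects = campaign_subjects(msgs, min_count)
    recipients = {m[FIELD_TO].lower() for m in msgs
                  if m[FIELD_SUBJECT] in subjects and m[FIELD_STATUS] == "Delivered"}
    return sorted(recipients)


if __name__ == "__main__":
    # With a real 2000-message incident a threshold of a few hundred is sensible;
    # 3 fits the constructed sample.
    for address in campaign_recipients(SAMPLE_TRACE_CSV, COMPROMISED, COMPROMISE_TIME, 3):
        print(address)
```

The threshold is what separates the campaign from normal traffic: the reply to "Q2 invoices" sent the next morning is a single message and stays out of the list, while the repeated "Important document shared" subject is caught. Do still eyeball what the script drops, since an attacker who sends each message with a different subject will not cluster this way.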

Step 5. Notify users that you sent them an unsolicited email

As discussed on the OAIC website, you have an obligation to notify the recipients of the email.

The OAIC states that you must provide the following information in your notification:

  • your organisation or agency’s name and contact details
  • a description of the data breach
  • the kinds of information involved
  • recommendations about the steps individuals should take in response to the data breach

Here is an example template that can be sent to recipients who received the unsolicited emails from your account.

[Image: example breach notification sent to recipients]

Step 7. Turn on 2FA for all accounts in Office 365

  1. Log back into the Office 365 portal as a global admin
  2. Then click on the Admin portal

  3. From there click on Azure Active Directory, then click All users, then Multi-Factor Authentication

  4. Once in the users' MFA page, enforce MFA for Office 365

[Image: enforcing MFA in Office 365]

Preventing Office 365 hacks in the future

There's an old saying that an ounce of prevention is better than a pound of cure. The same applies to email security. When we protect Office 365 we perform the following steps to secure your organization's data.

  1. Turn on MFA as explained above
  2. Point MX records to a cloud email filtering solution
  3. Turn on advanced Sentinel email security for Office 365 mailboxes
  4. Set up Office 365 mailbox backups
  5. Turn on auditing and logging in Office 365 and use a third-party tool to harden your Office 365 setup
  6. Set up a security awareness training campaign
  7. Set up DKIM and DMARC records

Use a cloud security appliance to filter emails into and out of Office 365

We use Barracuda email filtering for our clients. It blocks a lot of the emails before they hit Office 365. We also set up Office 365 to only receive emails from the Barracuda appliance, and all outbound emails go through the appliance. This greatly reduces the amount of illegitimate email going into and out of Office 365.


Use an Office 365 mailbox scan tool

When an account in Office 365 has been compromised, hackers will normally try to cover their tracks by creating Outlook rules that delete emails.

They will also attempt to log into Office 365 from an alternate location. With Office 365 mailbox scanning software, early detection can happen, thereby minimizing the impact of an account takeover. For example, our software will notify you when it detects an unusual pattern of behaviour, e.g. you suddenly start logging into Office 365 from Europe when normally you log in from Australia, or a whole heap of Outlook rules have been created, or your email account is set up to auto-forward to an external email account. If you run a professional services business where you keep a lot of confidential data, this tool will help secure your network.
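As an added example (not the article's code and not any vendor's product), here is the kind of check such a scanning tool performs, written in Python over unified audit log events. The event shape (Operation, UserId, CreationTime and a Parameters list of Name/Value pairs) is an assumption about the AuditData JSON; the users, rule names and addresses are constructed. It flags inbox rules that delete mail or move it to folders people rarely look at, a burst of rule changes by one user, and mailbox forwarding to a domain outside your own. The unusual-location check is the login baseline shown under Step 3 and is not repeated here.

```python
from collections import defaultdict

# Assumed AuditData shape: Operation, UserId, CreationTime, and Parameters as a
# list of {"Name": ..., "Value": ...}. Users, addresses and rule names are constructed.
SAMPLE_EVENTS = [
    {"CreationTime": "2019-05-03T22:20:51", "UserId": "jane@example.com.au",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "Name", "Value": "Cleanup"},
         {"Name": "SubjectContainsWords", "Value": "invoice;password;hacked"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-05-03T22:22:10", "UserId": "jane@example.com.au",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"CreationTime": "2019-05-03T22:23:40", "UserId": "jane@example.com.au",
     "Operation": "Set-InboxRule", "Parameters": [
         {"Name": "Identity", "Value": "Cleanup"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2019-05-03T22:25:33", "UserId": "jane@example.com.au",
     "Operation": "Set-Mailbox", "Parameters": [
         {"Name": "Identity", "Value": "jane@example.com.au"},
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@mail.example.net"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    # Two ordinary changes by another user that should not be flagged.
    {"CreationTime": "2019-05-06T09:12:00", "UserId": "bob@example.com.au",
     "Operation": "New-InboxRule", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2019-05-06T09:15:42", "UserId": "bob@example.com.au",
     "Operation": "Set-Mailbox", "Parameters": [
         {"Name": "Identity", "Value": "bob@example.com.au"},
         {"Name": "ForwardingAddress", "Value": "carol@example.com.au"}]},
]

# Folders where a rule can park mail without the mailbox owner noticing.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def params(event):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def is_internal(address, internal_domains):
    """True when a forwarding target is inside one of the organisation's own domains."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rsplit("@", 1)[-1] in {d.lower() for d in internal_domains}


def scan_events(events, internal_domains, rule_burst=3):
    """Return findings as (time, user, description), oldest first."""
    findings = []
    rules_touched = defaultdict(int)
    for e in sorted(events, key=lambda x: x["CreationTime"]):
        p = params(e)
        when, user, op = e["CreationTime"], e["UserId"], e["Operation"]
        if op in RULE_OPERATIONS:
            rules_touched[user] += 1
            if p.get("DeleteMessage", "").lower() == "true":
                name = p.get("Name", p.get("Identity", "?"))
                findings.append((when, user, "inbox rule deletes mail: " + name))
            elif p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
                findings.append((when, user, "inbox rule hides mail in folder: " + p["MoveToFolder"]))
            if rules_touched[user] == rule_burst:
                findings.append((when, user, f"{rule_burst} or more inbox rule changes"))
        elif op == "Set-Mailbox":
            target = p.get("ForwardingSmtpAddress") or p.get("ForwardingAddress")
            if target and not is_internal(target, internal_domains):
                findings.append((when, user, "mailbox forwards to external address: " + target))
    return findings


if __name__ == "__main__":
    for when, user, why in scan_events(SAMPLE_EVENTS, ["example.com.au"]):
        print(when, user, why)
```

Bob's rule that files newsletters into a "Reading" folder and his forward to a colleague in the same domain produce nothing, while Jane's sequence produces four findings in order: the delete rule, the rule hiding mail in RSS Feeds, the burst of rule changes, and the external forward. In practice you would feed this the parsed AuditData from a scheduled audit log query rather than a hand-built list.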


Why you need Office 365 backups

Just because your emails and data are in the cloud doesn't mean they are protected. Microsoft does not have a responsibility to keep your data backed up. Just like running on premises, your data needs to be backed up for two main reasons.

  1. In case you get hit by ransomware
  2. In case your staff delete data or critical emails

We use a cloud-to-cloud backup solution that backs up your Office 365 infrastructure with unlimited retention.