Office 365 hackers detected

We consider a company very lucky this week after a close call with a Nigerian threat actor. We received a call from a company we won’t name in this story. They have approximately 100 staff and work with clients around the world in over 40 countries. They came to us with email server issues: Microsoft had notified them that a security issue had been detected on their server, and outgoing emails were being blocked. The company had tried unsuccessfully to get Microsoft to return the system to normal working order; each time the block was removed, it was soon reinstated when further malicious activity was detected.

We started by looking into the server logs and quickly noticed that an unwanted visitor had been in the system. The following log shows an account being accessed from Lagos, Nigeria.

Log showing email account accessed by hackers in Nigeria

Not only that, the account was a Global Administrator, so we had to remove the hackers quickly and also ensure the system hadn’t been compromised further. We immediately enabled multifactor authentication and changed the password on the account. Some authentication methods were already registered on the account, so we removed them in case they gave the hacker a way back in after the password was changed.

Following that, we analysed the audit logs to see what kind of administration tasks the hackers may have performed. Luckily there were none showing in the logs; the hacker must not have known the power they had with this account and simply used it for further phishing and malware propagation. The extensive spam and phishing emails had set off Microsoft’s alarm bells.

Continuous monitoring over the following weeks showed the hackers attempting access again, without success. Wow, they were very lucky.

Unsuccessful login attempts log file.
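The triage described above, as an added Python example that is not part of the original write-up: it runs over constructed sign-in records shaped after the Entra ID / Azure AD sign-in log fields (userPrincipalName, createdDateTime, ipAddress, location, status), flags successful sign-ins by privileged accounts from countries the business does not operate from, and counts the failed attempts that follow remediation. The account names, IP addresses, countries and remediation time are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample records (not real log data), shaped after the Entra ID /
# Azure AD sign-in log fields. errorCode 0 is a successful sign-in; 50126 is
# AADSTS50126, "invalid username or password".
SIGN_INS = [
    {"userPrincipalName": "admin@example.com", "createdDateTime": "2022-01-20T08:12:00Z",
     "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "admin@example.com", "createdDateTime": "2022-01-21T02:45:00Z",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NG", "city": "Lagos"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "staff@example.com", "createdDateTime": "2022-01-21T03:00:00Z",
     "ipAddress": "198.51.100.10", "location": {"countryOrRegion": "AU"}, "status": {"errorCode": 0}},
    {"userPrincipalName": "admin@example.com", "createdDateTime": "2022-01-25T01:10:00Z",
     "ipAddress": "203.0.113.77", "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 50126}},
    {"userPrincipalName": "admin@example.com", "createdDateTime": "2022-01-26T01:12:00Z",
     "ipAddress": "203.0.113.78", "location": {"countryOrRegion": "NG"}, "status": {"errorCode": 50126}},
]

PRIVILEGED = {"admin@example.com"}   # assumed Global Administrator accounts, taken from the directory
EXPECTED_COUNTRIES = {"AU"}          # assumed countries the business legitimately signs in from
REMEDIATION = datetime(2022, 1, 22, tzinfo=timezone.utc)  # assumed password reset + MFA time


def privileged_foreign_sign_ins(records, privileged=PRIVILEGED, expected=EXPECTED_COUNTRIES):
    """Successful sign-ins by privileged accounts from outside the expected countries."""
    return [
        (rec["userPrincipalName"], rec["location"].get("countryOrRegion"), rec["ipAddress"])
        for rec in records
        if rec["userPrincipalName"] in privileged
        and rec["status"]["errorCode"] == 0
        and rec["location"].get("countryOrRegion") not in expected
    ]


def failed_attempts_after(records, since=REMEDIATION):
    """Failed sign-ins per account after remediation: the attacker still trying, and the new controls holding."""
    return Counter(
        rec["userPrincipalName"]
        for rec in records
        if datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")) >= since
        and rec["status"]["errorCode"] != 0
    )


if __name__ == "__main__":
    for upn, country, ip in privileged_foreign_sign_ins(SIGN_INS):
        print(f"ALERT: privileged sign-in for {upn} from {country} ({ip})")
    print("failed attempts since remediation:", dict(failed_attempts_after(SIGN_INS)))
```

In a real tenant the same two checks would be run over an export of the sign-in log rather than the embedded sample, with the privileged set pulled from the directory's role assignments.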
