It’s a recurring nightmare for any SysAdmin – the fear that one of your accounts has been compromised and is being used to send malicious emails or harvest company data. Sometimes attackers can be in an account for months before it’s detected.
Attackers can gain access to accounts a number of ways, but the most common would be phishing emails. The user clicks the link, enters their password thinking Microsoft is prompting them, and that’s the game right there. Except you’ve enabled multi-factor authentication on your accounts, right? RIGHT?
MFA will make it massively more difficult for attackers to get in, but not impossible. By default, Microsoft sets users up with a prompt from the authenticator app, a simple allow or deny for the login.
But users are busy people aren’t they? At least, that’s what they always tell me. So they don’t really pay attention, and are so used to clicking approve that if it pops up they don’t even think.
For our high value users, we have switched them over to One Time Passcodes (see this post for more info). This means that they need to open the authenticator app, and type the number that is shown into the device they are trying to login to. They can’t accidently click approve. It’s not as straightforward, but it is more secure.
So how can you tell if an account has been hacked? These are the three key indicators that I check for.
Suspicious Login Activity
The first place to check is the login history for an account. Attackers will use VPNs to mask their true location, but it is still possible to see if the account has logged in from unusual locations. Think about what is normal for a user – obviously the company network external IP addresses will feature heavily, and probably a home network IP as well. If they’ve logged in to emails from their phone then that will show as well. But have they been to Singapore and logged in from there? Or America? Russia? All in the same day? It would be unlikely. So if you see an account that is logging in from diverse locations that don’t match the user’s standard behaviour, then be suspicious…
Another to look for is lots of failed logins. This may indicate someone trying to breach an account when they don’t have the password, or trying to breach the account when they do, but are failing on the multi-factor authentication prompt. If that’s the case, then it might only be a matter of time before they gain access.
Azure also shows the type of device used to sign in. If your organisation only uses Windows devices, then a login from a Mac should stand out as odd, particularly if that user doesn’t usually login from a Mac. Sure, they might have bought themselves a present, but you should probably check.
Once an attacker has gained access to a mailbox, they want to keep access, which means that whatever they’re up to they need to hide it from the account owner. This way, the attacker can be sending and receiving emails without the owner ever even seeing them.
To do this, they create mailbox rules that automatically move any mails matching certain conditions to a folder and remove it from the inbox. The folder will be called something innocuous. I’ve seen RSS Feeds used, or just a single period. Users will see something like that and assume it is a system generated label, of no interest to them. They’ll never look.
So when you’re assessing to see if an account has been compromised, look for mailbox rules that are designed to hide activity.
Now, this requires you accessing the mailbox and checking the rules yourself. But what if you could be notified the instant a suspicious rule is create? With Microsoft Cloud App Security – you can!
- Visit the Office 365 Cloud App Security Portal
- Select Control, then Policies
- Find the ‘Suspicious inbox manipulation rule’ policy
- Set the scope to all users and groups, and check ‘Send alert as email.’ Probably best to include another admin or helpdesk email address in here as well as your own.
- You can select Governance actions to perform when the policy is triggered. I have it set to automatically suspend the user.
- Click ‘Update’.
So now, if a mailbox rule is created that Microsoft rule as suspicious, the account will automatically be knocked out, and an alert generated.
Additional Multi-Factor Authentication Methods
If a user clicked approve to a notification prompt and let an attacker in, that’s great (for the attacker). But they can’t rely on the user approving every sign in they want to make. Eventually they’d get suspicious (you’d hope). So the attacker needs to configure a way for them to login without the user needing to approve it – such as register their own MFA method.
As an admin in Azure, you can see which methods a user has registered. Now, you might not know if the number that is there is actually the user’s phone number, but if it starts with the right country code and there’s only one number registered, that might be ok. If there is more than one number, well, something might be off.
So, add up all three indicators and what have you got? Account logins from multiple countries, inbox rules designed to hide emails from the user and additional multi-factor authentication methods that you don’t recognise?
You should probably disable that account.
Leave a Reply