Compromised Email Steps | centrexIT Knowledge Center

CentrexIT Compromised Email Steps

KB00003143
Ethan Tverdy | Work Instruction | 1 min
Published (v2)

Purpose: The purpose of this KB is to guide any tech in steps to secure a compromised email.

  • Create a Problem ticket in Pzzle to track all time and notes for this issue.
  • Assign the Problem ticket to the vITM of the client.
  • Create a swarm space in MS Teams and include the DoO, VP of Technology, CSOC, vITM, vCIO, SD Manager, and anyone else necessary.
  • Include the Problem ticket in the title of the swarm.
  • Confirm with the user the correct cell phone number and the make/model of the user’s cell phone.
  • Confirm their geographical location.
    • For example, which country and state they are located in.
    • This helps identify bad actors when a sign-in comes from a location, or at a time, where the user should not be logging in.

NOTE: Include the time in each screenshot.

  • If a malicious email originates from a known contact that the client regularly works with, it is possible that the contact’s account has been compromised. The client should immediately reach out to the contact using a verified, trusted phone number to inform them of the potential security issue.

⚠ DO NOT respond to the suspicious email or attempt to contact them via email.

1. Disable sign-in.

   a. Open a browser in incognito mode and navigate to portal.office.com on your computer.

   b. Sign in with the admin credentials in PWD State.

   c. Go to the admin center.

      i. https://admin.microsoft.com

   d. Navigate to Users > Active users.

   e. Search for the user name in the top right and then click on the user.

   f. Go to the Account tab and click on “Sign out of all sessions”.

   g. On the Account tab, click “Block sign in”.

   h. Check the “Block this user from signing in” check box, then click “Save changes”.

   i. Navigate to the client’s Active Directory by logging into their Domain Controller via ScreenConnect or N-central (if applicable).

   j. If they do not have a Domain Controller, skip to step 2.

   k. Disable the Active Directory account for the compromised user by right-clicking the user and selecting “Disable Account”.

2. Check the MFA details in Azure to make sure the information there is accurate and has not been altered (confirm this with the user). If it was altered, document it.

   a. Navigate to Azure Active Directory from the admin center.

   b. Go to Users > “User Name” > Authentication methods.

   c. Click “Revoke multifactor authentication sessions”.

   d. Take a screenshot of the MFA information.

   e. After it is documented, remove ALL MFA methods.

3. Check that no devices were added to Azure by the bad actor under the affected user’s account.

   a. Navigate to “Devices” and confirm that only the user’s devices, or no devices, are listed. Document your findings.

4. Confirm that no Enterprise applications were added by the bad actor.

   a. Navigate to the Entra admin center.

   b. Navigate to the Applications area > Enterprise applications.

   c. Sort the “Date” column and check whether any new Enterprise applications were added.

5. Check the audit log in Azure to see when and where the bad actor was signing in from.

   a. In Azure Active Directory, navigate to Users > “User name” > Sign-in logs.

   b. You can view a month’s worth of sign-in logs by clicking on the date filter.

   c. Click “Download” and download the file as a CSV.

   d. Open the file and convert the data into a table.

   e. Highlight the data > Insert > Table.

   f. Look at the “Location” and “Status” columns to find any sign-ins that were not the user. Use the drop-downs to filter if needed.

   g. For any sign-ins that were not the user, take a screenshot of the information including the date and timestamp.
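Steps 5f and 5g go faster with a short script over the downloaded CSV. This is an added example, not part of the original instruction: the CSV rows are constructed, the column names (`Date (UTC)`, `Username`, `IP address`, `Location`, `Status`) are assumed to match the Entra sign-in log export, and the expected locations are whatever the user confirmed during intake.

```powershell
# Added example: flag sign-ins from locations the user did not confirm (steps 5f/5g).
# Column names are assumed to match the Entra sign-in log CSV export.
$ExpectedLocations = @('San Diego, California, US', 'Irvine, California, US')   # confirmed with the user

# Constructed sample; for a real export use:  $rows = Import-Csv .\InteractiveSignIns.csv
$sample = @'
"Date (UTC)","Username","IP address","Location","Status"
"2024-05-02T14:03:11Z","jdoe@example.com","203.0.113.10","San Diego, California, US","Success"
"2024-05-02T22:41:50Z","jdoe@example.com","198.51.100.77","Lagos, Lagos, NG","Success"
"2024-05-03T01:12:08Z","jdoe@example.com","198.51.100.77","Lagos, Lagos, NG","Failure"
"2024-05-03T01:14:22Z","jdoe@example.com","198.51.100.77","Lagos, Lagos, NG","Success"
"2024-05-03T08:15:30Z","jdoe@example.com","203.0.113.10","San Diego, California, US","Success"
'@
$rows = $sample | ConvertFrom-Csv

# Anything outside the confirmed locations is a candidate; keep failures too (they show guessing and MFA prompts).
$suspect = $rows | Where-Object { $ExpectedLocations -notcontains $_.Location }

# One line per source IP: how often, how many succeeded, and first/last time for the screenshots.
$summary = $suspect | Group-Object 'IP address' | ForEach-Object {
    $times = @($_.Group.'Date (UTC)' | Sort-Object)
    [pscustomobject]@{
        IPAddress = $_.Name
        Location  = $_.Group[0].Location
        Attempts  = $_.Count
        Successes = @($_.Group | Where-Object Status -eq 'Success').Count
        FirstSeen = $times[0]
        LastSeen  = $times[-1]
    }
} | Sort-Object Successes -Descending

$summary | Format-Table -AutoSize

# Keep the raw flagged rows (with timestamps) for the Problem ticket.
$suspect | Export-Csv -NoTypeInformation -Path '.\suspicious-signins.csv'
```

Location is IP geolocation, so a VPN or a roaming phone can legitimately show a distant city; confirm with the user before calling a row malicious, and screenshot a success that follows failures from the same IP first.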

6. Perform an AV scan on the endpoint with the client’s AV solution.

   a. This example shows how to perform a full scan via Intune.

   b. Go to the client’s 365 Admin Center > Endpoint Manager > Devices > All devices, put the computer name in the search bar, select it, and select “Full Scan”.

   c. Once complete, export the results or take a screenshot of the scan for audit purposes.

7. Check OWA rules to make sure none were created by the bad actor.

   a. You will need to delegate access to the user’s mailbox.

   b. Navigate to the Exchange Admin Center.

   c. Browse to the user’s mailbox and give our licensed admin account Full Access via delegation.

   d. Open OWA with the admin account and click on the profile picture in the top right > Open another mailbox. Enter the user’s email and open it.

   e. Once in the user’s OWA mailbox, click on the settings gear icon in the top right > Mail > Rules. Check whether any suspicious rules have been created.

   f. If there are suspicious rules, take screenshots with the timestamp and then remove the rule.
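Step 7 can be cross-checked from Exchange Online PowerShell, which also shows hidden rules and mailbox-level forwarding that the OWA Rules page does not list. This is an added example rather than the KB’s own procedure; it assumes the ExchangeOnlineManagement module, the delegated admin access from step 7c, and a placeholder mailbox address. The `Test-SuspiciousRule` helper is written for this example; its flags are the common compromised-mailbox rule patterns (external forwarding, delete, move to RSS/Archive/Deleted, mark as read, blank names).

```powershell
# Added example: list server-side inbox rules and mailbox forwarding for one mailbox (step 7).
# Assumes the ExchangeOnlineManagement module; $Mailbox is a placeholder.
$Mailbox = 'jdoe@example.com'
Connect-ExchangeOnline -ShowBanner:$false

# Mailbox-level forwarding lives outside the rules list and is easy to miss in OWA.
Get-Mailbox -Identity $Mailbox |
    Select-Object PrimarySmtpAddress, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-List

# Accepted domains of the tenant: any forward/redirect target elsewhere is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-SuspiciousRule {
    # Helper written for this example: returns the reasons a rule deserves a second look.
    param($Rule)
    $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) | Where-Object { $_ }
    # EXO renders targets as '"Name" [SMTP:addr]' for external and '"Name" [EX:/o=...]' for internal recipients.
    $external = $targets | ForEach-Object { if ("$_" -match '\[SMTP:([^\]]+)\]') { $Matches[1] } } |
        Where-Object { ($_ -split '@')[-1].ToLower() -notin $internalDomains }
    $reasons = @()
    if ($external)           { $reasons += "forwards/redirects externally: $($external -join ', ')" }
    if ($Rule.DeleteMessage) { $reasons += 'deletes messages' }
    if ($Rule.MarkAsRead)    { $reasons += 'marks as read' }
    if ("$($Rule.MoveToFolder)" -match 'RSS|Archive|Junk|Conversation History|Deleted') {
        $reasons += "moves to $($Rule.MoveToFolder)"
    }
    if ("$($Rule.Name)".Trim().Length -le 2) { $reasons += 'blank or one-character name' }
    $reasons
}

# -IncludeHidden also returns rules that Outlook and OWA hide from the user.
Get-InboxRule -Mailbox $Mailbox -IncludeHidden | ForEach-Object {
    [pscustomobject]@{
        Name     = $_.Name
        Enabled  = $_.Enabled
        Priority = $_.Priority
        Flags    = (Test-SuspiciousRule $_) -join '; '
    }
} | Sort-Object Priority | Format-Table -AutoSize
```

Only server-side rules appear here; client-only Outlook rules are covered by step 10.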

8. Run a content search to delete any malicious emails sent to the organization.

   a. Navigate to the Exchange Admin Center.

   b. Go to Mail flow > Message trace:

      i. Click Start Trace.

      ii. Put the malicious email sender in the “Senders” field.

      iii. Select the time frame that includes when the emails were sent.

   c. You will use these results to compare against the content search performed in the later steps.

   d. Navigate to the M365 Compliance Admin Center via the admin center. You can also browse to it by URL: https://purview.microsoft.com/

   e. Navigate to Solutions > eDiscovery > Classic eDiscovery > Content search.

   f. Within the Content search pane, select New search:

      i. Give the search a name and a description and click Next.

      ii. Select Exchange mailboxes and select Next.

      iii. Select Add condition, add the time frame the email was sent, and add the sender of the malicious email.

      iv. If the sender has sent legitimate emails within the time frame, also add the Subject condition with the subject of the malicious email. Select Next.

      v. Review your search settings and select Submit.

   g. In the Content search pane, find the search you just created and click on it:

      i. In the flyout, click Review sample.

      ii. Once the samples load, confirm the samples only contain the malicious email.

   h. Delete the malicious email via PowerShell:

      i. Launch PowerShell and connect to MS Purview.

      ii. Connect-IPPSSession

      iii. New-ComplianceSearchAction -SearchName "BEC Content Search Name" -Purge -PurgeType SoftDelete

   i. Notify the swarm that this action has been completed.
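Step 8 end to end in PowerShell, as an added example that is not the KB’s own procedure: the message trace for the baseline count, the content search, and the soft-delete purge. It assumes the ExchangeOnlineManagement module; sender, subject and date range are placeholders, and the purge stays behind the sample review that step 8g requires.

```powershell
# Added example: message trace -> content search -> soft-delete purge (step 8).
# Assumes the ExchangeOnlineManagement module. Sender, subject and dates are placeholders.
$Sender     = 'attacker@example.net'            # sender of the malicious email
$Subject    = 'Updated payment details'         # subject, used only to narrow the search
$Start      = (Get-Date).AddDays(-7)
$End        = Get-Date
$SearchName = "BEC Content Search $(Get-Date -Format 'yyyyMMdd-HHmm')"

# 8b. Message trace gives the baseline: how many copies were delivered and to whom (last 10 days only).
Connect-ExchangeOnline -ShowBanner:$false
$trace = @(Get-MessageTrace -SenderAddress $Sender -StartDate $Start -EndDate $End)
$trace | Select-Object Received, RecipientAddress, Subject, Status | Format-Table -AutoSize
"Message trace: $($trace.Count) messages from $Sender"

# 8e-8f. Content search scoped by sender, date and subject (KQL), then wait for it to finish.
Connect-IPPSSession
$kql = "from:$Sender AND received>=$($Start.ToString('yyyy-MM-dd')) AND subject:`"$Subject`""
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $kql | Out-Null
Start-ComplianceSearch -Identity $SearchName
do { Start-Sleep -Seconds 15; $s = Get-ComplianceSearch -Identity $SearchName } while ($s.Status -notin @('Completed', 'PartiallySucceeded', 'Failed'))
"Content search '$SearchName': status $($s.Status), $($s.Items) items"

# 8c/8g. Compare against the trace and review the sample in the portal before purging.
if ($s.Status -ne 'Completed' -or $s.Items -eq 0) { throw 'Search did not complete or found nothing; do not purge.' }
if ($s.Items -ne $trace.Count) { Write-Warning "Search hits ($($s.Items)) differ from the trace ($($trace.Count)); check the sample for false hits." }
$answer = Read-Host 'Sample reviewed and contains only the malicious email? Type PURGE to continue'
if ($answer -ne 'PURGE') { return }

# 8h. SoftDelete keeps items recoverable; a purge action removes at most 10 items per mailbox per run.
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete -Confirm:$false | Out-Null
do { Start-Sleep -Seconds 15; $a = Get-ComplianceSearchAction -Identity "${SearchName}_Purge" } while ($a.Status -ne 'Completed')
$a | Select-Object Name, Status, Results | Format-List
```

If the trace shows more recipients than the purge reports, run the purge again for the remaining items and record each run’s Results output in the ticket.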

9. Reset the user’s password.

   a. In the Microsoft 365 admin center, go to Active users and search for the affected user.

   b. Click on the user and click on “Reset password”.

   c. Reset the password to something the user wants, but make sure it is complex. Click “Reset password” when done.

   d. Enable the user account in Active Directory on the client’s Domain Controller.

   e. Reset the Active Directory password to the same password you set their 365 password to.

10. Check local Outlook rules.

   a. Now that you have reset the user’s credentials, have them sign into the Outlook app on their computer.

   b. Right-click an email and navigate to Rules > Manage Rules & Alerts…

   c. Check that there are no email rules. If there are rules, confirm they are legitimate by checking with the user and reviewing what the rules do.

   d. Check all the rules in case the bad actor altered a known-good rule.

   e. Document your findings.

11. Forward any email that was received or sent by the bad actor as an attachment to yourself or to the admin account in 365 (if the admin account is licensed), and attach it to the Problem ticket.

   a. Double-click the email and click on the dots in the upper right.

   b. Click on “Forward as attachment”.

   c. Email yourself the attachment and put it in the ticket and the swarm you are in.

   d. If you are unable to forward the email to yourself, you can access the email in OWA via delegated mailbox access and download it that way.

12. Block the bad actor’s email in 365.

   a. Navigate to the 365 admin center and click on Exchange.

   b. Go to Mail flow > Rules.

   c. Check whether there is already a rule that blocks emails by sender.

      i. If there is, add the bad actor’s email address to it.

      ii. If there is not, proceed to the next steps to create a rule.

   d. Go to Mail flow > Rules and select “Add a rule” > Create a new rule.

   e. Name the rule “Block by email”.

   f. Under “Apply this rule if*”, select Sender:

      i. is this person

      ii. Type the bad actor’s email address and select Save.

   g. Under “Do the following*”, select Block the message:

      i. Delete the message without notifying anyone

   h. Select Next and Save.

   i. You will need to activate the rule after creating it.

   j. Select the rule and toggle “Enabled” in the flyout pane:

      i. Leave this pane open until the rule shows as enabled in the Rules pane.

      ii. You can change the priority of the rule if needed.
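Step 12 in Exchange Online PowerShell, as an added example (not the KB’s own steps): reuse the existing block-by-sender rule if there is one, otherwise create “Block by email” with the same condition and action as 12f and 12g. It assumes the ExchangeOnlineManagement module and a placeholder address; `-From` is assumed to accept an external SMTP address the way the “is this person” picker does.

```powershell
# Added example: add the bad actor to an existing block-by-sender rule or create one (step 12).
# Assumes the ExchangeOnlineManagement module; $BadActor is a placeholder.
$BadActor = 'attacker@example.net'
$RuleName = 'Block by email'
Connect-ExchangeOnline -ShowBanner:$false

$rule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    # 12c.i. Set-TransportRule -From replaces the whole list, so keep the existing senders and append.
    $senders = @($rule.From | ForEach-Object { "$_" }) + $BadActor | Select-Object -Unique
    Set-TransportRule -Identity $RuleName -From $senders
} else {
    # 12d-12h. Condition "sender is this person", action "delete the message without notifying anyone".
    # Priority 0 puts it ahead of other rules (12j.ii); adjust if the client has rules that must run first.
    New-TransportRule -Name $RuleName -From $BadActor -DeleteMessage $true -Enabled $true -Priority 0 `
        -Comments 'Created during compromised-email response; see the Problem ticket.' | Out-Null
}

# 12j. Confirm the rule is enabled and what it now blocks; screenshot this for the ticket.
Get-TransportRule -Identity $RuleName | Select-Object Name, State, Priority, From, DeleteMessage | Format-List
```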

13. Discuss enabling MFA and geofencing (if not configured) with the vITM and vCIO.

   a. If MFA needs to be set up, consult with the vITM and vCIO.

   b. If geofencing needs to be set up, consult with the vITM and vCIO; the how-to can be found in this article: Block Users by Location in Azure/O365 - CloudCompanyApps

14. Put all the relevant data for this issue into the ticket. This includes the email attachment and screenshots.