Office 365 – Malicious actors using your account to scam your contacts


Office 365 is a widely known name and the preferred email hosting platform for many organisations in Australia (unless you're a Google fan; it is like the age-old Ford and Holden rivalry, and I am in the Ford camp here). All rivalry aside, both platforms have their ups and downs, and it just comes down to which one works better for you and your business. I personally like the Office 365 platform, as most SMBs get a really good quality system at a very reasonable price, and it works with no real changes to how they used the old in-house servers that nearly all of them would have had before. It makes sense to them, which is great, but this isn't a sales pitch for Office 365. This is to tell you how it really is and set some things straight, with no stupid jargon that is just used to confuse people.

So, let's put together a scenario of an incident that I have seen on at least ten different occasions over the last six months. We get a call from an organisation that is hosted on Office 365 for email, software and so on, as is pretty normal. They have staff located across several sites or a mobile workforce, and they all connect to Office 365 for email and possibly some sort of data sharing.

They have probably been on the platform for 12 months or more and it has been working well for them. Sounds like most normal organisations on 365 or Google hosting, right? Yeah, it does. Now we receive a call because one of the staff has been getting strange bounce-backs for emails that they never sent in the first place. Alarm bells start to ring: this sounds like an email account compromise.

First things first, reset the password immediately, just to be on the safe side. It doesn't matter if the cause turns out to be something else; it is safer to reset it and cut off access to the account if it is, in fact, a breached account. Export all the logs for review at a later point, then check the inbox rules for that user in the Office 365 web portal. I bet you that in most cases you will find a rule redirecting emails with "invoice", "payment" or "account" in the subject into Deleted Items, RSS Feeds, or a random folder created and hidden beneath folders you already have configured.
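Checking one user's rules by hand works for a single incident, but the same rule pattern is worth sweeping across every mailbox in the tenant. The script below is an added example, not part of the original post: it uses the Exchange Online PowerShell module to list every inbox rule and flags those that filter on the keywords above, hide mail in the folders above, delete or mark as read, or forward elsewhere; the keyword and folder lists, the admin account and the output file name are assumptions.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module and an account with Exchange Online admin rights. Keyword and folder lists
# are assumptions taken from the post, not an exhaustive set of what attackers use.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder admin UPN

$suspectPattern = 'invoice|payment|account'                          # subject words from the post
$suspectFolders = @('Deleted Items', 'RSS Feeds', 'RSS Subscriptions',
                    'Junk Email', 'Archive', 'Conversation History')  # assumed hiding places

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()

        # Condition: rule keys on the invoice/payment/account subject words
        $words = @($rule.SubjectContainsWords) + @($rule.SubjectOrBodyContainsWords) |
                 Where-Object { $_ }
        if ($words | Where-Object { $_ -match $suspectPattern }) {
            $reasons += 'filters on invoice/payment/account'
        }

        # Action: mail is moved somewhere the owner is unlikely to look
        # (MoveToFolder is a folder path string such as "user@domain:\Deleted Items")
        if ($rule.MoveToFolder -and
            ($suspectFolders | Where-Object { $rule.MoveToFolder -like "*$_*" })) {
            $reasons += "moves to '$($rule.MoveToFolder)'"
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes message' }
        if ($rule.MarkAsRead)    { $reasons += 'marks as read' }

        # Action: mail is copied out of the mailbox entirely
        if ($rule.ForwardTo -or $rule.RedirectTo -or $rule.ForwardAsAttachmentTo) {
            $reasons += 'forwards or redirects'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\suspicious-inbox-rules.csv -NoTypeInformation  # assumed output file
```

A hit is a lead, not proof: confirm with the user that they created the rule before removing it, and keep the exported CSV with the other logs you pulled for the incident.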

The malicious actor will be looking over all these emails, changing the details and then putting them back in your inbox as if nothing had happened. They will change account details and invoice amounts, just for starters. The malicious actors will then usually move on to sending sometimes crude and vulgar emails to all of your contacts, or some sort of scam to get the recipient to open an infected document or change the account details used for payments.

These contacts know who you are and have dealt with you before. They are not suspicious of your email when it comes through, so they will most likely click on whatever is sent. It just takes that one click and the malicious actor has another victim. These emails are less likely to be picked up by email protections, as they come from legitimate users who have no record or history of email abuse, which leaves this scenario free to keep moving from victim to victim.

I have honestly seen this time and time again over the last six months. The problem is certainly getting worse, and some awareness of this technique needs to be generated so that we can slow down the flood of victims. One simple change that is really very easy to configure can make a large difference in keeping your Office 365 account secure and, in turn, keeping all of your unsuspecting contacts from becoming victims. TURN ON TWO-FACTOR AUTHENTICATION. It is pretty simple and is turned on in the admin portal for the company's 365 account. It is just an option that is turned on with a tick box, nothing scary at all. Once that is done, each user just logs into their Office 365 account and will be prompted to set up two-factor authentication.

They will have the option of using an authenticator app or a text message to their mobile. I recommend the authenticator app over the text option (some prefer text as it is simpler and doesn't require another app to be installed on your phone), as it removes number porting as a way to bypass the second factor (you would be surprised how easy it is to get a number ported these days, even though it isn't meant to be that easy). Porting basically takes ownership of your number, so the text verification codes go to a number now under the attacker's control.

If the authenticator app is used, the malicious actor needs to have your device and be able to unlock it before the authentication can occur. Yes, it is still possible to achieve this, but the risk to the owner of the account is greatly reduced in this scenario. The idea is to make it so hard to get access to your account that it irritates the malicious actor enough to decide it isn't worth it and move on to the next target. It truly is that simple.

So, do yourself a favour and turn 2FA on in Office 365. If you suspect something suspicious is happening with your account, reset your password and either investigate further or find someone who can help you find out what is happening.

Simple directions, but very effective.
