Office365 , Outlook compromized accounts origin

[DimitriP]

Can't find out how it takes place. It is via a script on a webpage on an email on the users machine, going to  the wtrong website, or using abc as a password or ... ?


 https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/

[rrinker]

 Any or all of the above. An account can be compromised in many ways. Insecure password, phishing, man in the middle - there are seemingly limitless ways in which these scum can gain access.

 And yes, they are scum lower than the slime on a stagnant pond. Yes, people should practice good security measures, but every time you beef up security, these scum double down and work at even more nefarious ways to compromise your account - even when there's nothing to steal and no profit to be made - just for bragging rights.

[PA0PBZ]

I see these every day

 - X@Y sent you some files, click here to get your files

 - X@Y sent you a copy, click here to review the documents

 - Hello X@Y, Your messages are now queued up and pending delivery because your email has not been verified,you are required to confirm your email account to restore normal email delivery. Login with your email and password to confirm, be sure to do so in a safe and secure manner.

So I keep on educating all staff and just hope...

[bd139]

Turn on multi factor authentication!!!!

https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

[PA0PBZ]

Turn on multi factor authentication!!!!

Working on it, but it is not that easy in a global organisation.

[bd139]

You can enable it, then apply it to business groups and indivudual users. Write up a message giving them 30 days to comply with the secpol then enforce.

We have some powershell we run nightly which gives new users 5 days to set it up and bugs the shit out of them. if they don't then it disables their account.

Other option is SSO with Duo or something.

[DimitriP]

Turn on multi factor authentication!!!!

https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide

The goodnews is it didn't happen to me. I heard about it "sideways".
Office365 was sold by GoDaddy to the victim in addition to their hosting package.
When they contacted GoDaddy right after they realized email was going haywire, the stellar GoDaddy support person told them they "hadn't purchased security for their email".
So they sold them "security" for $400 bux!
This security turns out to be named by GoDaddy "Proofpoint Essentials".
Unclear on what exactly it does or doesn't do, or whether multifactor authentication was turned on after this incident.
But now they are $400 more "secure" than before!

[bd139]

LMAO typical GoDaddy that is

They have an office in Slough near me. Someone loved them so much that they wiped dog shit all over their signs a few months back

[DimitriP]

There is no proof I was in the country at the time!!!

[rrinker]

 Proofpoint is an email scanning/filtering service from Cisco. It's a bit above the usual spam filtering, in that it can do other sorts of tests on attachments and block them if they attempt to access known bad web sites, etc.

 However - Office365 accounts all get Exchange Online Protection, you can't bypass it. Of course, there are no rules by default, so you need to configure it.

[DimitriP]

Proofpoint is an email scanning/filtering service from Cisco. It's a bit above the usual spam filtering, in that it can do other sorts of tests on attachments and block them if they attempt to access known bad web sites, etc.

 However - Office365 accounts all get Exchange Online Protection, you can't bypass it. Of course, there are no rules by default, so you need to configure it.

Sometimes the difference between incompetency and business model is faint...very faint.
Sounds like something GoDaddy should be doing when they sell Office365 to unsuspecting users, instead of charging them $400 for "email security" after the account is compromised.

Are you saying that Proofpoint does or does not protect an Office365 account from being compromised ?

[Mr. Scram]

Proofpoint is an email scanning/filtering service from Cisco. It's a bit above the usual spam filtering, in that it can do other sorts of tests on attachments and block them if they attempt to access known bad web sites, etc.

 However - Office365 accounts all get Exchange Online Protection, you can't bypass it. Of course, there are no rules by default, so you need to configure it.

I absolutely hate how due to EOP you can't tell where a link sends you. Office 365 obfuscates it for you and you need to fully depend on their ability tp filter out crap. Their definition is obviously going to be different than mine.

[rrinker]

 Proofpoint can help, but nothing is foolproof, the world just invents better fools.

There is an advanced extra-cost version of EOP that adds the attachment sandbox feature, where it checks attachment files and links in emails, and if they go to known bad actors, they get filtered out. Like Proofpoint, this can help reduce the chances of account compromising phishing emails from getting through, but it's pretty much impossible to prevent. User training is the only real answer - we do internal phishing tests and it's amazing how many people will click a fake email saying their is something wrong with their Citibank account - WHEN THEY HAVE NO ACCOUNTS WITH CITIBANK! How the hell stupid do you have to be? And most financial sites I deal with rather constantly mention that they will never ask you for certain types of information, yet when a fake email comes through, Joe Average will happily provide the information - which they clearly state they will never ask for! You can't fix stupid.

And of course, with all the data breaches these days - even if you use a good secure password, if you use the same one all the time, good luck. You can't prevent someone else's stupidity, but you can guard yourself against the effects of it.