Office 365 email hacked - what were the possible attack vectors?

A colleague, yes - genuinely a colleague:-) had their Office 365 email account compromised yesterday and used for sending spam. Microsoft caught it very quickly and suspended the account from sending emails outside of the organisation (well done them)

The immediate problem has been fixed - we have changed the password, checked for email forwarding etc. and scanned her mac for malware (none present- according to Sophos)

As the spam was in her sent folder it would appear that the culprits had access to her userid (email) and password - is that assumption correct?

Putting the headers into the message analyser at https://testconnectivity.microsoft.com/ didn’t reveal any IP addresses which makes the microsoft tech support agent I worked with and I think that it was some sort of sending tool the hackers used

What were the possible attack vectors? I have…

  1. A re-used password/email combination, the ‘other’ site was hacked and the credentials tested against Office365
  2. Malware/keyboard logger on her Mac
  3. She (at some point) entered her credentials on a site that she thought was genuine microsoft but wasn’t (as a result of phishing or similar)
  4. Her credentials were ‘sniffed’ while she was working on ‘coffeeshop’ wifi

Questions:

  1. What other attack vectors are there that I should consider/have missed?
  2. Just how likely is it for office 365 credentials to have been ‘sniffed’ on ‘coffeeshop’ wifi?
  3. Is there anything else we should consider following the breach (beyond dealing with password change and email forwarding)?

Note: We use 1Password and she maintains that the password was unique, she wasn’t using cloak (encrypt.me) - she is now :slight_smile:

Thanks @anon41602260, that is what I would have normally assumed what gave me concern was the fact that the outbound mail was in her sent folder which makes me consider the account password was genuinely compromised.

Usually, I would agree a 100%. But… Something does not smell good here:

In this case, I have no other explanation than somebody else having access to her email account. How should a spammer with spoofed emails be able to get his mail into the Office 365’s sent folder without having actual access to the account? And then the question would be how this could have been possible…

One question to ask here: was her password a password that can be brute-forced (part of a dictionary, part of a rainbow table) or was it really a unique random-one?

If it was a random-one and the user is absolutely sure not to have entered the data into a phishing site, all of her devices should be treated as compromised:

  1. It might be a good idea to wipe all devices that have access to 1Password (with the exception of iOS devices) and to install everything fresh again. You will never know with 100% certainty if a device is compromised without doing a erase and fresh install.

  2. If a device was compromised, it might be a good idea to change the 1Password Master Password and to monitor other accounts for unusual activity.

  3. The Office 365 account’s password probably should be changed again after having executed the steps 1 and 2.

No need to do so! :slight_smile: I think you made a really good point. In many cases, “hacked email accounts” are not hacked. Very often, it is indeed mail spoofing. If it was not for the spam mail to be in the sent folder, I would have thought the exact same thing!

In my experience (I see this nearly every day) 99 times out of 100 it’s down to a phishing campaign that convinced your colleague to enter their name and password on a site designed to harvest them. Some of these are getting incredibly convincing and even the non-convincing ones get a surprisingly large number of responses.

If you’re access reputable services (which are by definition protected by TLS), the chances that something was sniffed over public WiFi is pretty much zero. If the service isn’t offering a secure connection of its own, then it’s likely so ineptly managed that it’s been compromised many times over :slight_smile:

3 Likes

I do Office 365 administration for a University, and recently we had a brutal round of phishing that used browser sessions to execute send commands. Meaning someone would click on the link, then that browser session was used to send emails. They would send a few hundred in a few minutes then move on to the next account. In this instance, the IP address wasn’t recorded because the executive session was encrypted in the browser, MS (and
a PowerShell script) confirmed no new devices were added or authenticated in that time frame for the account we used for testing.

Since Office 365 can be a pure browser-based tool, I think we can expect more phishing attempts that don’t require actually acquiring your password, just clicking on a link then in browser send commands can be executed easily. The only real solution is for MS to fix the ability to easily script their interface by either requiring authentication or tab active scripting.

2 Likes

@ACautionaryTale and @joshsullivan thank you for your input - I agree that phishing is the most likely scenario, but hadn’t considered the possibility of the user genuinely having onedrive open in one browser tab and then visiting a site (or clicking on a link) in another tab that enabled something on that site to send email using the cached credentials.

According to https://docs.microsoft.com/en-us/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#RecipientLimits (2/3 of the way down the page) there is a Message rate limit (SMTP client submission only) of 30 messages per minute - which might explain the ‘batch’ sending Josh has seen (if a browser connection uses that mechanism).

This cartoon comes to mind: http://www.jklossner.com/humannature/ (link is to the cartoonist’s site, not one of the copies)

Something to consider for your Organisation is Single-Sign-On using encrypted certificates.
Users won’t require passwords any more. And they will learn they should not enter their passwords ever, except for Windows/Mac login.