Description
Resolution for users experiencing a compromised Office 365 email account. Estimated time to resolution: 1hr+.
Issue Synopsis
An Office 365 email account was breached and unauthorized emails were sent from the account.
Resolution Summary
Documentation is provided for breach remediation, along with instructions for configuring the Office 365 and SaaS Alerts integration with RocketCyber.
Step-by-Step Instructions
1. Gather Essential Information
Identify the affected email account
Document the breach time and date
Verify if the user or group is monitored in RocketCyber
Confirm whether alerts were generated in SaaS Alerts or RocketCyber
2. Immediate Remediation Steps
A. Investigate the Breach
Follow Microsoft’s guide: Responding to a Compromised Email Account
B. Remove Malicious Rules and Forwarding
Detect and remediate malicious rules: Outlook Rules and Forms Attack
Remove auto-forwarding: Manage Email Forwarding in Admin Center
Review inbox rules: Manage Email Rules
C. Audit the Account and Data
Search audit logs for suspicious activity: Audit Log Search
Enable audit data collection: Configure Audit Data
Review SharePoint and other services: Audit Search
3. Secure the Environment
A. Update Access Policies
Apply conditional access policies by location: Conditional Access Location
B. Device and User Management
Configure device restrictions: Device Restrictions in Intune
Enforce device limits: Device Limit Settings
Manage user identities: Identity Management in Intune
C. Apply Microsoft 365 Security Best Practices
Review and apply recommendations: Secure Your Business Data
4. Address Monitoring and Integration Gaps
Confirm if RocketCyber is enabled for monitoring.
Ensure all users and groups are listed in RocketCyber for proper incident tracking.
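Steps 2B and 2C above, as an added PowerShell example that is not part of the original article and not code from Microsoft, RocketCyber or SaaS Alerts. It assumes the ExchangeOnlineManagement module is installed and the operator holds an Exchange administrator role; the mailbox and breach date are placeholders taken from the information gathered in step 1, and the script is report-only unless -Remediate is passed.

```powershell
param(
    [Parameter(Mandatory)] [string]   $Mailbox,     # placeholder, e.g. user@contoso.com
    [Parameter(Mandatory)] [datetime] $BreachDate,  # breach date from step 1
    [switch] $Remediate                              # default: report only
)

# Assumes the ExchangeOnlineManagement module; prompts for admin credentials.
Connect-ExchangeOnline -ShowBanner:$false

# 2B: inbox rules that forward, redirect, delete or quietly file mail are the
# usual persistence left behind after an account takeover.
$suspicious = Get-InboxRule -Mailbox $Mailbox | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or ($_.MarkAsRead -and $_.MoveToFolder)
}
$suspicious | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder |
    Format-Table -AutoSize

# Mailbox-level forwarding (set with Set-Mailbox) does not appear as an inbox rule.
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

if ($Remediate) {
    foreach ($rule in $suspicious) {
        # Disable rather than delete, so the rule remains available as evidence.
        Disable-InboxRule -Identity $rule.Identity -Confirm:$false
    }
    Set-Mailbox -Identity $Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null `
        -DeliverToMailboxAndForward $false
}

# 2C: pull the unified audit log from a week before the breach until now and show
# who changed rules or forwarding, and from which IP. Requires auditing to be enabled.
$start  = $BreachDate.AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate (Get-Date) `
    -UserIds $Mailbox -ResultSize 5000 `
    -Operations 'New-InboxRule','Set-InboxRule','Set-Mailbox','UserLoggedIn','Add-MailboxPermission'
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $_.CreationDate
        Operation  = $_.Operations
        ClientIP   = $d.ClientIP
        Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it once without -Remediate to record what is present, then again with -Remediate after the findings have been documented.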
Warnings and Callouts
Note that the RocketCyber SOC does not actively monitor SaaS Alerts unless the accounts are integrated with RocketCyber.
SaaS Alerts provides automated detection, but the SOC will not monitor those alerts until the integration with RocketCyber is complete.
If the integration is not configured correctly, future breaches may go undetected.