Office 365 Business Email Compromise Protection and Recovery

Business Email Compromise Protections and Recovery Actions

In June of 2018, CrowdStrike published a blog post which outlined capabilities to pull forensic evidence from Microsoft Outlook after a business email compromise. Shortly after, these capabilities were removed and are no longer available. We’ve increasingly been asked to assist with business email compromise, and there have been a few key takeaways from our research.

Unfortunately, if you are only using OWA or Outlook email and no other Microsoft services (like Azure AD), your options for protecting yourself are limited. However, there are a few action items you can take before a compromise and some activities you should do after to patch things up.

Action Items Before a Breach

Some of these items are more valuable than others, but a defense in depth approach to securing your email is necessary. Almost all of these security controls relate to passwords and authentication. All of these settings can be configured by your global administrator. For additional recommendations, your organization will want to access the Microsoft Security and Compliance Center.

Here’s a summary of recommendations:

  • Require password resets after a defined period of time
  • Do not allow password reuse
  • Require a strong password complexity policy
  • Require two-factor authentication
  • Turn on Audit Logging
  • Set up email alerts for predefined conditions

Here are some links from Microsoft that will help:

  • Password Policy
  • Password Complexity
  • Audit Logging
  • Email Alerting

How to Clean Up After a Breach

Should you have a breach, there are several action items you should take to restrict the compromised account and prevent further unauthorized access.

With an administrators account, reset the compromised user’s password. Uncheck the option to send the new password via email.

(Admin > Users > Active Users > Compromised Account > Reset Password)

Check for forwarding addresses. Hackers will attempt to forward mail, and if forwarding was configured during the compromise it keeps delivering mail to them even after a password change or other security controls are applied.

(Mail Settings > Email Forwarding > Edit > Turn Off)

Double check your Email Alert configuration to ensure you are detecting suspicious activities.

(Your organization can set alerts here)

Check for suspicious Inbox Rules.

(Access compromised account > Gearbox Settings > Review rules > Disable/Delete Unauthorized Rules)

Check if the account has administrative privileges.

(Remove administrative privileges until the account has been restored)

Review the audit logs to establish what activity occurred on the compromised account.
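The clean-up steps above (forwarding addresses, inbox rules, administrative privileges, audit logs) and the "Turn on Audit Logging" item from the pre-breach list can be worked through from Exchange Online PowerShell rather than by clicking through the admin portal, which is faster when more than one mailbox is involved. The script below is an added example written for this page; it is not Rigid Bits' code or Microsoft's. It assumes the ExchangeOnlineManagement module is installed, that you run it with an administrator account, and that $Upn is the compromised user's sign-in address (the address in the comment is a placeholder). It reports by default and only changes settings when -Remediate is passed.

```powershell
# Added example (not from the original post): triage one compromised Office 365
# mailbox with the ExchangeOnlineManagement module, and confirm that unified
# audit logging (a pre-breach item) is switched on. Assumptions: the module is
# installed, the caller is an admin, $Upn is the compromised account.
param(
    [Parameter(Mandatory)] [string] $Upn,   # e.g. user@contoso.example (placeholder)
    [int] $LookbackDays = 30,
    [switch] $Remediate                     # off by default: report only
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Audit logging: the post-breach review depends on it having been enabled.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF; Search-UnifiedAuditLog will return nothing."
    if ($Remediate) { Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true }
}

# 2. Mailbox-level forwarding (what Mail Settings > Email Forwarding configures).
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning ("Mailbox forwarding set: SMTP={0} Address={1} DeliverAndForward={2}" -f
        $mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress, $mbx.DeliverToMailboxAndForward)
    if ($Remediate) {
        Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
                    -DeliverToMailboxAndForward $false
    }
}

# 3. Inbox rules that forward, redirect, delete, or bury mail: the usual way a
#    compromise survives a password reset.
$rules = Get-InboxRule -Mailbox $Upn
$suspicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or
    ($_.MoveToFolder -and ([string]$_.MoveToFolder) -match 'RSS|Archive|Deleted|Junk')
}
foreach ($r in $suspicious) {
    Write-Warning ("Suspicious rule '{0}' (enabled={1}): forward={2} redirect={3} delete={4} move={5}" -f
        $r.Name, $r.Enabled, ($r.ForwardTo -join ','), ($r.RedirectTo -join ','),
        $r.DeleteMessage, $r.MoveToFolder)
    if ($Remediate) { Disable-InboxRule -Identity $r.Identity -Confirm:$false }
}

# 4. Audit log: sign-ins and mailbox/rule changes for the account in the window.
$end   = Get-Date
$start = $end.AddDays(-$LookbackDays)
$ops   = 'UserLoggedIn','New-InboxRule','Set-InboxRule','UpdateInboxRules',
         'Set-Mailbox','Add-MailboxPermission'
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn `
                                 -Operations $ops -ResultSize 5000
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json      # per-event detail is a JSON blob
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
    }
} | Sort-Object Time | Format-Table -AutoSize

# 5. Exchange admin roles held by the account. Azure AD directory roles are a
#    separate check (MSOnline/AzureAD modules, e.g. Get-MsolUserRole).
Get-ManagementRoleAssignment -RoleAssignee $Upn -ErrorAction SilentlyContinue |
    Select-Object Role, RoleAssigneeName | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Remediate and keep the output with the case file, since the rule names, forwarding targets and sign-in IPs it lists are the evidence you will want later; then run it again with -Remediate after the password has been reset, so that a rule re-created by a still-active session is caught rather than masked. The folder-name pattern in step 3 is a heuristic for the folders attackers commonly use to hide replies; review the full rule list as well, as the portal step above recommends.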

If your company has experienced an Office 365/OWA compromise, it may be time to start thinking about your security program. Typically, these issues can be solved through security awareness training and testing, defined policies and procedures, proper monitoring implementations, and activation of your incident response plan. Need some help? Rigid Bits offers services to help you protect your organization and reduce your overall risk exposure. Contact us today!

About The Author
Rigid Bits
Rigid Bits is a cybersecurity firm that helps businesses identify and reduce their cybersecurity risks through consulting, professional services, and technology. They work closely with leadership and IT teams to help them test and reinforce the security of their environment while meeting compliance requirements and best practices. Rigid Bits also helps businesses become more prepared to stop cyber-attacks and supports breach investigation efforts with their digital forensics and incident response services.
