Business Email Compromise: Protections and Recovery


Business Email Compromise Protections and Recovery Actions

In June 2018, CrowdStrike published a blog post outlining capabilities for pulling forensic evidence from Microsoft Outlook after a business email compromise. Shortly afterwards, those capabilities were removed and are no longer available. We have increasingly been asked to assist with business email compromise cases, and there have been a few key takeaways from our research.

Unfortunately, if you are only using OWA or Outlook email and no other Microsoft services (such as Azure AD), your options for protecting yourself are limited. However, there are a few action items you can take before a compromise, and some activities you should carry out afterwards to patch things up.

Action Items Before a Breach

Some of these items are more valuable than others, but a defense-in-depth approach to securing your email is necessary. Almost all of the available security controls relate to passwords and authentication. All of these settings can be configured by your global administrator. For additional recommendations, your organization will want to use the Microsoft Security and Compliance Center.

Here’s a summary of recommendations:

  • Require password resets after a defined period of time
  • Do not allow password reuse
  • Require a strong password complexity policy
  • Require two-factor authentication
  • Turn on Audit Logging
  • Set up email alerts for predefined conditions

Here are some links from Microsoft that will help:

  • Password Policy
  • Password Complexity
  • Audit Logging
  • Email Alerting

How to Clean Up After a Breach

Should you have a breach, there are several action items you should take to restrict the compromised account and prevent further unauthorized access.

Using an administrator’s account, reset the compromised user’s password. Uncheck the option to send the new password via email.

(Admin > Users > Active Users > Compromised Account > Reset Password)

Check for forwarding addresses. Hackers will often configure mail forwarding during the compromise; if those settings remain in place, they continue to receive the user’s mail even after a password change or other security controls are applied.

(Mail Settings > Email Forwarding > Edit > Turn Off)

Double-check your Email Alert configuration to ensure you are detecting suspicious activities.

(Your organization can set alerts here)

Check for suspicious Inbox Rules

(Access compromised account > Gearbox Settings > Review rules > Disable/Delete Unauthorized Rules)

Check if the account has administrative privileges

(Remove administrative privileges until the account has been restored)

Review the audit logs to determine what happened with the compromised account (logins, rule changes, forwarding changes, and the source IP addresses involved).
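The forwarding, inbox-rule and audit-log steps above can be checked together by reading the audit log export rather than clicking through each mailbox. The script below is an added example written for this post, not Rigid Bits code or a Microsoft tool. It assumes each record is the AuditData JSON string that the Office 365 unified audit log attaches to Exchange operations (fields such as Operation, UserId, ClientIP and a Parameters list of Name/Value pairs); the sample records, addresses, IPs and the INTERNAL_DOMAINS set are constructed placeholders that you would replace with your own export and your own domains. It flags any rule or mailbox change that sends mail to an external address, and notes when the same rule also hides the mail from the user.

```python
import json
from typing import Iterable, List, Optional

# Constructed sample records, shaped like the AuditData JSON returned by the
# Office 365 unified audit log for Exchange operations. Every address, IP and
# timestamp here is made up for this example.
SAMPLE_AUDIT_DATA = [
    json.dumps({
        "CreationTime": "2019-03-04T08:12:33",
        "Operation": "New-InboxRule",
        "UserId": "jane@example.com",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "ForwardTo", "Value": "collector@attacker.example"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    }),
    json.dumps({
        "CreationTime": "2019-03-04T08:15:02",
        "Operation": "Set-Mailbox",
        "UserId": "jane@example.com",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Identity", "Value": "jane@example.com"},
            {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@attacker.example"},
            {"Name": "DeliverToMailboxAndForward", "Value": "True"},
        ],
    }),
    json.dumps({  # benign rule: moves newsletters to a folder, nothing leaves the tenant
        "CreationTime": "2019-03-04T09:40:10",
        "Operation": "New-InboxRule",
        "UserId": "bob@example.com",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Move newsletters"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@vendor.example"},
        ],
    }),
    json.dumps({  # a login event; not a configuration change, so it is skipped
        "CreationTime": "2019-03-04T10:01:00",
        "Operation": "UserLoggedIn",
        "UserId": "jane@example.com",
        "ClientIP": "203.0.113.45",
    }),
]

# Placeholder: the domains your organization owns. Anything else is "external".
INTERNAL_DOMAINS = {"example.com"}

# Operations that change where mail goes, and the parameters that matter.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}


def _params(record: dict) -> dict:
    """Flatten the Parameters list of {Name, Value} pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address: str) -> bool:
    """True when the address's domain is not one of ours (handles the smtp: prefix)."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    domain = addr.rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS


def analyse_record(raw: str) -> Optional[dict]:
    """Return a finding for one AuditData JSON string, or None if nothing is suspicious."""
    rec = json.loads(raw)
    if rec.get("Operation") not in RULE_OPERATIONS:
        return None
    params = _params(rec)
    reasons = []
    for name in sorted(params.keys() & FORWARDING_PARAMS):
        if _is_external(params[name]):
            reasons.append(f"{name} sends mail to external address {params[name]}")
    if not reasons:
        return None
    hiding = sorted(params.keys() & HIDING_PARAMS)
    if hiding:  # forwarding plus deletion/move is the classic "silent forward" pattern
        reasons.append("rule also hides the mail from the user: " + ", ".join(hiding))
    return {
        "time": rec.get("CreationTime"),
        "user": rec.get("UserId"),
        "client_ip": rec.get("ClientIP"),
        "operation": rec["Operation"],
        "rule_name": params.get("Name"),
        "reasons": reasons,
    }


def triage(records: Iterable[str]) -> List[dict]:
    """Run every exported record through analyse_record and keep the findings."""
    return [f for f in (analyse_record(r) for r in records) if f is not None]


def affected_users(findings: List[dict]) -> set:
    """Accounts whose forwarding or rules need the clean-up steps above."""
    return {f["user"] for f in findings}


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_DATA):
        print(f"{f['time']} {f['user']} from {f['client_ip']} {f['operation']}: "
              + "; ".join(f["reasons"]))
```

With a real export, feed the AuditData column of the CSV (or the JSON you save from the Security and Compliance Center) into triage(), then work through affected_users() with the reset, forwarding, rule and privilege steps described above. The client IPs on the findings are also the ones worth comparing against the login events for the same account.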

If your company has experienced an Office 365/OWA compromise, it may be time to start thinking about your security program. Typically, these issues can be solved through security awareness training and testing, defined policies and procedures, proper monitoring implementations, and activation of your incident response plan. Need some help? Rigid Bits offers services to help you protect your organization and reduce your overall risk exposure. Contact us today!