Another Office 365 Exploit Horror Story

Recently, another IT Managed Service Provider shared an all-too-familiar tale of a client whose Office 365 account was hacked and the problems that resulted. We thought we'd share the tale with you. This is a true story, but the identities have been removed to spare those involved the embarrassment of being identified.

A client who preferred to do most of their own IT support reported that all of their inbound and outbound email was bouncing with an error saying that a Yahoo mailbox did not exist. One of the MSP's engineers logged into their Office 365 tenant and found transport rules in place that were forwarding a copy of every inbound and outbound message to a Gmail account. That Gmail account was in turn forwarding to a Yahoo account that had since been deleted, and it was the failed delivery to that dead Yahoo mailbox that generated the bounce messages. In other words, the only reason the client noticed anything at all was that the attackers' own forwarding chain broke.

After fixing all of the tampered settings, he reached out to Microsoft to see what information could be gathered about how those rules got there. Audit logging was turned on for the tenant, but it only retained 90 days of history and the rule changes pre-dated that. That meant this compromise had gone undetected for at least three months.
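The two checks the engineer had to do by hand, finding every place mail was being forwarded out of the tenant and asking the audit log who put it there, can be scripted. The following is an added example written for this article, not the MSP's own script. It assumes the ExchangeOnlineManagement PowerShell module is installed and that the account used has Exchange administrator rights; the 90-day window matches the retention the story ran into.

```powershell
# Added example (not the MSP's script). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account is an Exchange administrator.
Connect-ExchangeOnline

# 1. Organization-wide transport (mail flow) rules. These apply to every
#    mailbox and were the mechanism used in this story. Any rule that
#    redirects, copies or adds recipients deserves a look, especially when
#    the destination is outside the organization.
Get-TransportRule | Where-Object {
    $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients
} | Format-List Name, State, WhenChanged, RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients

# 2. Forwarding set on the mailbox object itself (ForwardingSmtpAddress can
#    point at any external address and is easy to miss in the admin portal).
Get-Mailbox -ResultSize Unlimited | Where-Object {
    $_.ForwardingSmtpAddress -or $_.ForwardingAddress
} | Format-Table UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Per-mailbox inbox rules that forward or redirect. Attackers who hold a
#    single user's password rather than an admin's usually hide here.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    } | Select-Object @{n='Mailbox'; e={$_.MailboxOwnerId}}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 4. Who created or changed those rules, as far back as the unified audit
#    log reaches. With the default 90-day retention this is the limit the
#    engineer hit; anything older is simply gone. The client IP is inside
#    the AuditData JSON, so it is parsed out per record.
$end   = Get-Date
$start = $end.AddDays(-90)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations New-TransportRule, Set-TransportRule, New-InboxRule, Set-InboxRule, Set-Mailbox |
    Select-Object CreationDate, UserIds, Operations,
                  @{n='ClientIP'; e={ ($_.AuditData | ConvertFrom-Json).ClientIP }} |
    Sort-Object CreationDate | Format-Table -AutoSize
```

Two things follow from the story. First, removing the rules is not the fix; the password that let the attackers create them has to be changed and active sessions signed out, or the rules will be back. Second, the exfiltration channel itself can be closed ahead of time: Exchange Online's outbound spam filter policy has an `AutoForwardingMode` setting, and `Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off` blocks automatic forwarding to external addresses tenant-wide, so a rule like the one above would have failed to deliver on day one instead of after three months.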

Talking with the client further revealed that some of their customers had received invoices by email, apparently from the client, with instructions to wire payment to bank accounts the client did not own. The "bad guys" had been reading the client's mail for months through the forwarding rules, so they knew who the customers were, what was being invoiced and when, and they used their access to Office 365 to send the bogus invoices as the client. Worse yet, several customers did wire money, and thousands of dollars were misdirected to the "new" bank accounts. In one case alone the payment was more than $40,000. It looks like the total loss could exceed $100,000 in stolen funds.

The Managed Service Provider used a Dark Web investigative tool and determined that the password had probably been stolen back in 2016 by keylogger malware on one of the client's computers, a machine that was also used to administer the Office 365 accounts. A stolen administrator credential is what made tenant-wide transport rules possible rather than just a rule on one mailbox.

We have seen a sharp rise in these types of exploits, and it is projected to get even worse in the coming year. We advise all of our clients to consider Dark Web monitoring tools, such as our Dark Web Security Sentinel, to watch for leaked credentials belonging to their networks and users.

Local businesses should also be aware that more and more business liability insurance policies are excluding coverage for cyber-risks. Check with your insurance provider and ask for cyber-risk protection, either as an endorsement to your existing policy if available or as a separate cyber-risk policy, to protect your business.