Best way to email recipients of a hacked email account
Posted by ExLibrisMortis@reddit | sysadmin | 17 comments
We had an O365 user account get compromised, and it proceeded to send out an email blast to a couple thousand other email addresses. It looks to be a forward of the email that compromised this user's account.
Security steps to lock down the account and check for further damage have been completed already. MFA etc. have all been reset and the user educated.
I know that Microsoft has limits on email sending.
What is the best way to alert all those email addresses of the situation?
engageant@reddit
This may be an unpopular opinion, but I wouldn't do anything. You've mitigated the issue and taken further steps to prevent it from happening again. Don't raise more red flags by sending out an alert when there was no compromise of the recipient's data on your side.
Lukage@reddit
I'm gonna say this should be a popular opinion and the best action for the IT Department.
Ancient_Decision_132@reddit
Yes, we had a similar issue and our lawyers told us it’s best not to give an explanation to everyone potentially affected. That opens a can of worms.
ExLibrisMortis@reddit (OP)
C-stack is requesting the email be sent. We work at their behest /shrug
Unable-Entrance3110@reddit
We also had one recently. What really helped us is that we had previously set up outbound limits far below the Microsoft defaults. Therefore the malicious sender could only blast out a few hundred e-mails before being cut off, and we were notified.
Definitely want to look at your mail flow statistics and set your limits slightly above that.
SkidiKatKat@reddit
Have you done an email recall?
SmallBusinessITGuru@reddit
Post to your web site's news section.
If anyone complains, offer them a very generous $5 Ubar Eets gift card.
RatsOnCocaine69@reddit
Excuse you, it was $10!
Ancient_Decision_132@reddit
I recommend consulting your lawyers before sending out an alert about being hacked. Sadly, you can expose yourself to legal issues if other companies are financially impacted after being hacked themselves, or they may even try to blame unrelated security issues on you. Also, it's important to word the notice correctly if you do end up sending one.
cyberman0@reddit
FYI: check for hidden rules (PowerShell) or run Outlook with /cleanrules from Start. The rules can be made in such a way that they are not visible in the client or OWA.
If you have done all that, please ignore my blathering.
Vel-Crow@reddit
Message trace with the compromised sender as the sender.
Export all results.
Run a script to iterate through the recipient addresses. Pause between iterations to make sure you don't throttle yourself.
ExLibrisMortis@reddit (OP)
Gotcha ok. We have already exported the list of addresses so we're good there.
Any recommendations on a script for emailing those users?
Vel-Crow@reddit
I use Send-MailMessage: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.4
$users = Import-Csv C:\path\to\csv
# Define the SMTP server, credentials, From, Subject and Body (placeholder values)
$smtp = "smtp.example.com"
$cred = Get-Credential
$from = "it@example.com"; $subject = "Notice"; $body = "Notice text here"
foreach ($user in $users) {
    $to = $user.email
    Send-MailMessage -To $to -From $from -Subject $subject -Body $body -SmtpServer $smtp -Port 587 -UseSsl -Credential $cred
    Start-Sleep -Seconds 2   # pause between sends so you don't throttle yourself
}
ExLibrisMortis@reddit (OP)
Thank you! That'll get me started. Really appreciate it!
thortgot@reddit
Same way you'd do any kind of email forensics. Use compliance search to export the list of the emails affected.
ExLibrisMortis@reddit (OP)
Yeah, we got those. Just trying to figure out a way within our Microsoft tenant that we can reach out to those addresses without throttling.
thortgot@reddit
Do it in batches, the same way the original emails were sent.
They won't count against your external recipient limit since you already emailed them within the same period of time.
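As an added example, not code posted in the thread, here is a PowerShell script that ties Vel-Crow's trace-export-then-iterate approach to thortgot's batching advice: it deduplicates the message trace export, drops internal addresses, and sends the notice in Bcc batches with a pause between them. The CSV layout (a RecipientAddress column, as Get-MessageTrace emits), the sample rows, the domain, the batch size, the pause and the SMTP settings are all assumptions to adjust to your tenant and its sending limits.

```powershell
# Added example, not code from the thread. Assumes the trace export has a
# RecipientAddress column (as Get-MessageTrace emits); domain, SMTP settings,
# batch size and pause are placeholders to tune to your tenant's limits.

# Constructed sample standing in for the real export: duplicate and
# mixed-case rows, an internal recipient and a failed delivery are deliberate.
$traceCsv = @"
SenderAddress,RecipientAddress,Status
compromised-user@contoso.com,alice@fabrikam.com,Delivered
compromised-user@contoso.com,Alice@fabrikam.com,Delivered
compromised-user@contoso.com,bob@tailspin.com,Delivered
compromised-user@contoso.com,carol@contoso.com,Delivered
compromised-user@contoso.com,dave@tailspin.com,Failed
"@
$ownDomain = 'contoso.com'   # internal users are told through other channels
$batchSize = 50              # keep each batch under the tenant's recipient limit
$pauseSec  = 60              # pause between batches so the sender is not throttled
$dryRun    = $true           # set to $false to really send

# Keep only addresses that actually received the blast, normalize case,
# drop internal recipients and deduplicate.
$recipients = @($traceCsv | ConvertFrom-Csv |
    Where-Object { $_.Status -eq 'Delivered' } |
    ForEach-Object { $_.RecipientAddress.Trim().ToLowerInvariant() } |
    Where-Object { $_ -notlike "*@$ownDomain" } |
    Sort-Object -Unique)
Write-Host "$($recipients.Count) external recipient(s) to notify"

$mail = @{
    From       = 'it-notifications@contoso.com'   # placeholder sending mailbox
    Subject    = 'Notice about an email you received from us'
    Body       = 'Approved notification wording goes here.'
    SmtpServer = 'smtp.example.com'               # placeholder SMTP host
    Port       = 587
    UseSsl     = $true
}
if (-not $dryRun) { $mail.Credential = Get-Credential }
for ($i = 0; $i -lt $recipients.Count; $i += $batchSize) {
    $end   = [Math]::Min($i + $batchSize, $recipients.Count) - 1
    $batch = @($recipients[$i..$end])
    if ($dryRun) {
        Write-Host ("Batch {0}: {1}" -f (($i / $batchSize) + 1), ($batch -join ', '))
    } else {
        # Recipients go in Bcc so nobody sees the rest of the list; To is our own mailbox.
        Send-MailMessage @mail -To $mail.From -Bcc $batch
    }
    if ($end -lt $recipients.Count - 1) { Start-Sleep -Seconds $pauseSec }
}
```

With the constructed sample, the dry run reports two external recipients (alice@fabrikam.com and bob@tailspin.com) in a single batch; the internal address, the failed delivery and the duplicate row are dropped before anything is sent.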