365 Problem
Posted by mdhorton404@reddit | sysadmin | 31 comments
I have a client who moved their domain mail to Microsoft 365. They got hacked a few months ago and kept trying to disconnect the hacker by changing passwords, to no avail. I got involved and decided, since we could not see any logins except from within the company, to reboot all the routers and switches. That seemed to stop the problem. Now, a month later, some of their customers are getting invoices saying they owe money and to send payment via ACH. We have looked again and see no unauthorized logins. Thankfully, the bank where the ACH was being sent flagged them as suspicious and froze the account; however, companies are still getting invoices. We still don't see any suspicious logins.
I think the emails are coming from somewhere else, but I have not been successful in getting the headers to see if they are spoofed or not. Anyone have any suggestions on how we should proceed? I am not a 365 expert, but have run mail servers for 30 years. Microsoft's security is really lax.
crystalbruise@reddit
Classic BEC pattern - attacker likely set inbox rules or registered an OAuth app to send silently. Check mail flow rules, connected apps, and delegated permissions. This is exactly where ITDR is critical - it shows the full timeline of attacker actions inside the tenant. Guardz has ITDR built in, alongside Check Point email security, so you catch and reconstruct what native M365 logs miss.
LeidaStars@reddit
This is a textbook BEC scenario. The attacker likely established persistence after the initial compromise so simply resetting the password won’t fully remediate the issue. Review mail flow rules, delegated access, and connected applications. An ITDR solution is appropriate here, as it can reconstruct the attacker’s activity timeline within the tenant. Guardz, with built-in ITDR and Check Point email security, enables you to trace exactly what actions occurred and when.
CherrySnuggle13@reddit
Classic BEC pattern. The attacker almost certainly set silent inbox rules or registered an OAuth app after the initial compromise, so password resets alone will not remove persistence. Pull your mail flow rules, delegated permissions, and connected app list. ITDR is the right tool here because it reconstructs the full attacker action timeline inside the tenant, and Guardz has ITDR built in alongside Check Point email security so you can trace exactly what happened and when.
Embarrassed-Gur7301@reddit
So ask your customer to ask their customer for the original email instead of chasing your tail.
mdhorton404@reddit (OP)
That is what we are trying to get them to do, but so far, no go. The client who is receiving the bad emails is just paying them, lol. They supposedly called my client to confirm, but I suspect that they called a number provided by the bad actor, because the client says they didn't receive a call.
roll_for_initiative_@reddit
To be direct:
This isn't on MS, your client basically let them in
You haven't done the basic email account remediation steps that are available online, and it sounds like you don't even know how.
Rebooting the router and switches has nothing to do with anything. And if it did, and they got in because of a firewall or switch security exploit, rebooting them wouldn't prevent them from just doing it again.
M365 account remediation is one of the only services we offer to businesses outside of a managed services agreement as a one-time engagement. Pricing starts at $2500 and goes up from there; that should give you an idea of the effort involved to not only resolve this, but provide actionable reporting.
mark35435@reddit
Some mods prevent suggesting AI, but I've found it great for such stuff: "my system is x y z and I'd like to check all possible security settings to ensure we are safe from attack and have not already been compromised." It'll check the email header as well if one of your customers forwards the email as an attachment. Frankly though, you're clearly out of your depth.
Fatel28@reddit
This could also be typed into Google and you'd find non hallucinated answers
CorrectMachine7278@reddit
I suspect they run Outlook with Office 365 email on iPhones or mobile phones. I've had 4 accounts run into something similar. Took me forever to figure it out the first time it happened. I had my customer uninstall Outlook from mobile phones to resolve it. We added it back months later; the problem did not return.
woemoejack@reddit
I can fix this for you but my contracting rate is $125/hr, minimum 4 hours.
MSPInTheUK@reddit
Given that your solution to a suspected Microsoft 365 account compromise was to reboot the network equipment, the kindest advice would be for the client to find an IT provider that actually knows what they are doing. You seem to be in the ‘knows enough to be dangerous’ camp.
tndsd@reddit
Please make sure the domain has SPF, DKIM, and DMARC configured correctly to help protect against spoofing. SPF should only include authorized sending servers, and DKIM must be enabled in Microsoft 365. DMARC should be set with at least a quarantine or reject policy.
You can check the full email headers of the suspicious messages to identify the actual sending IP address and review the “Received” chain. This will confirm whether the messages were sent from your Microsoft 365 tenant or spoofed from an external server.
If there are no unauthorized logins showing in Microsoft 365 audit logs, it is very likely these invoices are being spoofed from outside your environment rather than sent from the compromised account.
Unfortunately, some of these scam emails can still pass through recipient systems even when Microsoft 365 security is properly configured. That’s why proper domain authentication (SPF/DKIM/DMARC) and monitoring DMARC reports are very important.
ArcaneGlyph@reddit
Plug the domain into mxtoolbox.com email super tool and make sure it passes all the tests for email. As said above, without these in place you can be spoofed.
Pure_Fox9415@reddit
Wdym "I have not been successful in getting the headers"? They did not send this mail to you for forensics?
Pristine_Curve@reddit
Contact your cyber insurance carrier to report the breach, ideally via phone. Engage with the security specialist that they send. Or if this is not available engage a security consultant.
Not enough detail in your post to close any of the normal avenues of investigation, nor to really understand the context of your environment. Any guidance would boil down to "start a comprehensive incident response process."
trebuchetdoomsday@reddit
LOL, their what?
RagnarTheRagnar@reddit
I have a creeping thought that they aren't actually within the tenant, but are using Direct Send to bounce emails off the O365 instance to submit them to clients. Basically I submit bad emails directly to the O365 endpoint like a poorly configured app/scanner is, and then O365 not having a clue will attempt to deliver the email. In our case, either to the internal user as a spoof or directly to the other tenant they are targeting as a valid invoice.
Usually this problem happens because O365 isn't configured to reject messages that don't arrive from a third-party email filter service or from other non-specific sources. You need a mail flow rule that blocks all messages that don't arrive from that trusted endpoint. Otherwise you should disable Direct Send and make sure all apps/services are identified via Connectors in Exchange Online. May break scanners or scan-to-email if you use it.
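The header check tndsd describes above and the Direct Send pattern described in this comment come down to the same question: find the first Received hop where a Microsoft host accepted the message and look at who handed it over. If that hop's sender is itself an Exchange Online host, the message was submitted from inside the tenant (a compromised mailbox or app); if it is an outside IP talking to the tenant's `mail.protection.outlook.com` endpoint with an internal From address and failing SPF, that is the Direct Send case; if no Microsoft hop exists at all, the message never touched the tenant and is an external spoof. The Python below is an added example, not code from the thread or from Microsoft; the three messages are constructed, and the Exchange Online hostname suffixes it keys on are an assumption about typical headers rather than a published list.

```python
"""Classify where a suspicious invoice e-mail entered the mail path by walking its
Received chain. Added example; the sample messages are constructed and the
Microsoft host suffixes are an assumption about typical Exchange Online headers."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hostname suffixes treated as hops inside Exchange Online (assumed, not exhaustive).
MS_SUFFIXES = (".mail.protection.outlook.com", ".prod.outlook.com",
               ".outbound.protection.outlook.com", ".exchangelabs.com")
HOP_RE = re.compile(r"\bfrom\s+(\S+)(.*?)\bby\s+(\S+)")
IP_RE = re.compile(r"((?:\d{1,3}\.){3}\d{1,3}|(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4})")

SAMPLES = {  # constructed messages, not real traffic
    "direct_send": (
        "Received: from DM6PR01MB1234.prod.exchangelabs.com (2603:10b6:5:1::20) by DM6PR01MB5678.prod.exchangelabs.com with HTTPS; Tue, 4 Jun 2024 14:02:11 +0000\n"
        "Received: from mail-xyz.example.net (198.51.100.23) by contoso-com.mail.protection.outlook.com (10.0.0.1) with Microsoft SMTP Server; Tue, 4 Jun 2024 14:02:09 +0000\n"
        "Authentication-Results: spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=contoso.com; dkim=none header.d=none; dmarc=fail action=none header.from=contoso.com\n"
        "From: Accounts Payable <ap@contoso.com>\nTo: customer@example.org\n"
        "Subject: Invoice 4471 - updated ACH details\n\nPlease remit to the new account.\n"),
    "tenant_submission": (
        "Received: from DM6PR01MB1234.prod.exchangelabs.com ([fe80::1]) by DM6PR01MB1234.prod.exchangelabs.com ([fe80::1]) with mapi id 15.20.7633.021; Tue, 4 Jun 2024 15:10:02 +0000\n"
        "Authentication-Results: spf=none; dkim=none header.d=none; dmarc=none header.from=contoso.com\n"
        "From: Accounts Payable <ap@contoso.com>\nTo: customer@example.org\n"
        "Subject: Invoice 4471 - updated ACH details\n\nPlease remit to the new account.\n"),
    "external_spoof": (
        "Received: from mx.example.org (203.0.113.5) by inbound.example.org with ESMTP; Tue, 4 Jun 2024 16:00:00 +0000\n"
        "Received: from bulk-sender.example.net (198.51.100.77) by mx.example.org with ESMTP; Tue, 4 Jun 2024 15:59:58 +0000\n"
        "Authentication-Results: example.org; spf=fail smtp.mailfrom=contoso.com; dkim=none; dmarc=fail header.from=contoso.com\n"
        "From: Accounts Payable <ap@contoso.com>\nTo: customer@example.org\n"
        "Subject: Invoice 4471 - updated ACH details\n\nPlease remit to the new account.\n"),
}


def is_microsoft_host(host):
    return host.lower().endswith(MS_SUFFIXES)


def parse_hops(msg):
    """Received headers oldest-first, each as {'from', 'ip', 'by'}."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(" ".join(str(hdr).split()))
        if m:
            ip = IP_RE.search(m.group(2))  # the (ip) / [ip] part after the from-host
            hops.append({"from": m.group(1).strip(";,"),
                         "ip": ip.group(1) if ip else None,
                         "by": m.group(3).strip(";,")})
    return hops


def classify_origin(raw, tenant_domain):
    """Return a dict with the verdict and the evidence it rests on."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    spf = re.search(r"\bspf=(\w+)", auth)
    hops = parse_hops(msg)
    result = {"from_domain": from_domain, "spf": spf.group(1) if spf else "none",
              "connecting_ip": hops[0]["ip"] if hops else None, "verdict": None}
    # The first hop accepted by a Microsoft host is where the tenant saw the message.
    entry = next((h for h in hops if is_microsoft_host(h["by"])), None)
    if entry is None:
        result["verdict"] = "external-spoof"        # never passed through the tenant
    elif is_microsoft_host(entry["from"]):
        result["verdict"] = "tenant-submission"     # Outlook/OWA/app inside the tenant
    else:
        result["connecting_ip"] = entry["ip"]
        if (entry["by"].lower().endswith(".mail.protection.outlook.com")
                and from_domain == tenant_domain.lower() and result["spf"] != "pass"):
            result["verdict"] = "direct-send"       # outsider used the inbound endpoint
        else:
            result["verdict"] = "external-relay"    # connector or listed sender; check SPF
    return result


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = classify_origin(raw, "contoso.com")
        print(f'{name:<18} verdict={r["verdict"]:<18} ip={r["connecting_ip"]} spf={r["spf"]}')
```

Each verdict points at a different next step: `tenant-submission` means the mailbox or an app in the tenant is still sending and the audit log search should be widened to non-interactive sign-ins and Graph activity; `direct-send` means the inbound endpoint is accepting unauthenticated mail for the domain and the connector/mail-flow restriction above applies; `external-spoof` means the fix is on the DMARC side. The customer has to supply the original message with headers for any of this to work, which is the point several commenters make.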
dmarclytics@reddit
The domain you are trying to protect: have you set up DMARC? It may not be coming from inside the organisation and may be phishing. I would recommend setting up DMARC to get visibility of who is sending, and then lock it down.
mdhorton404@reddit (OP)
We do have DMARC, SPF and DomainKeys. If I could see the original header I could see where they are coming from.
rubbishfoo@reddit
I'd find out what email address these are being sent from. Potentially, you've found your 'threat actor in the mailbox' at this point. Expire sessions, revoke auth'd devices, revoke MFA methods, change password, disable account. Next, contact the user to see where access could have been compromised.
dmarclytics@reddit
Great. Are you reviewing your rua (aggregate) reports? Are you only seeing Microsoft 365 on there? In your rua reports you will be able to see the sending server IP address, the SPF return-path and the DKIM selector used.
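This comment (and the same commenter's follow-up further down) is the one lead the OP can act on without the customer's cooperation: every DMARC aggregate report already lists the source IPs that sent as the domain, their SPF/DKIM results and the DKIM selector. The Python below is an added example, not from the thread or from any DMARC vendor: it parses the RFC 7489 aggregate XML format, totals the messages that failed DMARC, and lists failing sources outside an allowlist. The report and the allowlist are constructed.

```python
"""Summarise a DMARC aggregate (rua) report: which IPs sent as the domain, with
what SPF/DKIM results, and whether the published policy would have blocked the
failures. Added example; the report and the allowlist below are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>example.org</org_name><report_id>constructed-1</report_id>
    <date_range><begin>1717459200</begin><end>1717545600</end></date_range></report_metadata>
  <policy_published><domain>contoso.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><envelope_from>contoso.com</envelope_from><header_from>contoso.com</header_from></identifiers>
    <auth_results><dkim><domain>contoso.com</domain><selector>selector1</selector><result>pass</result></dkim>
      <spf><domain>contoso.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><envelope_from>contoso.com</envelope_from><header_from>contoso.com</header_from></identifiers>
    <auth_results><spf><domain>contoso.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_rua(xml_text, authorized_cidrs):
    """Parse one aggregate report; authorized_cidrs lists networks allowed to send."""
    nets = [ipaddress.ip_network(c) for c in authorized_cidrs]
    root = ET.fromstring(xml_text)
    published = root.findtext("policy_published/p", default="none")
    summary = {"domain": root.findtext("policy_published/domain"), "policy": published,
               "records": [], "unauthorized": [], "failing_messages": 0,
               "failures_blocked": published in ("quarantine", "reject")}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        r = {
            "source_ip": ip,
            "count": int(rec.findtext("row/count", default="0")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "spf": rec.findtext("row/policy_evaluated/spf"),     # aligned SPF result
            "dkim": rec.findtext("row/policy_evaluated/dkim"),   # aligned DKIM result
            "envelope_from": rec.findtext("identifiers/envelope_from"),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim_selector": rec.findtext("auth_results/dkim/selector"),
            "in_allowlist": any(ipaddress.ip_address(ip) in n for n in nets),
        }
        # DMARC passes when either aligned identifier passes.
        r["dmarc"] = "pass" if "pass" in (r["spf"], r["dkim"]) else "fail"
        if r["dmarc"] == "fail":
            summary["failing_messages"] += r["count"]
            if not r["in_allowlist"]:
                summary["unauthorized"].append(r)
        summary["records"].append(r)
    return summary


if __name__ == "__main__":
    s = summarize_rua(SAMPLE_REPORT, ["203.0.113.0/24"])  # allowlist is constructed
    for r in s["records"]:
        print(f'{r["source_ip"]:>15} count={r["count"]:<3} spf={r["spf"]} dkim={r["dkim"]} '
              f'selector={r["dkim_selector"]} dmarc={r["dmarc"]} allowlisted={r["in_allowlist"]}')
    print(f'p={s["policy"]}: {s["failing_messages"]} failing messages, '
          f'blocked by policy={s["failures_blocked"]}')
```

The `failures_blocked` flag is the part worth watching: with `p=none` the report only tells you about the spoofed invoices after the fact, which is why tndsd's advice to move to quarantine or reject once the legitimate senders are accounted for matters.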
EroticTragedy@reddit
You did say that the client moved their domain mail to 365, what were they using before? Another PoP client, Workspace, Webmail? Could it be possible that it's someone within the company itself that is taking advantage of their own position? I ask this because it's not the first time I have heard and dealt with this specific problem and unfortunately there's usually some kind of bad actor. Any new email addresses added to the network?
IRideZs@reddit
A bad actor compromised an internal account. OP didn’t change the password or enable MFA on any account so the bad actor is sending different direct deposit details to the clients and the employee is not educated enough to avoid phishing scams. Classic situation tbh
OR
The clients themselves are receiving spoofed emails and are not educated enough to understand the difference
Likely the first scenario based on OP's responses and description. Has nothing to do with rebooting infrastructure equipment or changing mail providers.
Fritzo2162@reddit
Fun bit of trivia:
If someone spoofs the email of someone in the company (i.e. sallyg@mycompany.com) it can bypass your spam filtering if you're not set up to do intra-domain spam checking. Make sure your anti-spoofing tools and Exchange transport rules are tweaked to prevent this.
SukkerFri@reddit
I just recently found an Enterprise App in my org with the Microsoft Graph permission "mail.send" and with no limitations (no Application Access Policy). So if you have one of those lying around, or an Enterprise App recently created, I would strongly advise taking a look at that.
I get that a normal user just can't use that app, but with the things you are describing, it's more than just a user that's been compromised.
I've also heard about mail connectors routing all mails from specific senders (finance, for example) through a proxy, which changes bank information automatically on certain invoices above xxxxx amount of money.
You do not mention how big this tenant is, but you should consider creating another tenant and starting over, unless you can pay somebody who would put a year's wage on the line for fixing it. If somebody says "Yup, that _should_ fix it", just switch tenants...
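Two persistence artefacts come up repeatedly in this thread: silent inbox rules (the early comments) and an app registration granted an unrestricted `Mail.Send` application permission (this comment). Both survive a password reset, and both can be found by exporting the tenant's data and running a few checks over it. The Python below is an added example, not code from the thread or from Microsoft. The record shapes are modelled on Microsoft Graph mailbox-rule and app-role-assignment objects as an assumption: a real export returns a folder id rather than a name for `moveToFolder`, the app-role GUID rather than its name, and has no `restrictedByAccessPolicy` field, so those three are resolved or looked up beforehand. The sample records are constructed.

```python
"""Flag BEC persistence artefacts in data exported from a tenant: inbox rules that
hide or divert mail, and app grants of mail-sending permissions with no access
policy narrowing them. Added example; record shapes are modelled on Microsoft
Graph objects (assumption) and the sample records are constructed."""

INTERNAL_DOMAINS = {"contoso.com"}  # assumed tenant domain
BEC_KEYWORDS = ("invoice", "payment", "ach", "wire", "remit", "bank")
# Folders users rarely open; a common hiding place for rule-diverted mail.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive"}
# Application permissions that let an app read or send mail as any mailbox.
RISKY_APP_PERMISSIONS = {"Mail.Send", "Mail.ReadWrite", "MailboxSettings.ReadWrite",
                         "full_access_as_app"}


def is_external(address):
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def audit_inbox_rule(rule):
    """Return reasons this rule looks like BEC persistence (empty list = nothing seen)."""
    reasons = []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for recipient in actions.get(key, []):
            addr = recipient["emailAddress"]["address"]
            if is_external(addr):
                reasons.append(f"{key} sends mail to external address {addr}")
    if actions.get("delete"):
        reasons.append("deletes matching mail")
    # Graph returns a folder id here; the sample carries the resolved display name.
    folder = (actions.get("moveToFolder") or "").lower()
    if folder in HIDE_FOLDERS:
        reasons.append(f"moves matching mail to rarely viewed folder '{folder}'")
    if actions.get("markAsRead"):
        reasons.append("marks matching mail as read")
    terms = [t.lower() for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
             for t in conditions.get(key, [])]
    if any(kw in term for term in terms for kw in BEC_KEYWORDS):  # substring match
        reasons.append("filters on invoice/payment keywords: " + ", ".join(terms))
    if len(rule.get("displayName", "").strip()) <= 2:
        reasons.append("rule name is empty or a single character")
    return reasons


def audit_app_grants(grants):
    """Return grants of mail permissions on Graph/Exchange that no access policy limits."""
    return [g for g in grants
            if g.get("resourceDisplayName") in ("Microsoft Graph", "Office 365 Exchange Online")
            and g.get("appRoleValue") in RISKY_APP_PERMISSIONS
            and not g.get("restrictedByAccessPolicy", False)]  # constructed field


SAMPLE_RULES = [  # constructed: one ordinary rule, one typical BEC rule
    {"displayName": "Newsletters", "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "conditions": {"subjectContains": ["invoice", "ach", "payment"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True,
                 "forwardTo": [{"emailAddress": {"address": "ap.contoso@example.net"}}]}},
]
SAMPLE_GRANTS = [  # constructed; appRoleValue is the role id already resolved to its name
    {"principalDisplayName": "Invoice Sync Connector", "resourceDisplayName": "Microsoft Graph",
     "appRoleValue": "Mail.Send", "createdDateTime": "2024-05-28T03:14:00Z",
     "restrictedByAccessPolicy": False},
    {"principalDisplayName": "Scanner Upload", "resourceDisplayName": "Microsoft Graph",
     "appRoleValue": "Files.ReadWrite.All", "createdDateTime": "2023-01-10T09:00:00Z",
     "restrictedByAccessPolicy": False},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(f'rule {rule["displayName"]!r}: {audit_inbox_rule(rule) or "no findings"}')
    for g in audit_app_grants(SAMPLE_GRANTS):
        print(f'app {g["principalDisplayName"]!r} holds {g["appRoleValue"]} '
              f'since {g["createdDateTime"]} with no access policy')
```

The creation timestamp on a flagged grant is worth comparing against the date of the original compromise; an app granted mail permissions in that window with no business owner is the kind of finding that explains sending with no interactive sign-ins.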
IRideZs@reddit
r/techsupport
Due_Peak_6428@reddit
If you can't even figure out where an email is coming from, then you're cooked. Hire someone that can do the bare minimum.
solracarevir@reddit
OP is probably the "Bare Minimum" they hired.
Gramuny@reddit
Is this serious? I feel sorry for your client. Please escalate this immediately to someone who actually knows what they’re doing. That’s the bare minimum one should expect from a service provider.
dmarclytics@reddit
Great to know you have DMARC setup but are you reviewing your aggregate reports from DMARC to identify what services are sending on your behalf?
matt0_0@reddit
They need to find someone who has experience locking down M365. Everything from Exchange Online, to Defender (many different pieces of just Defender) and especially Entra with Conditional Access policies.
Do their current licenses include at least Entra ID P1?