Hacked by legacy authentication O365 question?

Posted by Sdubbya2@reddit | sysadmin | View on Reddit | 12 comments

Hey guys, I'm helping out a company that didn't have legacy authentication disabled on their tenant, a user was hacked and they bypassed MFA using that method. The account was shut down and kicked out within about 10-15 minutes after they sent a phishing email to a bunch of people. My main question is, are there anyways to find out how much if any of the mail from the mailbox was downloaded? Also besides obviously disabling legacy authentication which has been done and verifying everyone is on 2 factor authentication/resetting all user passwords, are there settings changes you guys would suggest?

Reply to Post

12 Comments

[-]

bigrigtrig@reddit

If the exchange logs were turned on that include MailItemsAccessed, you would be able to see what was observed at the time. That's assuming it was turned on. But I believe Microsoft did make those logs available even without an E5 license, after that hack a while back. Building out some conditional access policies might help in the future, depending on how your users access M365 resources.

[-]

The-CS-Machine@reddit

I thought legacy auth was disabled in all 365 tenants last year?

[-]

Sdubbya2@reddit (OP)

Is that if the tenant was created after last year? I also heard something about Microsoft back tracking after that? I had to add a conditional access policy for it as they didn’t have one there

[-]

The-CS-Machine@reddit

Beginning in early 2021, we started to disable Basic authentication for existing tenants with no reported usage. Beginning in early 2023, we disabled Basic authentication for all tenants who had any type of extension. https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-time-s-up/ba-p/3695312

[-]

Sdubbya2@reddit (OP)

Weird I’m still seeing attempts blocked by legacy auth but I’m guessing that means the person got phished with either getting a token or man in the middle? I’m honestly not well versed in all this stuff just trying to do my best to get them more protected

[-]

The-CS-Machine@reddit

If you seeing attempted blocked by legacy auth that is a good thing. It means someone is trying to connect using legacy auth and it is being denied. I suspect it’s something else.

[-]

Sdubbya2@reddit (OP)

Yeah I think it was phishing, I just don’t know how user doesn’t remember anything. Worried about it happening again

[-]

sleightof52@reddit

Probably this attack: https://www.hypr.com/security-encyclopedia/adversary-in-the-middle

[-]

The-CS-Machine@reddit

My tenant was created in 2015, and Microsoft turned off legacy auth last year. I thought it was for everyone.

[-]

Sdubbya2@reddit (OP)

Does it show a conditional access policy for you? Or would it not show if they do it by default? The other thing would possibly be a token phishing attack? I added a policy for non persistent browser tokens as well do you think there are any other good adds on that front?

[-]

The-CS-Machine@reddit

I’m pretty sure it doesn’t appear anywhere as an option anymore.

[-]

Sdubbya2@reddit (OP)

It was a template option for me when I added it. Any idea why bad actors would still be attempting these attacks if Microsoft has disabled them by default?