Bank M365 email compromised

Posted by ITguydoingITthings@reddit | sysadmin | View on Reddit | 19 comments

I received an email from a bank employee (not a client, not my bank) that was clearly from an M365 compromised account. So I replied to the email as such, and since many of the times replies to these emails are redirected away from the user's inbox, I also contacted the bank with the info via a Contact Us from their website. The response (from their IT Team) was slightly frustrating: The message you received from \[user\] is Spam. Please delete the email and do not click on any of the links. I replied (and this was all via my biz email): Wasn't about to open them, but they were not spam...those were from a compromised account, which I hope has been rectified considering regulatory compliance. Maybe they are taking it seriously, but the response certainly didn't give me that assurance. Should I just drop it, or...?

Reply to Post

19 Comments

[-]

mn540@reddit

Horrible response. As a CISO, it would have gone to a security analyst for review.

[-]

cyberman0@reddit

Let's see, I would force lockout all sessions, reset account password and open outlook with "/cleanrules" then enforce MFA If it's not on. For kicks I would verify all rules are gone with powershell . Make sure the user understands that they shouldn't put outlook on a non company phone, get mdm going for them maybe on a company issued device if they need constant access. If a laptop explains they absolutely should only used approved internet connection or a hotspot from an mdm device under company control etc. The company should also have a security specialist to be notified typically. At least that's where my head goes.

[-]

Dump-ster-Fire@reddit

Excellent suggestions. For o365, there are some other tips online. [https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide](https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide)

[-]

ITguydoingITthings@reddit (OP)

See, you're thinking about resolving. And maybe they actually did. But what follows should then be more honest and transparent...that yes, this incident happened, these were the steps taken, and it's been resolved...

[-]

cyberman0@reddit

Oh of course. That just happens, but it should just be documented in the incident report. I'd honestly probably look at any other access the user had as it could of been compromised. Maybe reset other access on all their accounts across the board related their work/job. This is how they get backdoors into who knows what.

[-]

SirLoremIpsum@reddit

> Maybe they are taking it seriously, but the response certainly didn't give me that assurance. Should I just drop it, or...? Realistically what else can you do? They are not going to give out detailed information to someone via a web form, 'oh yes ITguydoingiTthings, we had an account compromised we are wiping all the computers and performing restores etc" You brought it to their attention and that is all you will ever get realistically right...?

[-]

mattmccord@reddit

Exactly. On the IT side, I would never disclose details to an unknown third party. I’m in data analytics now. Even when I’ve reported these things internally to IT all I get back is “we’ll look into it”

[-]

Danithal@reddit

Action is likely being taken on the bank side, Lawyers are often consulted. A compromise like that is no joke, but they can't mass email "One of our employees gave their account out so all the information they have is available theoretically to anyone." Mitigating damage is full focus at that point.

[-]

Forn1catorr@reddit

Could also be spoofed and indeed spam but you'd think they'd want to dig into it a bit more - the person responding probably isn't super concerned about IT security but their IT department "Should" be

[-]

ITguydoingITthings@reddit (OP)

Not spoofed. The response acknowledged it was from then. And it was absolutely their IT that responded...the web form submission went to their Director of Marketing, who then forwarded to them and asked them to respond. She even included a sad face emoji in that forward to them. 😂

[-]

Forn1catorr@reddit

If it's a publicly traded company they're obligated to report any breaches within a "reasonable" time .. think it's the SEC? Who enforces it could report them if you felt so inclined

[-]

etzel1200@reddit

This sounds like a pretty small operation. Hopefully they get it sorted out and ready up on CA policies.

[-]

100GbE@reddit

How do you know it's a compromised account and not a spoof, or an SMTP relay with loose security on top?

[-]

ITguydoingITthings@reddit (OP)

... unfortunately, experience. Plus the subject and encrypted attachment....

[-]

100GbE@reddit

I'm experienced too - Can you explain how you know it's compromised?

[-]

ITguydoingITthings@reddit (OP)

SPF, DMARC, looking at the entire email header...all good, all going through M365. Valid email, reply-to is the same, and maybe more important, their response (and part that I didn't include, in that the email from their website forwarded from their Director of Marketing to their IT to respond to, made it clear they knew about it, and that it was real.

[-]

rdesktop7@reddit

How do you know that the email was from that employee? m365 is completely useless at verifying where things come from, with no verification. Have you looked at the email headers? Where did the email originate?

[-]

cspotme2@reddit

That is a cya response or one where they think spam covers everything. It's why they said what they said to delete and not click any links. I've seen enough responses from "it directors" who choose to either intentionally put it this way or they have no freaking idea to say it's a phishing email.

[-]

chillzatl@reddit

I would not just drop it, but that's me. I'd contact the bank by phone and ask to speak to someone up the chain.