Office 365 Hack
Security company Malwarebytes suspects a breach of its Office 365 and Azure tenancies is by the same attacker behind the SolarWinds hack, but reckons flaws in Azure Active Directory security are also to blame.
Malwarebytes, whose products include widely used anti-malware tools for consumers and businesses, said that it does not use SolarWinds but believes that the same attacker used 'another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments'.
Users of Microsoft's cloud-based Office 365 product are unaffected by the hack, the company said. Mandiant, another security firm, said in a blog post this week that it had witnessed multiple.
The attack was spotted because of suspicious activity reported by Microsoft's Security Response Center.
The intruder 'only gained access to a limited subset of internal company emails' said Malwarebytes, and there was no evidence of unauthorised access to internal or on-premises and production environments. Malwarebytes also checked its source code and build processes including 'reverse engineering our own software' but could not find any evidence of compromise, concluding that 'our software remains safe to use.'
How was Malwarebytes breached? There is some but not complete information on this subject in the company's report. On Microsoft's cloud, there are directory objects called service principals which can have privileges assigned to them. Service principals are specific to an Azure AD tenancy and represent an application in that tenancy. When admins give permission to an application, they actually give permissions to its service principal.
Users are not the same as applications, but there are techniques by which a user can log in as an application. To do this, admins can assign a password or a certificate to a service principal, and then log in as that service principal, thereby gaining the same privileges as the application.
Security researcher Dirk-jan Mollema considers this to be a vulnerability since it allows application administrators to escalate their privileges.
'I don't really see why credentials can be assigned to default service principals this way and what a possible legitimate purpose would be of this,' he said. 'In my opinion, it shouldn't be possible to assign credentials to first-party Microsoft applications. The Azure portal doesn't offer this option and does not display these 'backdoor' service principals credentials, but the APIs such as the Microsoft Graph and Azure AD Graph have no such limitations.' He reported the issue to Microsoft but was told that it was documented behaviour and therefore not a vulnerability.
Malwarebytes said this was the mechanism for its own breach. 'In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph,' the company said.
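As an added, defender-side illustration (not code from the article, Malwarebytes or Microsoft): an audit that walks a Microsoft Graph servicePrincipals export and flags the credentials the portal would not show, namely any certificate or secret attached to a service principal whose application is owned by another tenant (first-party Microsoft apps included), plus unusually long-lived credentials. The tenant ids and the export are constructed placeholders; the field names follow Graph's servicePrincipal resource.

```python
"""Audit an Azure AD service principal export for credentials that the
portal would not show (the persistence vector described above)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a Microsoft Graph
# GET /servicePrincipals?$select=id,displayName,appOwnerOrganizationId,
#   keyCredentials,passwordCredentials response; tenant ids are placeholders.
OUR_TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE = json.dumps({"value": [
    {"id": "sp-1", "displayName": "Office 365 Exchange Online",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "keyCredentials": [{"type": "AsymmetricX509Cert", "usage": "Verify",
                         "endDateTime": "2031-01-01T00:00:00Z"}],
     "passwordCredentials": []},
    {"id": "sp-2", "displayName": "Internal HR Sync",
     "appOwnerOrganizationId": OUR_TENANT,
     "keyCredentials": [],
     "passwordCredentials": [{"endDateTime": "2021-06-01T00:00:00Z"}]},
    {"id": "sp-3", "displayName": "Microsoft Graph",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222",
     "keyCredentials": [], "passwordCredentials": []},
]})

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def find_hidden_credentials(export_json, our_tenant, now=None, max_days=365):
    """Return (id, displayName, kind, reasons) for credentials that deserve
    review:
      - any credential on an app owned by another tenant (first-party
        Microsoft apps included): the portal does not list these, so an
        attacker-added certificate or secret is easy to miss there;
      - credentials whose validity exceeds max_days."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for sp in json.loads(export_json)["value"]:
        creds = [("certificate", c) for c in sp.get("keyCredentials", [])]
        creds += [("secret", c) for c in sp.get("passwordCredentials", [])]
        foreign = sp.get("appOwnerOrganizationId") != our_tenant
        for kind, c in creds:
            reasons = []
            if foreign:
                reasons.append("credential on app owned by another tenant")
            if _parse(c["endDateTime"]) - now > timedelta(days=max_days):
                reasons.append(f"validity longer than {max_days} days")
            if reasons:
                findings.append((sp["id"], sp["displayName"], kind, reasons))
    return findings
```

Run it against a real export by replacing SAMPLE with the Graph response body and OUR_TENANT with your tenant id; every hit should map to a known, documented integration.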
It is still necessary to have privileges in order to escalate them, so what was the initial attack against Malwarebytes? This detail is not revealed. The nearest thing is a reference to this US government advisory, which states that password guessing or unsecured service credentials might (in the general case) be used to compromise an Azure AD environment. Since Malwarebytes says that its internal network was not breached, logic dictates that some external method like this was used.
Malwarebytes' report shines the spotlight on Azure AD security. In this context, the recent FireEye report on monitoring Azure AD security is relevant, noting also that the widely used AD Connect tool, which synchronises on-premises Active Directory with Azure AD, means that villains with unauthorised access to on-premises AD can soon extend their access to the cloud environment. In a report from March 2019, Mollema showed how an AD Connect server can be exploited to gain full privileges on Azure AD.
Symantec has recently reported on the 'Raindrop' malware, which it believes is sometimes deployed by a compromised SolarWinds installation. Raindrop allows remote command and control. Symantec noted activity on a victim's computer that installed DSInternals, which they say 'is a legitimate tool which can be used for querying Active Directory servers and retrieving data, typically passwords, keys, or password hashes.'
Securing Azure AD is challenging, and Malwarebytes references the CrowdStrike tool as useful for mitigation. Along with the tool, CrowdStrike lists a range of steps admins can take, including reviewing access awarded to third parties such as partners and resellers, limiting objects synchronised with AD Connect, cleaning up unused applications registered with Azure AD, enforcing multi-factor authentication for all users, and reviewing Exchange for suspicious rules such as mailbox forwarding.
Microsoft's hybrid approach to the cloud increases the number of possible attacks, but without Microsoft's security intelligence tools picking up suspicious activity, Malwarebytes might still be unaware of the breach of its systems.
Note
Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information about this change, read this blog post.
Problem
You may have issues when you try to sign in to Microsoft Office 365. Or, you notice that suspicious activity occurs in your account, such as large amounts of spam that originate from your account.
You may also experience one or more of the following issues:
- The Sent or Deleted Items folders in Microsoft Outlook or in Microsoft Outlook Web App contain common hacked-account messages, such as 'I'm stuck in London, send money.'
- Unusual profile changes, such as updates to the name, the telephone number, or the postal code.
- Unusual credential changes, such as multiple required password changes.
- Mail forwarding was recently added.
- An unusual signature was recently added, such as a fake banking signature or a prescription drug signature.
Solution
Even after you've regained access to your account, the attacker may have added back-door entries that enable the attacker to resume control of the account.
To help resolve these issues, you must perform all the following steps within five minutes of regaining access to your account to make sure that the hijacker doesn't resume control of your account. These steps help you remove any back-door entries that the hijacker may have added to your account. After you perform these steps, we recommend that you run a virus scan to make sure that your computer isn't compromised.
Step 1: Make sure that your computer isn't compromised
- Make sure that you have Windows Update turned on.
- If antivirus software isn't installed on your computer, we recommend that you install antivirus software and then run a scan to make sure that no malicious software is installed on the computer. You can download free anti-malware or antivirus software from Microsoft.
Step 2: Make sure that the attacker can't log on to your Office 365 account
- Change your password immediately. Make sure that the password is strong and that it contains upper and lowercase letters, at least one number, and at least one special character.
- Don't reuse any of your last five passwords. Even though the password history requirement lets you reuse a more recent password, you should select something that the attacker can't guess.
- If your on-premises identity is federated with Office 365, you must change your password on-premises, and then you must notify your administrator of the compromise.
Step 3: Make sure that the attacker can't resume access to your account
- Make sure that the Exchange account doesn't auto-forward addresses. For more information, go to the following webpage:
- Make sure that the Exchange server isn't sending auto-replies.
- Make sure that your contact information, such as telephone numbers and addresses, is correct.
Step 4: Additional precautionary steps
- Make sure that you verify your sent items. You may have to inform people on your contacts list that your account was compromised. The attacker may have asked them for money, claiming, for example, that you were stranded in a different country and needed money, or the attacker may send them a virus to also hijack their computers.
- Any other service that used this Exchange account as its alternative email account may have been compromised. First, perform these steps for your Office 365 subscription, and then perform these steps for your other accounts.
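An added example (not from the Microsoft article) that automates the Step 3 checks, and the suspicious-rule review recommended earlier on this page, over an exported mailbox configuration: mailbox-level forwarding, enabled inbox rules that forward externally or delete matching mail, and an active auto-reply. The export is constructed; it assumes the property names of Get-Mailbox, Get-InboxRule and Get-MailboxAutoReplyConfiguration as serialised by ConvertTo-Json, and contoso.example as the tenant's own domain.

```python
"""Audit a mailbox export for the back-door entries the steps above
describe: forwarding, inbox rules that forward or hide mail, auto-replies."""
import json

INTERNAL_DOMAINS = {"contoso.example"}   # placeholder: the tenant's own domains

# Constructed sample in the shape of Exchange Online cmdlet output
# (Get-Mailbox, Get-InboxRule, Get-MailboxAutoReplyConfiguration) piped
# through ConvertTo-Json; property names follow those cmdlets (assumed).
SAMPLE = json.dumps({
    "mailbox": {"ForwardingSmtpAddress": "smtp:collect@attacker.example",
                "ForwardingAddress": None, "DeliverToMailboxAndForward": True},
    "inboxRules": [
        {"Name": ".", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
         "DeleteMessage": True, "SubjectContainsWords": ["hacked", "compromised"]},
        {"Name": "Newsletters", "Enabled": True, "ForwardTo": [],
         "RedirectTo": [], "DeleteMessage": False, "MoveToFolder": "News"},
        {"Name": "Old", "Enabled": False, "ForwardTo": ["x@attacker.example"],
         "RedirectTo": [], "DeleteMessage": False},
    ],
    "autoReply": {"AutoReplyState": "Enabled",
                  "ExternalMessage": "I'm stuck in London, send money."},
})

def _is_external(addr):
    """True for an address outside INTERNAL_DOMAINS (strips the smtp: prefix)."""
    addr = (addr or "").lower()
    addr = addr[5:] if addr.startswith("smtp:") else addr
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def audit_mailbox(export_json):
    """Return (check, detail) pairs an admin should clear before trusting
    the account again. Disabled rules are skipped."""
    d, findings = json.loads(export_json), []
    mb = d["mailbox"]
    for key in ("ForwardingSmtpAddress", "ForwardingAddress"):
        if _is_external(mb.get(key)):
            findings.append(("mailbox-level forwarding", f"{key}={mb[key]}"))
    for rule in d["inboxRules"]:
        if not rule.get("Enabled"):
            continue
        targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
        if any(_is_external(t) for t in targets):
            findings.append(("inbox rule forwards externally", rule["Name"]))
        if rule.get("DeleteMessage") and rule.get("SubjectContainsWords"):
            findings.append(("inbox rule deletes matching mail", rule["Name"]))
    if d["autoReply"].get("AutoReplyState", "Disabled") != "Disabled":
        findings.append(("auto-reply enabled", d["autoReply"].get("ExternalMessage")))
    return findings
```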
More information
These issues may occur when your Office 365 subscription has been compromised. In this case, your compromised accounts may be blocked to protect you and your contacts and help you recover your account.
For more information about phishing scams and fraudulent email messages, go to the following websites: