Hacked Microsoft Office 365 Investigation

Hacked Microsoft Office 365 Accounts

Phishing attacks against Office 365 are on the rise. Spear phishing and social engineering are used to steal O365 user data, including login credentials: an attacker, masquerading as a trusted entity, dupes a victim into opening an email that contains a link to a file supposedly shared via SharePoint. These Office 365 attacks are a form of spear phishing: email spoofing attacks aimed at a specific organisation or individual, seeking unauthorised access to sensitive information such as email accounts or file shares.

The common Office 365 attack starts when the target, an O365 user, receives an email with a link to a SharePoint document, the kind of message Office 365 users receive every day within their organisation, since SharePoint is standard at millions of companies. The email is spoofed and the SharePoint hyperlink is fake. The user is easily duped into clicking the URL to access the file, often described as a PDF, but what opens is a spoofed landing page that asks the target for their Office 365 login credentials. This is how the attackers gain access to internal email accounts and shared Office 365 resources: by stealing the user's login credentials. One check worth teaching users and analysts: a genuine sharing link points at the organisation's own SharePoint tenant, and a legitimate sign-in prompt is served from Microsoft's login domain, not from whatever host the phishing page happens to sit on.

Hackers target large organisations that run on Office 365, and group mailboxes are a favourite target. Digitpol investigates hacked Office 365 accounts and O365 fraud on a daily basis and can identify whether hackers are still active within an organisation and how the attack took place.



How BEC Fraud Works:

Cyber criminals find ways to hack into the email servers or accounts of small and medium companies, often targeting companies or investors doing business with Asian countries. Once they have access, they search the mailbox for sensitive information such as outstanding, unpaid invoices or data relating to financial transactions between suppliers, vendors and clients. When they identify a sale or a due invoice, the fraudsters send fictitious emails, either from the hacked account itself or from an address made to look like the original, posing as the person in charge of the sale or invoice and asking for the funds to be transferred to a nominated bank account, usually with the excuse that there is a problem at the bank and an alternative account must be used. To keep the real account holder from noticing, the fraudster commonly adds inbox rules that delete or divert the replies, which is why inbox rule changes are among the first things to look for in the audit logs.

What Victims Need To Do

If you have transferred funds to a bank account controlled by the fraudster, the following is urgent.

  1. Report the incident as soon as possible to your local police in the country you reside in. Obtain the Police report or case number.
  2. Immediately alert your bank the transaction is fraudulent.
  3. Report the case to the police in the jurisdiction of the receiving bank account, or engage Digitpol and its legal team to act for you: reporting the complaint to the police and conducting an investigation in liaison with the police and the banks.
  4. If you have not transferred funds, or have not yet been asked to, alert your payments department to put all payments on hold pending approval and start your incident response protocol.

How Can We Help

Digitpol's Cyber and Fraud Team are certified examiners and can assist with all cases related to Office 365 and email phishing attacks, email scams and fraud. Digitpol can deploy computer forensic examiners to investigate the hack, determine how it took place and report the findings. Digitpol ensures that hackers are no longer active in your network and that your user account policies and rules are configured correctly to prevent further attacks. The following points are the first steps in every O365 attack investigation.

  1. Forensic analysis of logs using certified analysis tools: all O365 sign-in (IP) and audit logs, covering operations such as user logged in / user login failed / inbox rules and changes to inbox rules or policies / password changes, for the Office 365 accounts involved in the attack, suspected accounts, or all accounts. The audit log is only retained for a limited period, so it should be exported as early as possible in the investigation.
  2. If an account holder was compromised via email content, an attachment or a phishing email, we can conduct forensic analysis on the suspected emails, incoming and outgoing, and on the headers related to the attack. Email files are required in raw format (.msg or .eml files), because a copy forwarded inline loses the original headers.
  3. Forensic examination of targeted computers, phones and tablets to discover malware or active intruders.
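The log triage described in point 1, as an added example (this is not Digitpol's tooling and not code from the page). It walks constructed audit records shaped like the AuditData JSON that a Search-UnifiedAuditLog export produces and flags the indicators listed above: a burst of failed logins followed by a successful sign-in from an unknown IP, and inbox rules that forward mail outside the organisation, delete it, or hide it in a rarely viewed folder. The tenant domain, the known egress IPs and the sample records are assumptions made for the example.

```python
"""Triage Office 365 Unified Audit Log records for account-takeover indicators:
failed-login bursts, sign-ins from unexpected IPs, and inbox rules that forward,
delete or hide mail. Added example; the records below are constructed and the
tenant details (domain, known IPs) are assumptions."""
import json
import re
from collections import Counter

# Assumed tenant details for the example (hypothetical, not from the page).
INTERNAL_DOMAIN = "example.com"                 # the organisation's own mail domain
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}    # expected egress addresses for sign-ins
FAILED_LOGIN_THRESHOLD = 5                      # failures from one IP before a burst is flagged
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "archive", "conversation history"}
ADDRESS_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

# Constructed sample records, one JSON object per line, shaped like the AuditData
# column of a Search-UnifiedAuditLog export (only the fields used here). Not real data.
SAMPLE_LOG = r'''
{"CreationTime":"2024-03-01T08:02:11","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.10","ResultStatus":"Success","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-01T08:05:42","Operation":"UserLoginFailed","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-01T08:05:44","Operation":"UserLoginFailed","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-01T08:05:46","Operation":"UserLoginFailed","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-01T08:05:48","Operation":"UserLoginFailed","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-01T08:05:50","Operation":"UserLoginFailed","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-01T08:09:00","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"198.51.100.7","ResultStatus":"Success","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-03-01T08:11:30","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"198.51.100.7","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"ForwardTo","Value":"Invoices [SMTP:invoices@attacker.invalid]"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-03-01T08:12:01","Operation":"Set-InboxRule","UserId":"alice@example.com","ClientIP":"198.51.100.7","Workload":"Exchange","Parameters":[{"Name":"Identity","Value":"Sort"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"}]}
{"CreationTime":"2024-03-01T09:00:00","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"203.0.113.11","Workload":"Exchange","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Reading"}]}
'''


def parse_records(text):
    """Parse newline-delimited AuditData JSON into dicts, ordered by CreationTime."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r.get("CreationTime", ""))


def rule_parameters(record):
    """Flatten the Exchange admin-audit Parameters list ([{Name, Value}, ...]) to a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def external_addresses(value):
    """SMTP addresses in a cmdlet parameter value that are outside INTERNAL_DOMAIN."""
    return [a for a in ADDRESS_RE.findall(value)
            if not a.lower().endswith("@" + INTERNAL_DOMAIN)]


def triage(records):
    """Walk the records once and return the findings (dicts) in the order they occur."""
    findings = []
    failures = Counter()          # (user, ip) -> failed sign-in count so far

    def flag(record, category, detail):
        findings.append({"time": record.get("CreationTime"), "user": record.get("UserId"),
                         "ip": record.get("ClientIP"), "category": category, "detail": detail})

    for r in records:
        op, user, ip = r.get("Operation"), r.get("UserId"), r.get("ClientIP")
        if op == "UserLoginFailed":
            failures[(user, ip)] += 1
            if failures[(user, ip)] == FAILED_LOGIN_THRESHOLD:
                flag(r, "failed-login burst", f"{FAILED_LOGIN_THRESHOLD} failures from {ip}")
        elif op == "UserLoggedIn" and ip not in KNOWN_IPS:
            prior = failures[(user, ip)]
            flag(r, "sign-in from unknown IP", f"{ip} after {prior} prior failures" if prior else ip)
        elif op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            p = rule_parameters(r)
            for name in sorted(FORWARD_PARAMS & p.keys()):
                for addr in external_addresses(p[name]):
                    flag(r, "external forwarding", f"{name} -> {addr}")
            if p.get("DeleteMessage", "").lower() == "true":
                flag(r, "rule deletes mail", f"rule {p.get('Name') or p.get('Identity')!r} has DeleteMessage=True")
            if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
                flag(r, "rule hides mail", f"MoveToFolder={p['MoveToFolder']!r}")
            if len(p.get("Name", "x").strip()) <= 1:          # attackers name rules ".", "," or " "
                flag(r, "hidden-looking rule name", f"name={p.get('Name')!r}")
    return findings


if __name__ == "__main__":
    for f in triage(parse_records(SAMPLE_LOG)):
        print(f"{f['time']}  {f['user']:<20} {f['ip']:<15} {f['category']}: {f['detail']}")
```

On the constructed sample, every finding lands on alice's account and on the one unknown IP, which is the pattern an examiner would then pivot on: the same ClientIP across the failed logins, the successful sign-in and the rule changes ties the credential theft to the mailbox tampering. On a real export, replace KNOWN_IPS with the organisation's egress addresses and run the triage over every account, not only the one that reported the problem.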
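The header analysis described in point 2, as an added example (again not Digitpol's tooling or code from the page). It parses a constructed raw .eml of the kind a BEC victim would hand over, reads the SPF/DKIM/DMARC verdicts the receiving server recorded, compares the envelope sender, the From domain and the Reply-To, checks the From domain against a list of partner domains for lookalikes (homoglyphs such as a capital I for a lowercase l, and one-character typos), and walks the Received chain to the hop where the message entered the public internet. The partner domain list and the message itself are assumptions for the example.

```python
"""Triage the headers of a suspected phishing / BEC email in raw .eml form:
SPF, DKIM and DMARC verdicts, envelope-vs-header sender mismatch, Reply-To
diversion, lookalike sender domains and the originating hop in the Received chain.
Added example; the message and the partner domain list are constructed assumptions."""
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumption for the example: domains the finance team legitimately corresponds with.
TRUSTED_PARTNER_DOMAINS = {"acme-supplier.com", "example.com"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
_CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})

# Constructed sample message (not real mail). Received headers are newest-first, as
# an MTA writes them; the From domain uses a capital I where the real one has an l.
SAMPLE_EML = """\
Received: from mail.partner-billing.invalid (unknown [198.51.100.7])
    by mx.example.com (Postfix) with ESMTPS id 4F2C1
    for <finance@example.com>; Fri, 1 Mar 2024 08:40:12 +0000
Received: from [10.0.0.5] (localhost [127.0.0.1])
    by mail.partner-billing.invalid (Postfix) with ESMTPA id 9A77B;
    Fri, 1 Mar 2024 08:40:10 +0000
Authentication-Results: mx.example.com;
    spf=fail smtp.mailfrom=partner-billing.invalid;
    dkim=none;
    dmarc=fail header.from=acme-suppIier.com
Return-Path: <bounce@partner-billing.invalid>
From: "ACME Supplier Accounts" <accounts@acme-suppIier.com>
Reply-To: accounts.acme@webmail.invalid
To: finance@example.com
Subject: Updated bank details for invoice 4471
Message-ID: <20240301084009.1234@partner-billing.invalid>

Please use our new account for the outstanding invoice.
"""


def domain_of(address):
    """Domain part of an address as written in the header (case preserved)."""
    return address.rsplit("@", 1)[1] if "@" in address else ""


def canonical(domain):
    """Collapse common homoglyph substitutions so lookalikes compare equal. Works on the
    header's display form: 'I' and 'l' differ there, while DNS names are case-insensitive."""
    return domain.translate(_CONFUSABLES).lower().replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, to catch one-character typosquats (acme-suplier vs acme-supplier)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """The trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain.lower() in TRUSTED_PARTNER_DOMAINS:
        return None
    for trusted in TRUSTED_PARTNER_DOMAINS:
        if edit_distance(canonical(domain), canonical(trusted)) <= 1:
            return trusted
    return None


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results; the first occurrence wins."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(value):
            results.setdefault(method, verdict.lower())
    return results


def received_chain(msg):
    """Peer IP of each hop, oldest first (the headers themselves are stored newest-first)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        clause = re.search(r"from\s+\S+\s+\(([^)]*)\)", value)   # the "(name [ip])" part
        ips = IP_RE.findall(clause.group(1) if clause else value)
        hops.append(ips[0] if ips else None)
    return hops


def originating_ip(hops):
    """First hop outside private/loopback space: where the mail entered the public internet."""
    for ip in hops:
        if ip and not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS):
            return ip
    return None


def triage_headers(raw):
    """Parse a raw .eml and return the verdicts plus a list of (category, detail) findings."""
    msg = email.message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_dom = domain_of(from_addr)
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(("auth", f"{method}={auth.get(method, 'missing')}"))
    envelope_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if envelope_dom and envelope_dom.lower() != from_dom.lower():
        findings.append(("envelope-mismatch", f"Return-Path {envelope_dom} vs From {from_dom}"))
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom.lower() != from_dom.lower():
        findings.append(("reply-to-diversion", f"replies go to {reply_dom}"))
    imitated = lookalike(from_dom)
    if imitated:
        findings.append(("lookalike-domain", f"{from_dom} imitates {imitated}"))
    hops = received_chain(msg)
    return {"from": from_addr, "auth": auth, "hops": hops,
            "origin_ip": originating_ip(hops), "findings": findings}


if __name__ == "__main__":
    result = triage_headers(SAMPLE_EML)
    print(f"From: {result['from']}  origin IP: {result['origin_ip']}  hops: {result['hops']}")
    for category, detail in result["findings"]:
        print(f"  [{category}] {detail}")
```

Two caveats for real cases. The Authentication-Results header is only trustworthy when it was written by your own receiving server (the authserv-id at its start), since an attacker can add one of their own further down; and the originating IP found here is the sender's submission point, which may be a rented mailbox or webmail provider rather than the attacker's own address. When the fraud was sent from a genuinely compromised supplier mailbox rather than a lookalike, the authentication checks will all pass, and the Reply-To diversion and the O365 audit log on the supplier's side become the main evidence.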