Hi guys, not sure what’s been going on in the criminal underground but across the board we’ve been receiving reports of a dramatic increase in phishing emails and business email compromise. That’s been across all industries, especially those using Microsoft Office 365 for email. As if we don’t have enough problems, now this!
Although we’ve reached out to the FBI for guidance, what we’ve noticed is that a lot of these emails are coming from a compromised service, specifically notion.so which is a legitimate service but they’ve clearly been compromised and now distributing malicious payloads to users mailboxes. Worst of all, these emails have been in disguised as people who sent emails in the past.
Here’s what the emails have looked like:
From: Admin Assistant <email@example.com>
Sent: Wednesday, June 17, 2020 10:18 AM
Subject: FOLLOW UP
Jennifer Vasquez shared a file to you to review, find pdf link below.
Please Follow Ref#BCI02368832<https://www.notion.so/SECUREFILE-957c0d851f1444a39a184489e8a65e07>
This email contains a secure link to Onedrive. Please do not share this email, link, with others. Questions about the Document(s)?
If you need to modify the document(s) or have questions about the details in the document(s), please let me know.
If that link is clicked, it delivers a malicious payload onto that pc that sits and waits for instructions from the cybercriminal. But, what we’ve seen happen is that the Office 365 email account gets hijacked and starts sending start messages, spamming people in your name and delivering the same payload that got your computer infected in the first place. Well, what can you do? I can tell you what to do now, before you have to do cleanup, or you can wait until reputation damage has occurred. Your choice.
Step 1 is to figure out if anyone from outside of the country has been able to successfully log into your users account without permission. To check this, login to portal.azure.com with your Office 365 credentials and click on Azure Active Directory.
Next, go to Sign-Ins and look at the Location column. If you’re seeing logins from Africa, Denmark, Croatia or any other country that’s far away and outside of US jurisdiction you’ve got a problem and it’s time to take action.
Step 2 is to turn-on 2 factor authentication for your Office 365 users. To be fair, this should really be enabled for all of your employees. But, that’s up to you. Either way, it’s easy to turn on, just go to the list of Office 365 users in your account, click on any user to edit and click on Manage multifactor authentication. From that portal you can turn on or off MFA for any of your users. What this is going to do is either text your users a code or require them to approve a login from the Microsoft Authenticator app before being they can log into their account. Don’t worry – it won’t ask them to enter a code every time, only when they add a new device to their account. The Authenticator app is free and can be downloaded onto android or iOS devices although text messaging is easier if you have to enable this on a lot of accounts at once.
Step 3 is to change the password on the user account and kick the criminals out of there. To do this, have the employee log into their Outlook web access portal – the website is outlook.office.com, click their profile image, click profile and choose change password. Next, on the same profile page, have them click sign out everywhere and click yes to confirm that they want to sign out all of their sessions and devices. This will kick the bums out of the account and stop the bleed.
Step 4 is to eliminate any rules that the cybercriminals setup in that account that could be forwarding inbound emails to them or cleaning up their tracks. These guys are smart, so there’s a good chance they set up some nasty rules in the compromised mailbox. To clean this up, from the same Outlook web portal, click on the gear icon to open settings and type in the word “rules” as your search term. Up will come the results and the first one on the list is Inbox Rules. Go through there and make sure the cybercriminal isn’t forwarding your emails out, deleting messages or doing anything unusual that would still allow them to damage your company’s reputation.
Be on the lookout guys as we have been seeing a lot of this lately. It’s a real problem and if you are in charge of IT, you know how quickly this can get out of control. I encourage you to make sure you have a good security awareness training program in place so that users don’t get duped by these clowns.
Stay safe out there.