4 Critical Steps to Take When a Microsoft 365 Security Incident Occurs


The dreaded phone call. A customer reaches out and just has a bad feeling. Kathy in human resources received an email from Jane asking for her next paycheck to be deposited in a different account. It was late Friday afternoon and Jane was looking for Kathy’s “prompt assistance” before forwarding her ACH information. Red flags galore, right?

Luckily Kathy thought so, too. Instead of responding or simply ignoring the message, Kathy contacted her managed service provider (MSP)—SaaS Alerts partner Ben Jones, with Central Technology Solutions (CTS)—to find out what she should do next.

Why? Because CTS had discussions with the client about how to identify things like wire fraud and business email compromise. And they have a policy in place for them to call or email before doing anything when they spot something “phishy.”

What should MSPs do when they receive the dreaded phone call? Here’s what Ben did.

In this case, the email wasn’t phishing, but a business email compromise (BEC). The email was sent from Jane’s account, so you know someone gained access. But how? Ben’s first thought was, “Oh no! They didn’t have MFA turned on. They got brute force attacked and some hacker went out and downloaded their credentials.” But they did have MFA (multi-factor authentication) turned on.

This was becoming a real head scratcher. And a scary reminder that MFA is not the end all, be all that everyone hopes it is.

Ben’s next step was to look at the logs. That’s where he found the IP address of the bad actor, who used Outlook Online to log in to Jane’s account. What he also noticed was the MFA requirement was satisfied by the claim in the token. But how?

Oftentimes, it’s a case of MFA fatigue on the part of the end user, where the user gets a prompt for the Microsoft approve button and simply hits it without paying attention. This is becoming quite common. It could also be the work of token harvesting through an evil proxy.

Let’s take a look at how the attack happens.

Token Harvesting Attack Chart

You’ve identified this is a real breach. What are the critical steps you need to take?

  1. Logout of all sessions.
  2. Reset Account password
  3. Check for rules. (TIP: This is the number one thing hackers do when they gain access to an account. They set up forwarding rules to catch any information that goes back as a response from the original email recipient. Typical locations are “RSS” folders or the Archive folder.
  4. Audit recently accessed files to see what the bad actors may have viewed while they were logged in.

Why the audit? Chances are the email was just the tip of the iceberg. It’s important to note that once a bad actor is in, they have access to everything in the Microsoft 365 universe. In situations like this, you tend to see a lot of file activity in the form of extra downloads, extra file modifications, and SharePoint sharing. (TIP: With SaaS Alerts, you can set different file activity thresholds and get alerted if the threshold is exceeded.)

A more sophisticated actor will take this a step further and access Microsoft Teams. They’ll ask to join groups, and by joining groups they’ll get access to even more data. They may even request privileges to see certain folders in SharePoint that they otherwise wouldn’t have access to.

The depth of access depends on how long the bad actor goes undiscovered. Their goal is to be sneaky and act like they’re your colleague. They want to impersonate someone else, a common tactic of a spearfish attack. Remember, for Office 365 accounts a business email compromise is also an Office 365 account compromise.

In the case of Jane and Kathy, they were fortunate. CTS had SaaS Alerts enabled and when the bad actor did log in from an unknown IP address, SaaS Alerts saw it and kicked them out.

As an MSP, it’s impossible to prevent attacks like these from happening. That’s why user education is key. Phishing will continue to get more sophisticated and people will get fooled more often, especially with new phishing-as-a-service (PhaaS or PaaS) platforms such as “Greatness” being leveraged.

Continuous education and conducting tabletop exercises with your customers will help them understand what to look for and what to do if they see something about which they’re uncertain. And of course, for those clients that aren’t as diligent as Kathy, SaaS Alerts can help.

Special thanks to Ben Jones with Central Technology Solutions for his contribution to this blog article.

Get Started

Request a Demo