skillfulness by virtue of possessing a special knowledge

Hackers/Scammers are using increasingly sophisticated methods in their attempts to steal money from people. Organisations that are using Microsoft’s Office 365 email servers are potentially at significant risk, particularly if they’re using the default/standard Office 365 configuration settings.

Description of the risk

If your Office 365 server is set up with the default/standard configuration and a third party (a ‘Scammer’) has access to your Office 365 login credentials, they can program automated actions on your account that will enable them to communicate (as if they are you) using your email account and you’ll never know it is happening. The problem is significant enough that Microsoft are writing about it themselves, read what they say here.

How can a Scammer get your login credentials? There are lots of ways but one significant risk is that they hack in to Microsoft’s systems and steal tens of thousands of credentials at a time (Hey, if they can get in to Facebook, Twitter, the US Gov’t, the UK’s public hospital network, Europe’s power supply network, etc etc, they can certainly get in to Microsoft ... and, given that there are hundreds of millions of users of Office 365, one can reasonably expect that it is a huge target for them).

The most obvious use of this particular type of scam is to tell your customers that you’ve changed bank accounts. And because they are writing to your customers from your email account, your customers will have no reason to believe the email is not from you. Moreover, if your customers do a technical ‘check’ by looking at the mail headers, it will confirm that the email most certainly came from your account.

People have and will lose tens if not hundreds of thousands of dollars as a result of this particular scam, but there are a few simple steps that you can take to help protect yourself and your business.

1. Ensure everyone’s computers are free from viruses and malware/spyware

This is an important precursor to the later steps because, if a computer is infected with a virus or malware, there is every possibility that the Scammer will be advised of your new password each time it gets changed. Notwithstanding that anti-virus softwares will claim to be able to protect against both viruses and malware, and that anti-malware softwares will claim to be able to protect you against both malware and viruses, the fact is that the two things are different. We recommend that you maintain a paid-for subscription (not a free one) of any reputable brand of anti-virus software (Trend Micro, McAfee, Symantec, Norton, AVG, etc etc) as well as a paid-for subscription of MalwareBytes. Collectively these should cost you not more than approximately $100 each year which is not a lot of money compared to the cost of fixing your problems if you were to be compromised.

2. Check existing email forwarders

You’ll need to do this for each individual User account. Here’s how to do it.

If you find that unknown forwarders exist, you’ve already been compromised. In this case, time is of the essence to complete the rest of this process, but please make sure you are methodical in your approach.

If you have been compromised we recommend that you first extract the last 90 days worth of email transaction logs from the Office 365 server (Microsoft only keep 90 days available to you) so that you can identify which emails have been being forwarded and then get in contact with any of your affected customers/contacts. You can extract the logs from the Office 365 Admin Console.

It is very important that you do get in touch with everyone who’s emails have been forwarded because it is highly, highly likely that they will have been sent emails by the Scammer from your email account, so you need to communicate with them to ensure that both you and they are protected.

3. Ensure everyone changes their passwords fairly regularly

The starting point for this particular scam is that the Scammer knows your login credentials. They won’t change the password because they don’t want you to know that they’re in your account. Assuming that your system is clean (refer step 1), when you change your password, the Scammer will lose access to your account, so regular changes in passwords is a simple and highly effective protective measure.

4. Change your Office 365 server settings

(a) remove permissions for Standard Users to run Powershell cmdlets. By default, Office 365 allows all Users to run Powershell cmdlets and this ability is highly likely to be being exploited by this particular scam. Here’s how to do it.

(b) ensure that mailbox audit logging is enabled. This feature will be required to assist with any forensic investigation that may be required in the event that you ever are compromised. Here’s how to do it.

(c) disable ‘Allow automatic forwarding’. If, for any reason, you have users that need to have forwarders in place that automatically send copies of emails to an external email account, we recommend that you define/allow forwarding to only those external domains that are absolutely necessary and certainly only to external domains that you are also in control of. Frankly, there’s no point in “only” allowing forwarding to or or the like, because those are the freely-available email accounts that the Scammers will be using themselves.  Here’s how to do it.

5. Give serious consideration to implementing multi-factor authentication

There are various approaches to achieve this and, at present, it’s one of the few ways that you can assure your users that they are safe from compromise. It’s not a magic wand and still won’t protect them if they’re resetting passwords from an infected device (refer step 1) but it is certainly an additional level of complexity for the bad guys to need to overcome which is a good thing, because the bad guys are far more likely to target less well protected systems as they’re more likely to achieve their desired outcomes more quickly.

Parting thought ... for you to ponder

Cloud systems and certainly Office 365 are strongly marketed as having many benefits for customers. One such strongly marketed benefit is that the management of the system is done by Microsoft in the background. That is definitely the perception or understanding of most people.

The reality, however, is that these systems still require significant and ongoing involvement from IT professionals to manage and maintain the environment. They simply are not the set-and-forget system that so many people think they are which, for some, will change the level of attraction of such systems.




Remex Consulting Pty Limited
Suite 9, Level 1, 14 Narabang Way
Belrose     NSW     2085

Copyright © 1997-2023


+61 2 9454 7400