Remediate affected account and improve your security posture 365

Here is a hacking case and the links I sent to the customer. The first link has all the steps to fix the account.

 

The PowerShell script is below:

 

How to fix a compromised (hacked) Microsoft Office 365 account

https://blogs.technet.microsoft.com/office365security/how-to-fix-a-compromised-hacked-microsoft-office-365-account/

 

Remediate affected account and improve your security posture

There are two options for doing this:

Option 1: Run the RemediateBreachedAccount.ps1 PowerShell script against each compromised account

The 'RemediateBreachedAccount.ps1' script remediates the attack on the compromised accounts and removes any standing access to them. It performs the following actions:

  • Reset password (this secures the account and kills active sessions).
  • Remove mailbox delegates.
  • Disable mail forwarding rules to external domains.
  • Remove global mail forwarding property on mailbox.
  • Enable Multi-Factor Authentication (MFA) on the user’s account.
  • Set password complexity on the account to be high.
  • Enable mailbox auditing.
  • Produce Audit Log for the admin to review.
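
Before disabling anything, it helps to see which inbox rules actually send mail outside the tenant. The following is an added example, not Microsoft's RemediateBreachedAccount.ps1 and not code from the original post; the function name, parameter names and sample rules are hypothetical, and it assumes rule targets are rendered the way `Get-InboxRule` shows SMTP recipients (`"Name" [SMTP:user@domain]`).

```powershell
# Added example, not Microsoft's RemediateBreachedAccount.ps1.
# Function and parameter names are hypothetical.
# Lists inbox rules whose forward/redirect targets fall outside the tenant's own domains.
function Find-ExternalForwardRule {
    param(
        # Objects shaped like Get-InboxRule output
        [Parameter(Mandatory, ValueFromPipeline)] $Rule,
        # Domains the tenant owns, e.g. (Get-AcceptedDomain).DomainName
        [Parameter(Mandatory)] [string[]] $InternalDomain
    )
    process {
        # All three actions send a copy of the message somewhere else.
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
        foreach ($t in $targets) {
            # SMTP recipients render as '"Name" [SMTP:user@domain]' (assumption);
            # directory recipients render as [EX:...] and are skipped here.
            if ("$t" -match 'SMTP:[^@\]\s]+@([^\]\s]+)') {
                $domain = $Matches[1].ToLowerInvariant()
                if ($InternalDomain -notcontains $domain) {
                    [pscustomobject]@{
                        RuleName = $Rule.Name
                        Enabled  = $Rule.Enabled
                        Target   = "$t"
                        Domain   = $domain
                    }
                }
            }
        }
    }
}

# Constructed sample rules so the block runs without a tenant connection.
$sample = @(
    [pscustomobject]@{ Name = 'Archive'; Enabled = $true
        ForwardTo = @('"Ann" [SMTP:ann@contoso.example]'); ForwardAsAttachmentTo = $null; RedirectTo = $null }
    [pscustomobject]@{ Name = '.'; Enabled = $true
        ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = @('"x" [SMTP:drop@mailbox.example]') }
)
# Only the '.' rule is reported: its target domain is not in the internal list.
$sample | Find-ExternalForwardRule -InternalDomain 'contoso.example'

# Against a live mailbox (requires a connected Exchange Online session):
# Get-InboxRule -Mailbox 'user@contoso.example' |
#     Find-ExternalForwardRule -InternalDomain (Get-AcceptedDomain).DomainName
```

The output is read-only evidence for the admin's review; keep it with the audit log before any rule is disabled.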

 

Prevention:

 

Multi-Factor Authentication for Office 365

https://blogs.office.com/2014/02/10/multi-factor-authentication-for-office-365/

 

Learn more about how to use DKIM with your custom domain in Office 365

https://technet.microsoft.com/en-US/library/ms.exch.eac.DKIMDisabled(EXCHG.150).aspx?v=15.1.771.14&l=1&s=BPOS_S_E15_0

 

Use DKIM to validate outbound email sent from your custom domain in Office 365

https://technet.microsoft.com/en-us/library/mt695945(v=exchg.150).aspx

 

Manually hooking up DKIM signing in Office 365

https://blogs.msdn.microsoft.com/tzink/2015/10/08/manually-hooking-up-dkim-signing-in-office-365/

 

Outbound DKIM signing in Office 365

https://blogs.technet.microsoft.com/eopfieldnotes/2015/10/23/outbound-dkim-signing-in-office-365/

 

Office 365 email anti-spam protection

https://support.office.com/en-us/article/Office-365-Email-Anti-Spam-Protection-6a601501-a6a8-4559-b2e7-56b59c96a586

 

Configure the connection filter policy (Block IP Addresses)

https://technet.microsoft.com/en-us/library/jj200718(v=exchg.150).aspx

 

Spam email and Office 365 environment – connection and content filtering in EOP (Block Countries and Regions)

https://blogs.technet.microsoft.com/exchange/2014/08/18/spam-email-and-office-365-environment-connection-and-content-filtering-in-eop/

 

Advanced Spam Filtering Options

https://technet.microsoft.com/en-us/library/jj200750(v=exchg.150).aspx

 

View e-mail message headers

https://support.office.com/en-us/article/View-e-mail-message-headers-cd039382-dc6e-4264-ac74-c048563d212c

 

Office 365 Message Header Analyzer (Analyze Email Header Information)

https://testconnectivity.microsoft.com/

 

Search the audit log in the Office 365 Security & Compliance Center

https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c

 

Reports in the Office 365 Security & Compliance Center

https://support.office.com/en-us/article/Reports-in-the-Office-365-Security-Compliance-Center-7acd33ce-1ec8-49fb-b625-43bac7b58c5a

 

Create activity alerts in the Office 365 Security & Compliance Center

https://support.office.com/en-us/article/Create-activity-alerts-in-the-Office-365-Security-Compliance-Center-72bbad69-035b-4d33-b8f4-549a2743e97d

 

Special Thanks to: Bob Klinger