Plenty of Phish in the sea…

…across Internet cables.

So recently I got to see first-hand a spam-bot in action.
I received an escalation advising that an account was compromised and sending spam, but it was different to what I expected.


Hook, Line and Sinker

As usual, by the time you realise what has happened it is too late. There are a few ways to discover this, but the common methods are:

  1. The deluge of Non-Delivery Reports (NDRs) – the user receives so many of these that they think they are the one being spammed.
  2. A recipient of one of the sent emails advises an Administrator or Support Team.

Example 1

In the first example, the built-in outbound spam protection detects a suspicious or unusually large volume of outbound email traffic and blocks the user from sending external email.

This also sends notifications to the admins alerting them of the compromised account.

Following this, the priority is to reset the password to address the account breach and, if the account has not already been blocked, to stop any further outbound spam.

After sanitising the workstation, you can unblock the account in the Action Center of Exchange Online Protection (under the Protection heading in the Exchange Admin Center) or in the newer Restricted Users section of the Security & Compliance Center (SCC), accessed from https://protection.office.com/#/restrictedusers

Example 2

The second situation is a bit more interesting, and/or alarming. Instead of the usual mass mail-out approach, a spam bot takes over the account and trickles the outbound mail out over time. The email that gets sent appears to be an invitation to a shared PDF file stored in one of many cloud storage services – see this blog from Microsoft for more information.

Here is where it starts to differ significantly. Recipients of this invitation attempt to access the shared file and enter their email credentials on the fake sign-in page, which often leads to them replying to the sender saying that nothing happens when they do.
Alternatively, they identify that this is a risk and reply to the sender to advise that their account has been compromised.

Upon closer inspection, it appears the spam-bot deletes all sent items as part of the mail-out, and then replies to the recipients who wrote back, assuring them that the shared file is legitimate and there is nothing to be concerned about.
The worst part is that, as the replies go back and forth, the spam-bot manages to convince some recipients to enter their credentials on the fake website after all.

Because of the trickling method, the volume never crosses the threshold at which Exchange Online flags the activity as outbound spam, so the user is not blocked by the alert policies and the sending can carry on for quite some time.

However, once the threat is identified, as in the process above, the password must be changed immediately to halt the spam. In our encounter, the list of recipients recovered from the deleted items folder included some of our other clients, so they were contacted immediately, and the remaining list of recipients was fed back to the client to follow up on.
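The trickle pattern above slips past a simple per-day volume threshold, but it is still visible in message-trace data: a single sender reaching many distinct external recipients, a few at a time, across several days. The following is an added example (not code from the original post, and not a Microsoft tool) that runs that heuristic over a message-trace CSV export and also produces the list of external recipients to notify, which is the follow-up step described above. It assumes the export has Received, SenderAddress and RecipientAddress columns (matching the property names of Get-MessageTrace), ISO-8601 timestamps, and a placeholder tenant domain; the sample rows are constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Placeholder tenant domain: any other domain counts as external.
INTERNAL_DOMAIN = "contoso.example"

# Constructed sample of a message-trace export (assumed column names).
# alice: 3 new external recipients a day for 4 days, never enough in one
#        day to trip a volume-based outbound spam rule.
# bob:   ordinary mail to the same two external contacts.
SAMPLE_TRACE = """Received,SenderAddress,RecipientAddress,Subject
2024-03-01T08:02:11Z,alice@contoso.example,r01@partner.example,Shared PDF
2024-03-01T10:15:40Z,alice@contoso.example,r02@partner.example,Shared PDF
2024-03-01T15:48:03Z,alice@contoso.example,r03@vendor.example,Shared PDF
2024-03-02T07:55:20Z,alice@contoso.example,r04@vendor.example,Shared PDF
2024-03-02T09:30:00Z,alice@contoso.example,finance@contoso.example,Re: invoice
2024-03-02T12:41:17Z,alice@contoso.example,r05@client.example,Shared PDF
2024-03-02T16:05:52Z,alice@contoso.example,r06@client.example,Shared PDF
2024-03-03T08:12:33Z,alice@contoso.example,r07@partner.example,Shared PDF
2024-03-03T11:59:08Z,alice@contoso.example,r08@vendor.example,Shared PDF
2024-03-03T14:22:45Z,alice@contoso.example,r09@client.example,Shared PDF
2024-03-04T08:40:19Z,alice@contoso.example,r10@partner.example,Shared PDF
2024-03-04T13:03:27Z,alice@contoso.example,r11@vendor.example,Shared PDF
2024-03-04T17:18:54Z,alice@contoso.example,r12@client.example,Shared PDF
2024-03-01T09:00:00Z,bob@contoso.example,carol@partner.example,Quote
2024-03-03T09:30:00Z,bob@contoso.example,carol@partner.example,Re: Quote
2024-03-03T10:00:00Z,bob@contoso.example,dave@vendor.example,Order
"""


def parse_trace(csv_text):
    """Yield (sender, recipient, day) tuples from a message-trace CSV export."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        day = datetime.strptime(row["Received"], "%Y-%m-%dT%H:%M:%SZ").date()
        yield row["SenderAddress"].lower(), row["RecipientAddress"].lower(), day


def is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True when the address is outside the tenant's own domain."""
    return not address.endswith("@" + internal_domain)


def find_trickle_senders(csv_text, min_unique=10, min_days=3,
                         internal_domain=INTERNAL_DOMAIN):
    """Flag senders who reach many distinct external recipients over several
    days. The thresholds are a starting point to tune per tenant; a one-day
    burst is deliberately left to the volume-based rule."""
    per_day = defaultdict(lambda: defaultdict(set))  # sender -> day -> rcpts
    for sender, rcpt, day in parse_trace(csv_text):
        if is_external(rcpt, internal_domain):
            per_day[sender][day].add(rcpt)
    flagged = {}
    for sender, days in per_day.items():
        unique = set().union(*days.values())
        if len(unique) >= min_unique and len(days) >= min_days:
            flagged[sender] = {
                "unique_external": len(unique),
                "active_days": len(days),
                "max_per_day": max(len(r) for r in days.values()),
            }
    return flagged


def external_recipients(csv_text, sender, internal_domain=INTERNAL_DOMAIN):
    """Sorted unique external recipients a sender reached: the notify list."""
    return sorted({r for s, r, _ in parse_trace(csv_text)
                   if s == sender.lower() and is_external(r, internal_domain)})


if __name__ == "__main__":
    for sender, stats in find_trickle_senders(SAMPLE_TRACE).items():
        print(f"{sender}: {stats}")
        print("  notify:", ", ".join(external_recipients(SAMPLE_TRACE, sender)))
```

On the sample data only alice is flagged (12 unique external recipients over 4 days, never more than 3 in a day), while bob's repeat mail to two contacts is not. In practice you would run this over a trace covering the last week or two, and raise the thresholds for roles that legitimately mail many new external contacts.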

Prevention

Both of these scenarios can easily be prevented by one simple action: enabling Multi-Factor Authentication (MFA). According to this information from Microsoft, it stops up to 99.9% of attacks:

[Microsoft infographic on passwordless authentication and MFA]

Using MFA essentially prevents the attackers from signing in, even if they have your username and password.

This can be further strengthened with Conditional Access policies that restrict authentication to specific networks or defined locations, provided adequate licensing is assigned.

Advanced Threat Protection can also be considered, to prevent the initial emails that start the chain of events from being delivered to the recipient, or to block the URLs and attachments in messages that get past the spam confidence checks.

Reflection

Please, please, please – enable MFA as soon as possible!

Even if it takes a one-off ~5 minutes to configure an Authenticator app and one tap per authentication, it is going to cost a whole lot more time and money if you do not, and then get breached.

It is never an inconvenience to be secure.


In other news:

Happy 5th Anniversary to the Windows 10 Insider Program!

NinjaCat!

Not even sure where the featured image actually originates from!
