It all started far too early this morning. Before taking a sip of my first espresso, I glanced at my company mobile to make sure there were no alerts about things having broken overnight. And ooooh. Two emails at 3:30am apparently from a user inviting me to review the attached PDF. Well, I wouldn't normally expect to receive attachments from this user, and especially not at 3:30am.
When I noticed that the footer included the reassuring message:
"Message scanned by Norton Anti-virus and it’s 100% safe"
my internal pre-espresso alarm bells became very loud, not least because we don't use Norton.
Logged into the Mimecast Admin console and had a look. Oooooooooooooh joy. Multiple messages sent to numerous internal and external addresses. Digging into the headers showed that they appeared to have been sent using the Office 365 portal (which explains how they came complete with an authentic-looking company signature). They also showed that the originating IP address wasn't, as I'd have expected from the user in question, somewhere in northern England, but in Nigeria, where we don't have any staff.
I blasted out a message to all staff telling them not to open the message. Only three admitted to opening it on their mobiles (and one of those admitted to thinking it was a bit odd...). Ho hum.
Got to the office, instructed user to change password and started digging. Extracted all the addresses the message was sent to and manipulated that into a list which has been used to apologise.
But one mystery remained: even after resetting his password, restarting Outlook, uttering the traditional curses against Microsoft and standing on one leg, the user was still not receiving any email. Very strange...
Checked in Mimecast - messages were there. Checked on the Office 365 Portal - no messages, which eliminated Outlook (aka The Usual Suspect). Scratched head, opened tickets with Mimecast and Microsoft in case one or other had locked him out for being a spammer. Scratched head some more, then went to make a cup of tea (the coffee here isn't up to the standard of my home espresso). And while the kettle was boiling, I had a thought.
Connected to user's mailbox in Office 365. Looked in Rules. Yup. The, err, visitors had helpfully created a "mark all mail as read and delete" rule. Now this is presumably so the victim doesn't see the NDRs and complaints generated by their messages, but does have the drawback that the user might actually notice not getting any email at all.
So, what we think happened was that the user's password was compromised (lifted from somewhere else, similar passwords used for multiple accounts, some other means), attackers used the credentials to blast out numerous messages, set a rule to delete the evidence, then moved on to the next victim.
Lessons that can be learned: remind everyone about why passwords really are important, and why you really need different ones for each service. Oh, and look for rules. Rules are important.
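One way to act on that last lesson is to sweep every mailbox for rules that hide or divert mail, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed and an admin session has already been opened with Connect-ExchangeOnline; the admin address and output path are placeholders.

```powershell
# Added example, not from the original post: enumerate inbox rules across all
# Exchange Online mailboxes and flag the ones an intruder typically plants,
# such as the "mark all mail as read and delete" rule described above.
# Assumes: Connect-ExchangeOnline -UserPrincipalName admin@example.com  (placeholder)

function Find-SuspiciousInboxRule {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            if (-not $rule.Enabled) { continue }

            $reasons = @()
            # Silent deletion: hides NDRs and complaints from the mailbox owner.
            if ($rule.DeleteMessage) { $reasons += 'deletes mail' }
            if ($rule.MarkAsRead)    { $reasons += 'marks mail as read' }
            # Diversion variants: a copy of incoming mail goes to another address.
            if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
                $reasons += 'forwards or redirects mail'
            }
            # Parking mail in a folder the owner rarely opens.
            if ($rule.MoveToFolder -and $rule.MoveToFolder -match 'RSS|Deleted|Junk|Archive') {
                $reasons += "moves mail to $($rule.MoveToFolder)"
            }
            # Subject filters aimed at bounce and warning messages.
            if ($rule.SubjectContainsWords -match 'undeliverable|delivery|hack|password|suspicious') {
                $reasons += 'filters on bounce/warning keywords'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Mailbox  = $mbx.UserPrincipalName
                    RuleName = $rule.Name
                    Priority = $rule.Priority
                    Reasons  = ($reasons -join '; ')
                }
            }
        }
    }
}

# Review the findings on screen and keep a copy for the incident record.
$findings = Find-SuspiciousInboxRule
$findings | Format-Table -AutoSize
$findings | Export-Csv -Path '.\suspicious-inbox-rules.csv' -NoTypeInformation
```

Legitimate rules will show up too (people really do auto-file newsletters), so treat the list as a triage queue: a new "delete and mark as read" rule on a mailbox that also has an unfamiliar sign-in location is the combination worth chasing first.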