Office 365 – Malicious actors using your account to scam your contacts


Office 365 is a name that is widely known and is the preferred email hosting platform for many organisations in Australia (unless you’re a Google fan. It is like the age-old Ford and Holden rivalry – I am in the Ford camp here). All rivalry aside, both platforms have their ups and downs. It just comes down to which one works better for you and your business. I personally like the Office 365 platform, as most SMBs get a really good quality system at a very reasonable price, and it works with no real change to how they used the old in-house servers that nearly all of them had before. It makes sense to them, which is great, but this isn’t a sales pitch for Office 365. No, this is to tell you how it really is and set some things straight, with no stupid jargon that is only used to confuse people.

So, let’s put together a scenario of an incident that I have seen on at least ten different occasions over the last six months. We get a call from an organisation that is hosted on Office 365 for email, software and so on, as is pretty normal. They have staff located across several locations or a mobile workforce, and they all connect to Office 365 for email and possibly some sort of data sharing.

They have probably been on the platform for 12 months or more and it has been working well for them. Sounds like most organisations on Office 365 or Google hosting, right? Yeah, it does. Now we receive a call because one of the staff has been getting strange bounce-backs for emails that they never sent in the first place. Alarm bells are starting to ring: this sounds like an email account compromise.

First things first: reset the password immediately, just to be on the safe side. It doesn’t matter if it turns out that something else is the cause; it is safer to reset it and cut access to the account if it is, in fact, a breached account. Export all the logs for review at a later point, then check the inbox rules in the Office 365 web portal for that user. I bet that in most cases you will find a rule redirecting emails with “invoice”, “payment” or “account” in the subject into Deleted Items, RSS Feeds, or a random folder created and hidden underneath folders you already have configured.
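Checking one user’s rules in the web portal is fine for a single incident, but once you suspect one account you want to sweep the whole tenant. The script below is an added example, not code from the original post: it uses the ExchangeOnlineManagement module’s Get-Mailbox and Get-InboxRule cmdlets to flag rules that match the pattern described above (money-related subject keywords, moves into Deleted Items/RSS Feeds, deletion, or forwarding outside the tenant). The keyword and folder lists, the internal domain and the role assumptions are mine.

```powershell
# Added example: hunt for attacker-style inbox rules across all Office 365 mailboxes.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in account
# has an Exchange role that can read every mailbox's inbox rules.
Connect-ExchangeOnline

$suspectWords   = @('invoice', 'payment', 'account', 'remittance', 'bank')   # assumed list
$suspectFolders = @('Deleted Items', 'RSS Feeds', 'RSS Subscriptions', 'Junk Email', 'Archive')
$internalDomain = 'example.com'                                              # placeholder: your tenant domain
$wordPattern    = ($suspectWords | ForEach-Object { [regex]::Escape($_) }) -join '|'

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()

        # 1. Subject/body filter on money-related words, as seen in the incidents above
        $words = @($rule.SubjectContainsWords) + @($rule.SubjectOrBodyContainsWords) | Where-Object { $_ }
        foreach ($w in $words) { if ($w -imatch $wordPattern) { $reasons += "filters on '$w'" } }

        # 2. Mail moved into a folder the user is unlikely to look at (value looks like "user:\Deleted Items")
        foreach ($f in $suspectFolders) {
            if ($rule.MoveToFolder -and $rule.MoveToFolder -like "*\$f") { $reasons += "moves to $f" }
        }

        # 3. Mail silently deleted or marked as read so the user never notices it
        if ($rule.DeleteMessage) { $reasons += 'deletes message' }
        if ($rule.MarkAsRead)    { $reasons += 'marks as read' }

        # 4. Any copy sent outside the organisation
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if ("$t" -notlike "*@$internalDomain*") { $reasons += "forwards/redirects to $t" }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
# Review each hit with the mailbox owner before acting; a confirmed malicious rule can be
# switched off with: Disable-InboxRule -Mailbox <upn> -Identity <rule name>
```

Keep the exported rule list alongside the logs you pulled earlier; the rule name, creation time and the folder it targets are the evidence you will want when you trace how far the compromise went.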

The malicious actor will be looking over all these emails, changing the details and then putting them back in your inbox as if nothing had happened. They will change bank account details and invoice amounts, just for starters. The malicious actors will then usually move on to sending emails, sometimes crude and vulgar ones, to all of your contacts, or some sort of scam to get you to open an infected document or change the account details used for payments.