
Last Friday, 7 of our employees' Office 365 email accounts were hacked simultaneously. We saw successful logins from random US addresses. The virus went through emails and basically did a reply-all with a virus called request.zip.

They all have ESET running and a scan shows them to be clean. They do not use the same password for other things, and there's no shared software they all use, as there's always one person who eliminates the possibility that that's how they got hacked.

What I find most interesting is that out of those 7 people, one is a person who hasn't worked in the company for years. His account is managed by another one of the victims. This almost certainly tells me it's malware.

Of course, because of this we enabled 2FA for everyone and made them change their passwords, but everyone is super worried about not knowing how that happened and the very likely possibility that those people are still vulnerable (we started reinstalling the OS with a clean installation just to be safe, but for now we still have some not reformatted, for tests). To make things worse, lots of our customers downloaded the malware that the breached accounts sent, but that's a different issue.

Does anyone know how that might've happened? Did anyone experience anything similar? Is there anything I should look for?

Don Draper
    This is saying, "I see that someone broke into the safe in my house. How did they break into the house?" You are describing the *effect*, not the details of the *cause*. There is not enough info here, and you really need to engage a professional to work through the investigation. – schroeder Oct 21 '20 at 10:10
  • Honestly I do find the question and answer proper: you don't know -> contact a professional. It's not like even if he posts his whole network configuration we could answer in 30k characters what is wrong, or that we will do the work of the professional to find the cause. – Walfrat Oct 21 '20 at 11:42
  • @Walfrat The problem is that the answer below is not really an answer. It's the correct advice, but then we would provide the same advice to the same range of questions. Just like we do for machine infections (nuke from orbit). The questions *asked* can only be answered by opinion because there is insufficient detail. And this is not the right format to provide the required details. So, the *question* is opinion-based. The answer is to avoid the question entirely and provide a separate course of action. – schroeder Oct 21 '20 at 13:44
  • @schroeder yaay for alternative answering methodologies.... – LvB Oct 21 '20 at 19:42

1 Answer


All the answers we could get would end up being guesswork of what could have been, since we don't have access to any of the server logs. This is not helpful to anyone.

What you should be doing now is to contact a company doing incident response and forensics and have them figure out how it happened. In other words: It's time to call a professional.

Sure, it will be expensive, but most likely less expensive than yet another breach.


Full Disclosure: I work for a company which offers incident response and forensics. I offer you to contact professionals because it's good advice, not because I have any personal gain from it.

  • As someone NOT working for the company @MechMK1 works for (or for him in any other manner), I completely agree `Don Draper` should contact a professional. There is just too much that could be going on, and knowing what happened is the only way to prevent it from happening again. – LvB Oct 21 '20 at 10:38