Last Friday, 7 of our employees' Office 365 email accounts were hacked simultaneously. We saw successful logins from random US addresses. The virus went through their emails and basically did a reply-all with a virus called request.zip.
They all have ESET running, and a scan shows them to be clean. They do not use the same password for other things, and there's no shared software they all use, as there's always one person who eliminates the possibility that that's how they got hacked.
What I find most interesting is that, out of those 7 people, one is a person who hasn't worked at the company for years. His account is managed by another one of the victims. This almost certainly tells me it's malware.
Of course, because of this we enabled 2FA for everyone and made them change their passwords, but everyone is super worried about not knowing how it happened and about the very likely possibility that those people are still vulnerable (we started reinstalling the OS from a clean installation just to be safe, but for now we still have some machines not reformatted, for tests). To make things worse, lots of our customers downloaded the malware that the breached accounts sent, but that's a different issue.
Does anyone know how that might've happened? Has anyone experienced anything similar? Is there anything I should look for?
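The post mentions one concrete piece of evidence, successful logins from unfamiliar US addresses, and asks what to look for. The script below is an added example, not code from the poster, showing one way to triage that evidence from an export of the Office 365 unified audit log: build each user's baseline of source IPs from successful sign-ins before the incident, flag post-incident sign-ins from any IP the user never used before, and then group the flagged IPs across users to see whether a single source hit several accounts within minutes (which points to one actor replaying harvested credentials rather than seven unrelated infections). The log records are constructed for the example; the field names (CreationTime, Operation, UserId, ClientIP, ResultStatus) are assumed to match the AuditData JSON of UserLoggedIn events and should be adjusted to whatever your export actually contains. The dates, addresses and account names are likewise made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records, one JSON object per line, in the shape assumed for
# the AuditData of unified-audit-log "UserLoggedIn" events. Not real data.
# 203.0.113.10 is the office egress address; 198.51.100.77 is the unfamiliar source.
SAMPLE_AUDIT_JSON = """
{"CreationTime": "2019-03-04T08:02:11", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"}
{"CreationTime": "2019-03-05T08:15:40", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"}
{"CreationTime": "2019-03-06T12:30:02", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"}
{"CreationTime": "2019-03-07T17:44:09", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "198.51.100.77", "ResultStatus": "Failed"}
{"CreationTime": "2019-03-08T03:11:52", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "198.51.100.77", "ResultStatus": "Succeeded"}
{"CreationTime": "2019-03-08T03:12:30", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "198.51.100.77", "ResultStatus": "Succeeded"}
{"CreationTime": "2019-03-08T03:14:05", "Operation": "UserLoggedIn", "UserId": "former.employee@example.com", "ClientIP": "198.51.100.77", "ResultStatus": "Succeeded"}
{"CreationTime": "2019-03-08T09:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"}
{"CreationTime": "2019-03-08T10:20:00", "Operation": "FileAccessed", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ResultStatus": "Succeeded"}
"""

# Assumed incident start ("last Friday" in the post); everything before it is baseline.
INCIDENT_START = datetime(2019, 3, 8, tzinfo=timezone.utc)


def parse_records(text):
    """Parse newline-delimited JSON records and attach a timezone-aware timestamp."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["_time"] = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def successful_logins(records):
    """Keep only sign-in events that actually succeeded; failures are noise here."""
    return [r for r in records
            if r["Operation"] == "UserLoggedIn" and r["ResultStatus"] == "Succeeded"]


def baseline_ips(records, cutoff):
    """Per user, the set of source IPs seen on successful sign-ins strictly before the cutoff."""
    seen = defaultdict(set)
    for r in successful_logins(records):
        if r["_time"] < cutoff:
            seen[r["UserId"]].add(r["ClientIP"])
    return seen


def new_source_logins(records, cutoff):
    """Successful sign-ins at or after the cutoff from an IP the user had never used before.

    A dormant account (the former employee in the post) has no baseline at all, so
    every sign-in it makes during the window is flagged, which is the right outcome.
    """
    seen = baseline_ips(records, cutoff)
    flagged = []
    for r in successful_logins(records):
        if r["_time"] >= cutoff and r["ClientIP"] not in seen[r["UserId"]]:
            flagged.append((r["CreationTime"], r["UserId"], r["ClientIP"]))
    return sorted(flagged)


def ips_shared_across_users(flagged, min_users=2):
    """Flagged source IPs that signed in to at least `min_users` distinct accounts.

    One address reaching many accounts within a few minutes indicates a single actor
    working through a list of credentials, not independent per-machine infections.
    """
    users_by_ip = defaultdict(set)
    for _, user, ip in flagged:
        users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT_JSON)
    flagged = new_source_logins(recs, INCIDENT_START)
    for when, user, ip in flagged:
        print(f"{when}  {user:30}  new source {ip}")
    for ip, users in ips_shared_across_users(flagged).items():
        print(f"{ip} signed in to {len(users)} accounts: {', '.join(users)}")
```

On the constructed data, three sign-ins within three minutes from the single unfamiliar address are flagged, including the dormant account, while the legitimate office address never is. Run against a real export, the interesting follow-ups are the user agents and geolocation of the shared address and whether its first successful sign-in precedes the first malicious reply-all.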