This article describes a real-world security issue that affected the customer Fisher International in mid-2018. The steps described cannot necessarily prevent the attack, but they will help forensic investigators uncover evidence after such an attack takes place. They are therefore a useful and potentially necessary step for any client who may be at risk.

What Happened?

A C-level manager at the client company traveled to South America. At this time it is unclear whether the customer's computer or cell phone was used on a public/insecure Wi-Fi or other network. This appears to have allowed the attackers to get access to the customer's Outlook settings in Office 365. (There are other ways to do this, but this is the most likely explanation we have come up with so far.)
The attacker did a few things to prepare their spear phishing strategy:

  1. They observed enough email to identify a business relationship between the user and a lawyer.
  2. They created a server-side rule in Outlook that moved e-mails from the user's lawyer to a sub-folder, so the genuine correspondence no longer appeared in the inbox.
  3. They registered a domain name very similar to the lawyer's, with the 'i' and 'e' transposed in the name.
  4. They initiated email communication with the user from the fake domain, requesting payment for work performed and following up with instructions for a wire transfer.
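The two artifacts the attacker left behind, a hiding inbox rule and a transposed-character domain, are both things an administrator can sweep for. The following PowerShell is an added example, not part of the original article or the author's scripts. It assumes an existing Exchange Online session (Connect-ExchangeOnline from the ExchangeOnlineManagement module, or the author's Connect-MsolServiceMulti helper); the trusted-domain list and the sender addresses are constructed sample data.

```powershell
# Added example (not from the original article): hunt for the two artifacts the
# attacker left behind, a hiding inbox rule and a lookalike sender domain.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline from the
# ExchangeOnlineManagement module, or the author's Connect-MsolServiceMulti).

# Return $true when two domains differ only by one pair of adjacent characters
# swapped (e.g. "lawfirm.com" vs "lawfrim.com"), the trick used in this incident.
function Test-TransposedDomain {
    param([string]$Candidate, [string]$Trusted)
    if ($Candidate.Length -ne $Trusted.Length) { return $false }
    if ($Candidate -eq $Trusted) { return $false }
    for ($i = 0; $i -lt $Trusted.Length - 1; $i++) {
        $chars = $Trusted.ToCharArray()
        $tmp = $chars[$i]; $chars[$i] = $chars[$i + 1]; $chars[$i + 1] = $tmp
        if ((-join $chars) -eq $Candidate) { return $true }
    }
    return $false
}

# Flag sender addresses whose domain is one transposition away from a trusted
# counterpart domain. $TrustedDomains is a hypothetical allow list of vendor and
# law-firm domains; $Senders would normally come from a message trace.
function Find-LookalikeSenders {
    param([string[]]$Senders, [string[]]$TrustedDomains)
    foreach ($sender in $Senders) {
        $domain = ($sender -split '@')[-1].ToLowerInvariant()
        foreach ($trusted in $TrustedDomains) {
            if (Test-TransposedDomain -Candidate $domain -Trusted $trusted.ToLowerInvariant()) {
                [pscustomobject]@{ Sender = $sender; Imitates = $trusted }
            }
        }
    }
}

# Sweep every user mailbox for server-side rules that hide or divert mail:
# move to a folder, delete, mark as read, forward or redirect. All of these are
# legitimate rule actions, so review the hits rather than deleting them blindly.
function Find-SuspiciousInboxRules {
    Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
        ForEach-Object {
            $mbx = $_.UserPrincipalName
            Get-InboxRule -Mailbox $mbx | Where-Object {
                $_.MoveToFolder -or $_.DeleteMessage -or $_.MarkAsRead -or
                $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
            } | Select-Object @{ n = 'Mailbox'; e = { $mbx } }, Name, Enabled, From,
                  SubjectContainsWords, MoveToFolder, DeleteMessage, MarkAsRead, ForwardTo, RedirectTo
        }
}

# Constructed sample data: one genuine sender, one transposed domain, one unrelated.
$sample = 'counsel@smithlegal.com', 'counsel@smtihlegal.com', 'ar@vendor.example'
Find-LookalikeSenders -Senders $sample -TrustedDomains 'smithlegal.com', 'vendor.example' | Format-Table

# Run after connecting to Exchange Online:
# Find-SuspiciousInboxRules | Format-Table -AutoSize
```

The transposition check is deliberately narrow: it matches exactly the swap described above and nothing else, so it produces few false positives but will not catch homoglyphs or added characters. The rule sweep reports rather than removes, because moving mail to a folder is a perfectly normal thing for a busy executive to have configured.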

What's the Problem?

Aside from the obvious issue that the user was conned into sending money to a stranger, the problem here is that the default mailbox audit settings in Office 365 did not capture enough information for us to be of much help to the forensic investigators. In fact, the attack appears to have been designed to exploit this weakness.

How To Prevent Such Attacks

While there's no way to prevent a clever hacker or con artist from ever getting the better of you, a few things could have been done differently that would likely have stopped this attack from working:
  1. Establish banking details ahead of time with vendors using a secure system, such as Intuit Payments. Keep EFT/ACH/wire details in that system, then be firm and do not deviate from your established business processes for vendor payments.
  2. If someone contacts you asking for money, whether by e-mail or by phone, break the communication chain and call them back. Use a known-good phone number that you recognize, since an attacker may have altered your contacts to change the email address you use to reach them. Keep in mind that an attacker may also have changed your contact's phone numbers, and that phone numbers in familiar area codes are easy to come by thanks to Internet-based VoIP services. You may want to look up the company's main number via Google, dial that, and ask for the person's extension.
  3. If you know someone well, you can establish familiarity with mutually shared information that would be hard for others to know, or agree on a pre-shared 'secret' pass-phrase for verifying their identity. Better yet, tell them they'll just have to wait for the money until you get back to the office.
  4. Avoid using public/unsecured Wi-Fi whenever you can. Assume that even secured Wi-Fi that you do not control may be running outdated firmware that has been compromised to allow snooping.
  5. When traveling, always use a VPN service that encrypts your computer's Internet access.
  6. Avoid using Wi-Fi on your smartphone when traveling; this will not protect you 100% from things like rogue cell towers, but it will reduce the chances of being compromised.

How To Ensure All Available Information Is Collected

Auditing in Office 365 is really a reaction for when the attack succeeds, not something that can help prevent it. Some of the audit settings might tip you off to an impending attack, but chances are that nobody will be watching for red flags during the 15 minutes or so it takes the attacker to set everything up. The logs are more useful to investigators trying to track down who stole your money.

Unfortunately, if the current Office 365 defaults were in place when you were hacked, there's little we can do: there will be no data to report to the authorities, and they will have to follow the money trail instead.

Microsoft recently announced a change in the default mailbox audit settings that will help going forward. It is expected to roll out in Q3 and Q4 of 2018. As of November, our commercial customers have not yet seen this change. More info here:

Our recommended defaults go a bit further than what's described there. Here is the PowerShell script we use to establish the higher level of auditing for all users in Exchange Online:
## SetMailboxAuditPolicy.ps1

# This requires Office365Functions.ps1 (our helper that opens the Exchange Online
# session); otherwise connect yourself, e.g. with Connect-ExchangeOnline from the
# ExchangeOnlineManagement module.
Connect-MsolServiceMulti -Services Exchange

# UpdateFolderPermissions and UpdateInboxRules are omitted because they are already on by default.
$selfAudit  = "HardDelete","UpdateCalendarDelegation"
$otherAudit = "MailboxLogin","HardDelete","SoftDelete","Move","UpdateCalendarDelegation"

# All user mailboxes; for a single user use: Get-Mailbox -Identity "Alias"
$boxes = Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"}

# Add= appends to whatever actions are already enabled rather than replacing the list
$boxes | Set-Mailbox -AuditEnabled $true -AuditOwner @{ Add=$selfAudit }
$boxes | Set-Mailbox -AuditEnabled $true -AuditDelegate @{ Add=$otherAudit }
$boxes | Set-Mailbox -AuditEnabled $true -AuditAdmin @{ Add=$otherAudit }

Please see the Microsoft announcement referenced above regarding important upcoming changes to the default settings.


# Enable just the defaults for a specific user
Set-Mailbox -Identity "Alias" -AuditEnabled $true

# Enable just the defaults for all users
Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true
# TODO: repeat for shared mailboxes (RecipientTypeDetails -eq "SharedMailbox")
# Note: this cannot be done for Office 365 Group mailboxes

Audit Setting              Default Policy
MailboxLogin               on only for owners, not admins
HardDelete                 on for non-owners only
Move                       off for all
UpdateCalendarDelegation   on for admin and owner, off for delegate
UpdateFolderPermissions    on for all
UpdateInboxRules           on for all
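Turning the settings on is only half the job; you also want to confirm that every mailbox, including the shared mailboxes the TODO above mentions, actually records the recommended actions, and to know what the resulting evidence looks like when an investigator asks for it. The following PowerShell is an added example, not part of the original article or the author's scripts. It assumes an existing Exchange Online session, takes the required action lists from the article's recommendations rather than from any Microsoft default, and uses placeholder values for the victim mailbox and the date window.

```powershell
# Added example (not from the original article): verify audit coverage across
# user and shared mailboxes, then pull the entries an investigator would want.
# Assumes an existing Exchange Online session. The required action sets are the
# article's recommendations (owner: the two extras plus the two defaults;
# delegate/admin: the five extras plus the two defaults).

$RequiredOwner    = 'HardDelete','UpdateCalendarDelegation','UpdateFolderPermissions','UpdateInboxRules'
$RequiredNonOwner = 'MailboxLogin','HardDelete','SoftDelete','Move','UpdateCalendarDelegation',
                    'UpdateFolderPermissions','UpdateInboxRules'

# Compare the configured action list with the required one; returns the names
# that are missing so the caller can report or remediate them.
function Get-MissingAuditActions {
    param([string[]]$Configured, [string[]]$Required)
    $have = @($Configured | ForEach-Object { "$_" })
    @($Required | Where-Object { $have -notcontains $_ })
}

# Report only the mailboxes whose audit configuration falls short.
# Covers user and shared mailboxes (the TODO in the article's script).
function Test-MailboxAuditCoverage {
    Get-Mailbox -ResultSize Unlimited `
        -Filter "RecipientTypeDetails -eq 'UserMailbox' -or RecipientTypeDetails -eq 'SharedMailbox'" |
        ForEach-Object {
            $row = [ordered]@{
                Mailbox          = $_.UserPrincipalName
                AuditEnabled     = $_.AuditEnabled
                MissingOwner     = (Get-MissingAuditActions $_.AuditOwner    $RequiredOwner)    -join ','
                MissingDelegate  = (Get-MissingAuditActions $_.AuditDelegate $RequiredNonOwner) -join ','
                MissingAdmin     = (Get-MissingAuditActions $_.AuditAdmin    $RequiredNonOwner) -join ','
                AuditLogAgeLimit = $_.AuditLogAgeLimit   # how long the evidence survives
            }
            if (-not $row.AuditEnabled -or $row.MissingOwner -or $row.MissingDelegate -or $row.MissingAdmin) {
                [pscustomobject]$row
            }
        }
}

# What the investigator asks for once auditing is on: every rule change and
# login recorded against the victim's mailbox during the trip. $Victim, $Start
# and $End are placeholders. UpdateInboxRules is the mailbox-audit operation
# for rule changes made from Outlook; rules created via PowerShell or OWA show
# up instead as New-InboxRule/Set-InboxRule in Search-UnifiedAuditLog.
function Get-RuleChangeEvidence {
    param([string]$Victim, [datetime]$Start, [datetime]$End)
    Search-MailboxAuditLog -Identity $Victim -LogonTypes Owner,Delegate,Admin -ShowDetails `
        -StartDate $Start -EndDate $End -ResultSize 5000 |
        Where-Object { $_.Operation -in 'UpdateInboxRules','MailboxLogin' } |
        Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName,
                      ClientInfoString, ClientIPAddress, FolderPathName
}

# Usage, after connecting:
# Test-MailboxAuditCoverage | Format-Table -AutoSize
# Get-RuleChangeEvidence -Victim 'ceo@contoso.example' -Start (Get-Date).AddDays(-30) -End (Get-Date)
```

The coverage report includes AuditLogAgeLimit because the 90-day default retention is as much a forensic limit as the action list: evidence of a rule created at the start of a long trip can expire before anyone notices the wire. The evidence query filters to the two operations that matter for this attack pattern, the rule change itself and the login that preceded it, with the client IP and client string that let investigators distinguish the executive's laptop from the attacker's session.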