
    Weird thing on O365 account

    IT Discussion
    hacked dashrender
    • Dashrender

      One of my clients, their owner just got back from Jamaica. While she was there, she tried to send an email, and that tripped alarms in O365 - but only one alarm was ever tripped, and the alarm said it was a warning, and only after more issues would any corrective action be taken automatically.

      She's back now - and now whenever she is sending out emails, the Profile Name of the account was changed to a nonexistent phone number +1-507-110-8801.

      She also believes she hasn't received any email on that account since the day she sent an email while in Jamaica (though the deleted items folder disagrees with her).

      Thoughts on this weird profile name change?

      • Dashrender

        8407b6f0-ce40-448c-8a03-20523270789d-image.png

        When I try to send to her in Outlook on the web, it shows the above, even though I've modified the user list back to her real name.

        • DustinB3403

          She likely has a fubar'd contact in one of her devices.

          • scottalanmiller

            Maybe her account was hacked. Send her an email and see if it goes straight to deleted.

            • DustinB3403 @scottalanmiller

              @scottalanmiller said in Weird thing on O365 account:

              Maybe her account was hacked. Send her an email and see if it goes straight to deleted.

              That's probable, but the number showing up in the 'to' field is from the contacts.

              • coliver

                This was definitely hacked. It may have been a coincidence that they went to Jamaica at the same time.

                You'll want to revoke any login tokens and check for any forwarding rules, reset the password, and check for inbox rules. Pitch them MFA.

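The inbox-rule and forwarding checks coliver lists, together with scottalanmiller's "goes straight to deleted" symptom, can be triaged with a filter like the one below. This is an added example, not part of the thread: the function name `Find-SuspiciousInboxRule` and the sample rules are constructed for illustration, and the property names are the ones Exchange Online's `Get-InboxRule` returns.

```powershell
# Added example (not from the thread). Flags inbox rules that send mail
# elsewhere or hide it from the mailbox owner.
# Find-SuspiciousInboxRule is a hypothetical helper name.
function Find-SuspiciousInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    process {
        $reasons = @()
        # Rules that copy or redirect mail to another recipient
        foreach ($p in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            if ($Rule.$p) { $reasons += "$p -> $($Rule.$p -join ', ')" }
        }
        # Rules that keep replies and alerts out of the owner's sight
        if ($Rule.DeleteMessage) { $reasons += 'deletes incoming mail' }
        if ($Rule.MoveToFolder -match 'Deleted Items|RSS|Junk|Archive|Conversation History') {
            $reasons += "moves mail to '$($Rule.MoveToFolder)'"
        }
        if ($Rule.MarkAsRead -and $reasons) { $reasons += 'marks mail as read' }
        if ($reasons) {
            [pscustomobject]@{
                Name    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules using Get-InboxRule's property names.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; MoveToFolder = 'Newsletters' }
    [pscustomobject]@{ Name = '.'; Enabled = $true; DeleteMessage = $true; MarkAsRead = $true }
    [pscustomobject]@{ Name = 'sync'; Enabled = $true; ForwardTo = @('smtp:collector@example.invalid') }
)
$sampleRules | Find-SuspiciousInboxRule | Format-Table -AutoSize -Wrap

# Against a live tenant (ExchangeOnlineManagement module, after Connect-ExchangeOnline);
# user@example.com is a placeholder:
#   Get-InboxRule -Mailbox user@example.com | Find-SuspiciousInboxRule
#   Get-Mailbox -Identity user@example.com |
#       Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
```

Mailbox-level forwarding is stored on the mailbox rather than in an inbox rule, which is why the last commented command checks `Get-Mailbox` separately.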
                • scottalanmiller @coliver

                  @coliver said in Weird thing on O365 account:

                  This was definitely hacked. It may have been a coincidence that they went to Jamaica at the same time.

                  You'll want to revoke any login tokens and check for any forwarding rules, reset the password, and check for inbox rules. Pitch them MFA.

                  That's what I was thinking.

                  • scottalanmiller

                    Sounds exactly like O365 accounts we've seen hacked in the past.

                    • Dashrender @scottalanmiller

                      @scottalanmiller said in Weird thing on O365 account:

                      Maybe her account was hacked. Send her an email and see if it goes straight to deleted.

                      OK, that would make sense.

                      • Dashrender @coliver

                        @coliver said in Weird thing on O365 account:

                        This was definitely hacked. It may have been a coincidence that they went to Jamaica at the same time.

                        You'll want to revoke any login tokens and check for any forwarding rules, reset the password, and check for inbox rules. Pitch them MFA.

                        Thanks!

                        • Dashrender

                          Yep, hacked
                          8cf2b5c9-7b4d-45b4-94ba-72acbfd9761d-image.png

                          • IRJ @coliver

                            @coliver said in Weird thing on O365 account:

                            Pitch them MFA.

                            Nah. Just set it up, and say it's security in place so you won't get hacked again.

                            No pitch needed, just do it.

                            • Dashrender @IRJ

                              @IRJ said in Weird thing on O365 account:

                              @coliver said in Weird thing on O365 account:

                              Pitch them MFA.

                              Nah. Just set it up, and say it's security in place so you won't get hacked again.

                              No pitch needed, just do it.

                              I don't have that level of authority, I'm an IT consultant for them, nothing more.

                              I have a meeting with them tonight (the whole company actually - some training stuff), but in light of this SECOND hack - I'm seriously thinking I ditch all of my current conversation and talk about password managers and 2FA only.

                              • IRJ @Dashrender

                                @Dashrender said in Weird thing on O365 account:

                                I don't have that level of authority, I'm an IT consultant for them, nothing more.

                                I have a meeting with them tonight (the whole company actually - some training stuff), but in light of this SECOND hack - I'm seriously thinking I ditch all of my current conversation and talk about password managers and 2FA only.

                                Second hack? Then you didn't do your job the first time.

                                There is really no discussion. It's a must-have and they could lose their Office 365 account otherwise. Their account already has a poor reputation with Microsoft.

                                It's not a conversation, it's you do this or I drop you as a client

                                • Dashrender @IRJ

                                  @IRJ said in Weird thing on O365 account:

                                  Second hack? Then you didn't do your job the first time.

                                  There is really no discussion. It's a must-have and they could lose their Office 365 account otherwise. Their account already has a poor reputation with Microsoft.

                                  It's not a conversation, it's you do this or I drop you as a client

                                  Huh - that's the first time I've ever heard that... Thanks, the ammo is worthwhile.. I'll let y'all know what they say tomorrow.

                                  • dbeato

                                    Just in case you need this
                                    https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide

                                    • popester @coliver

                                      @coliver said in Weird thing on O365 account:

                                      This was definitely hacked. It may have been a coincidence that they went to Jamaica at the same time.

                                      You'll want to revoke any login tokens and check for any forwarding rules, reset the password, and check for inbox rules. Pitch them MFA.

                                      What he said. 👍 Been there done that several times. Even had someone reply to an email from the compromised account asking "Is this really you?"........ The response was of course "Yes it is me"........ Whoops there goes another account. 🙂

                                      • scottalanmiller @IRJ

                                        @IRJ said in Weird thing on O365 account:

                                        Second hack? Then you didn't do your job the first time.

                                        Security is THEIR job, not his. They are the CIO, not him. You can't blame people down the chain for the decision makers making bad decisions.

                                        • scottalanmiller @Dashrender

                                          @Dashrender said in Weird thing on O365 account:

                                          Huh - that's the first time I've ever heard that... Thanks, the ammo is worthwhile.. I'll let y'all know what they say tomorrow.

                                          How do we know that their account has a poor reputation? You can look that up. We've had accounts disabled for poor reputation and never tied to being hacked, always tied to bad employees (yes we fired people.) It's unlikely that they have a bad reputation unless MS told you so.

                                          • DustinB3403 @scottalanmiller

                                            @scottalanmiller said in Weird thing on O365 account:

                                            @IRJ said in Weird thing on O365 account:

                                            Second hack? Then you didn't do your job the first time.

                                            Security is THEIR job, not his. They are the CIO, not him. You can't blame people down the chain for the decision makers making bad decisions.

                                            What world are you living in? This is how 99.99999% of IT lives, getting blamed for other people's bad decision making.
