This has been quite the year of O365 intrusions. The story seems to be almost identical in each security incident we investigate this year, and it goes like this:
Employee receives a pop-up message from Microsoft advising employee that s/he must change his or her password for security purposes. Employee types his or her user name and password into the pop-up message and provides “Microsoft” with the new information.
In fact, the pop-up was a phishing lure, and the intruder now has the credentials to the employee’s email box. Once inside, the intruder sets up forwarding rules that send a copy of every email the employee receives to a Gmail account, and then watches the email traffic.
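The forwarding rule described above is one of the few artifacts of this intrusion that a defender can find before the fraudulent wire goes out, because rule changes are recorded in the Exchange Online audit log. The script below is an added example, not part of the original post or any vendor tool: it scans a constructed, simplified approximation of Unified Audit Log records (real records carry many more fields) for rule-creating cmdlets whose forwarding parameters point outside the organization’s own domains. The cmdlet parameter names (`ForwardTo`, `RedirectTo`, `ForwardingSmtpAddress`, `DeleteMessage`, and so on) are the real Exchange ones; the sample records, the `example-corp.com` domain and the addresses in them are constructed.

```python
"""Flag mailbox rules that auto-forward mail to addresses outside the organization.

Added example (not from the original post). It scans a simplified, constructed
approximation of Exchange Online Unified Audit Log records: each record has an
Operation (New-InboxRule, Set-InboxRule, Set-Mailbox), the acting UserId, and a
Parameters list of {"Name", "Value"} pairs, which is how the real log exposes
cmdlet arguments. The organization's own domains are an assumed input.
"""
import json
import re
from typing import Iterable

# Cmdlet parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",   # New-/Set-InboxRule
    "ForwardingSmtpAddress", "ForwardingAddress",          # Set-Mailbox
}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample log: one attacker-style rule (external target, original
# deleted, nondescript name), one benign internal redirect, one mailbox-level
# forward set by an admin, and one unrelated login event.
SAMPLE_LOG = json.dumps([
    {"CreationTime": "2019-03-04T13:22:10", "Operation": "New-InboxRule",
     "UserId": "jdoe@example-corp.com", "ClientIP": "203.0.113.7",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "ForwardTo", "Value": "mailbox.archive.2019@gmail.com"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2019-03-04T09:01:00", "Operation": "New-InboxRule",
     "UserId": "asmith@example-corp.com", "ClientIP": "10.0.0.5",
     "Parameters": [
         {"Name": "Name", "Value": "Team mail"},
         {"Name": "RedirectTo", "Value": "ap-team@example-corp.com"}]},
    {"CreationTime": "2019-03-04T10:15:00", "Operation": "Set-Mailbox",
     "UserId": "admin@example-corp.com",
     "Parameters": [
         {"Name": "Identity", "Value": "jdoe"},
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:j.doe.private@outlook.com"}]},
    {"CreationTime": "2019-03-04T11:00:00", "Operation": "MailboxLogin",
     "UserId": "jdoe@example-corp.com", "Parameters": []},
])

# Matches an address and captures its domain; tolerates "smtp:" prefixes and lists.
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", re.IGNORECASE)


def external_addresses(value: str, org_domains: set) -> list:
    """Return every address in a parameter value whose domain is not an org domain."""
    return [m.group(0).lower() for m in ADDR_RE.finditer(value)
            if m.group(1).lower() not in org_domains]


def find_external_forwarding(log_json: str, org_domains: Iterable[str]) -> list:
    """Return one finding per rule/mailbox change that forwards outside the org."""
    domains = {d.lower() for d in org_domains}
    hits = []
    for rec in json.loads(log_json):
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        targets = []
        for name in FORWARDING_PARAMS.intersection(params):
            targets.extend(external_addresses(params[name], domains))
        if not targets:
            continue  # internal-only forwarding is normal business use
        hits.append({
            "time": rec.get("CreationTime"),
            "operation": rec["Operation"],
            "actor": rec.get("UserId"),
            "client_ip": rec.get("ClientIP"),
            "targets": sorted(set(targets)),
            # Deleting the original hides the forward from the mailbox owner.
            "deletes_original": params.get("DeleteMessage", "").lower() == "true",
        })
    return hits


if __name__ == "__main__":
    for hit in find_external_forwarding(SAMPLE_LOG, {"example-corp.com"}):
        print(hit)
```

Run against a real export, the same logic applies to the records returned by the audit log search; the two things worth reviewing on every hit are the external target domain and whether the rule also deletes the original message, since a silent external copy is exactly what this intrusion pattern needs.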
Once the intruder finds an opportunity, which frequently involves an outstanding invoice to a vendor, the intruder spoofs the vendor, cuts and pastes the vendor’s signature block, and demands payment of the outstanding amount due. The employee believes it is the known vendor and corresponds with the imposter as if he were the vendor. During the back-and-forth email correspondence, the imposter tells the employee that the vendor is changing its payment method to ACH and provides the wiring instructions. The employee sends the money according to the wiring instructions and believes the outstanding debt has been paid.
Days or weeks later, the employee receives a call or email from the real vendor requesting payment. When the employee tells the vendor that payment has already been made, the vendor says that it has not been paid, and the employee forwards the correspondence showing the payment. It is usually then that it is discovered that the money has been sent to a fraudulent bank account. When the employee tries to get the money back from the bank, the account has already been liquidated. Unfortunately, the vendor still needs to be paid, so the company now has to pay the vendor too.
When we retain a forensic firm to review and mitigate the incident, the first thing done is to implement multifactor authentication and force password resets across the organization. In most instances, the initial intrusion could have been prevented if multifactor authentication had been implemented from the start.
Multifactor authentication continues to be an important part of an organization’s risk management program, including when using O365.