{"id":392,"date":"2019-10-10T13:57:22","date_gmt":"2019-10-10T13:57:22","guid":{"rendered":"http:\/\/www.torontohelpdesk.ca\/blog\/?p=392"},"modified":"2019-11-06T15:50:49","modified_gmt":"2019-11-06T15:50:49","slug":"office-365-tenancy-hacked","status":"publish","type":"post","link":"https:\/\/www.torontohelpdesk.ca\/blog\/office-365-tenancy-hacked\/","title":{"rendered":"Office 365 Tenancy Hacked"},"content":{"rendered":"\n

Problem:<\/strong><\/p>\n\n\n\n

You find that your Office 365 tenancy is hacked.<\/p>\n\n\n\n

Solution:<\/strong><\/p>\n\n\n\n

(h\/t AC)<\/em><\/p>\n\n\n\n

  1. We changed the password.<\/li>
  2. Checked for the Outbound connector from EAC ( Exchange Admin Center )–> Mail Flow–> Connector.<\/li>
  3. Check for the Inbox rules and we found the suspicious inbox rules.<\/li>
  4. We disable the MAPI and Active sync protocol before deleting the Inbox rules ( Active sync will take precedence if not disabled and the rules will reflect again after deleting ).<\/li>
  5. Then we deleted the Inbox rules .<\/li>
  6. We check for the email forwarding if any applied on the impacted email address.<\/li>
  7. We check the Message trace so that we can find weather the bulk email was send from the impacted user Mailbox.<\/li>
  8. We ran the command Get-inboxrule -Mailbox abc@domain.com<\/a> to check the inbox rules with out login to the user from OWA ( Outlook Web Application )<\/li>
  9. We enable MFA for Admin Login.<\/li>
  10. We downloaded the Poweshell from EAC –> Hybrid –> click on second Configure to download the PowerShell for MFA. With this you can check RULEs user by user by this command
    1. Get-InboxRule -Mailbox abc@domain.com<\/a> <\/li>
    2. If it came empty \u2013 no any rules are set <\/li><\/ol><\/li>
    3. Sign into the Office 365 Security and Compliance Center and in the list on the left, expand\u00a0Threat Management<\/strong>, choose\u00a0Review<\/strong>, and then choose\u00a0Restricted Users<\/strong>.<\/li><\/ol>\n\n\n\n

      <\/p>\n\n\n\n

      <\/p>\n\n\n\n

      <\/p>\n","protected":false},"excerpt":{"rendered":"

      Problem: You find that your Office 365 tenancy is hacked. Solution: (h\/t AC) We changed the password. Checked for the Outbound connector from EAC ( Exchange Admin Center )–> Mail Flow–> Connector. Check for the Inbox rules and we found Continue reading Office 365 Tenancy Hacked<\/span>→<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-392","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.torontohelpdesk.ca\/blog\/wp-json\/wp\/v2\/posts\/392","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.torontohelpdesk.ca\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.torontohelpdesk.ca\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.torontohelpdesk.ca\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.torontohelpdesk.ca\/blog\/wp-json\/wp\/v2\/comments?post=392"}],"version-history":[{"count":2,"href":"https:\/\/www.torontohelpdesk.ca\/blog\/wp-json\/wp\/v2\/posts\/392\/revisions"}],"predecessor-version":[{"id":399,"href":"https:\/\/www.torontohelpdesk.ca\/blog\/wp-json\/wp\/v2\/posts\/392\/revisions\/399"}],"wp:attachment":[{"href":"https:\/\/www.torontohelpdesk.ca\/blog\/wp-json\/wp\/v2\/media?parent=392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.torontohelpdesk.ca\/blog\/wp-json\/wp\/v2\/categories?post=392"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.torontohelpdesk.ca\/blog\/wp-json\/wp\/v2\/tags?post=392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}