This has been quite the year of O365 intrusions. The story is almost identical in each security incident we have investigated this year, and it goes like this:

An employee receives a pop-up message that appears to come from Microsoft, advising that he or she must change his or her password for security purposes. The employee types the user name and password into the pop-up and "provides Microsoft" with the new information.

In fact, the pop-up was a phishing lure: the credentials went to an intruder, who now has access to the employee's email box. Once the intruder is in the email box, he creates forwarding rules that send a copy of every email the employee receives to a Gmail account, and then watches the email traffic.

Once the intruder finds an opportunity, which frequently involves an outstanding invoice from a vendor, the intruder spoofs the vendor, cuts and pastes the vendor's signature block, and demands payment of the outstanding amount due. The employee believes it is the known vendor and corresponds with the imposter as if he were the vendor. During the back-and-forth email correspondence, the imposter tells the employee that the vendor is changing its payment method to ACH and provides new wiring instructions. The employee sends the money according to those wiring instructions and believes the outstanding debt has been paid.

Days or weeks later, the employee receives a call or email from the real vendor requesting payment. When the employee tells the vendor that payment has already been made, the vendor says it has not been paid, and the employee forwards the correspondence in which payment was arranged. It is usually then that it is discovered that the money was sent to a fraudulent bank account. By the time the employee tries to recall the funds through the bank, the account has been liquidated. Unfortunately, the vendor still needs to be paid, so the company now has to pay the vendor a second time.

When we retain a forensic firm to review and mitigate the incident, the first things done are to implement multifactor authentication and force password resets across the organization. In most instances, the initial intrusion could have been prevented if multifactor authentication had been implemented from the start.
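The forwarding rules described above survive a password reset, so the forensic review also has to find and remove them. The following PowerShell is an added example, not part of the original post or of any firm's playbook; it enumerates, for every user mailbox in the tenant, mailbox-level forwarding and inbox rules whose targets lie outside the tenant's own accepted domains. It uses only cmdlets from the ExchangeOnlineManagement module (Connect-ExchangeOnline, Get-AcceptedDomain, Get-Mailbox, Get-InboxRule); the output file name and the Test-ExternalTarget helper are assumptions made for this example.

```powershell
# Added example (not from the original post): hunt for mailbox forwarding and inbox rules
# that send a copy of incoming mail outside the tenant. Requires the ExchangeOnlineManagement
# module and an account with Exchange administrator or Global Reader rights.
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant legitimately owns; any other domain is treated as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalTarget {
    # Helper defined for this example. Rule targets render as
    # "Display Name [SMTP:user@example.com]" for external recipients and
    # "Display Name [EX:/o=.../cn=Recipients/...]" for recipients inside the directory;
    # mailbox-level forwarding renders as "smtp:user@example.com".
    param([string]$Target)
    if ($Target -match '(?i)smtp:([^\]\s]+)') {
        $domain = ($Matches[1] -split '@')[-1]
        return ($internalDomains -notcontains $domain)
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Mailbox-level forwarding (set in OWA options or by an admin) is independent of inbox rules.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalTarget ([string]$mbx.ForwardingSmtpAddress))) {
        [pscustomobject]@{
            Mailbox   = $mbx.UserPrincipalName
            Source    = 'MailboxForwarding'
            Rule      = ''
            Target    = [string]$mbx.ForwardingSmtpAddress
            HidesCopy = -not $mbx.DeliverToMailboxAndForward
        }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $redirects = @($rule.RedirectTo | Where-Object { $_ })
        $targets   = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + $redirects
        foreach ($t in $targets) {
            if ($null -ne $t -and (Test-ExternalTarget ([string]$t))) {
                [pscustomobject]@{
                    Mailbox   = $mbx.UserPrincipalName
                    Source    = 'InboxRule'
                    Rule      = $rule.Name
                    Target    = [string]$t
                    # A rule that deletes the message or redirects instead of forwarding
                    # keeps the victim from ever seeing the real vendor's mail.
                    HidesCopy = [bool]$rule.DeleteMessage -or ($redirects.Count -gt 0)
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\external-forwarding.csv -NoTypeInformation
```

Every hit should be reviewed with the mailbox owner before removal, since some external forwarding is legitimate. To remediate a malicious rule, use Disable-InboxRule or Remove-InboxRule with the -Mailbox and -Identity parameters; to clear mailbox-level forwarding, use Set-Mailbox with -ForwardingSmtpAddress $null. Blocking automatic external forwarding tenant-wide (Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off) removes this technique for future intrusions, and enforcing multifactor authentication, as the post recommends, removes the harvested password as a way in.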

Multifactor authentication continues to be an important part of an organization’s risk management program, including when using O365.


Linn Freedman practices in data privacy and security law, and complex litigation. She is a member of the Business Litigation Group and chairs the firm's Data Privacy and Security Team. She currently serves as general counsel to the Rhode Island Quality Institute. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations, as well as emergency data breach response and mitigation. She counsels clients on state and federal data privacy and security investigations and data breaches. Prior to joining the firm, Linn was a partner at Nixon Peabody, where she served as leader of the firm's Privacy & Data Protection Group. She also served as assistant attorney general and deputy chief of the Civil Division of the Attorney General's Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.