Microsoft 365
If a Microsoft 365 user account is compromised, it's important to take immediate action. The following steps can be taken during the containment phase:
Quick Steps
- Disable the user account(s).
- Reset the account password.
- Revoke Azure AD refresh tokens. This ensures all established sessions are required to re-authenticate with the new password.
- Use Microsoft 365 audit searches to determine what the attacker did with the access.
- Enable Multi-Factor Authentication, if not already enabled.
- Remove any ActiveSync/MDM-managed devices associated with the account.
- Remove any mailbox permissions and delegations.
- Download the Azure sign-ins.
- Is legacy authentication enabled? If so, disable legacy authentication.
- Check for email forwarding rules.
- Revoke any OneDrive/SharePoint external shares created by the user. This is a great way for an attacker to exfiltrate data.
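The Quick Steps above as one containment script is an added example, not code from the original page. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds the admin roles those cmdlets require, and that `$Upn` and the `C:\temp` output path are placeholders you replace. It exports evidence (sign-ins, devices, permissions, rules) before removing anything, because the removal steps destroy what the investigation later needs. MFA enforcement and revoking OneDrive/SharePoint shares are left to Conditional Access and the SharePoint admin tooling and are not scripted here.

```powershell
# Added example (not from the original page): contain one compromised Microsoft 365 account.
# Assumes Microsoft.Graph and ExchangeOnlineManagement are installed. $Upn is a placeholder.
param(
    [Parameter(Mandatory)][string]$Upn,                        # e.g. "user@example.com" (placeholder)
    [string]$OutDir = "C:\temp\ir-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All", "Directory.Read.All"
Connect-ExchangeOnline

# 1. Export Azure AD sign-ins first: evidence before anything else changes state.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -All |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Export-Csv -Path (Join-Path $OutDir "signins.csv") -NoTypeInformation

# 2. Disable the account and reset the password to a random value the attacker cannot know.
Update-MgUser -UserId $Upn -AccountEnabled:$false
$newPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }

# 3. Revoke refresh tokens so every existing session has to re-authenticate with the new password.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 4. ActiveSync/MDM devices: record them, then remove the partnerships.
$devices = Get-MobileDevice -Mailbox $Upn
$devices | Select-Object DeviceId, DeviceType, DeviceModel, FirstSyncTime, WhenChanged |
    Export-Csv -Path (Join-Path $OutDir "mobile-devices.csv") -NoTypeInformation
$devices | Remove-MobileDevice -Confirm:$false

# 5. Mailbox permissions and delegations (explicit, non-inherited grants) and Send-As rights.
$delegates = Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" }
$delegates | Export-Csv -Path (Join-Path $OutDir "mailbox-permissions.csv") -NoTypeInformation
foreach ($d in $delegates) {
    Remove-MailboxPermission -Identity $Upn -User $d.User -AccessRights $d.AccessRights -Confirm:$false
}
$sendAs = Get-RecipientPermission -Identity $Upn | Where-Object { $_.Trustee -ne "NT AUTHORITY\SELF" }
$sendAs | Export-Csv -Path (Join-Path $OutDir "sendas-permissions.csv") -NoTypeInformation
foreach ($s in $sendAs) {
    Remove-RecipientPermission -Identity $Upn -Trustee $s.Trustee -AccessRights SendAs -Confirm:$false
}

# 6. Mailbox-level forwarding and any inbox rule that forwards or redirects mail.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    $mbx | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
        Export-Csv -Path (Join-Path $OutDir "mailbox-forwarding.csv") -NoTypeInformation
    Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
}
$rules = Get-InboxRule -Mailbox $Upn
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder |
    Export-Csv -Path (Join-Path $OutDir "inbox-rules.csv") -NoTypeInformation
$rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    ForEach-Object { Disable-InboxRule -Identity $_.Identity -Confirm:$false }

# 7. Legacy authentication on this mailbox: turn off the basic-auth protocols.
Set-CASMailbox -Identity $Upn -PopEnabled $false -ImapEnabled $false `
    -SmtpClientAuthenticationDisabled $true -ActiveSyncEnabled $false

Write-Host "[+] Containment actions for $Upn completed; evidence written to $OutDir" -ForegroundColor Green
```

Run it once per compromised account; the exported CSVs in `$OutDir` are what the audit-search and Hawk steps later build on. The account stays disabled until the investigation clears it; re-enabling is a deliberate separate action (`Update-MgUser -UserId $Upn -AccountEnabled:$true`).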
Check for email forwarding rules
Check for the existence of any email forwarding rules with PowerShell.
1. Connect to Exchange Online.
2. Use the following script to export all existing mailbox forwarding rules. The rules are exported to C:\temp\externalrules.csv.
try {
    Write-Host "[*] Checking if there is already a connection with Exchange Online..."
    $GetSessions = Get-PSSession | Select-Object -Property State, Name
    $IsConnected = (@($GetSessions) -like '@{State=Opened; Name=ExchangeOnlineInternalSession*').Count -gt 0
    if (-not $IsConnected) {
        Write-Host "[*] Connect to Exchange Online..."
        Connect-ExchangeOnline
    } else {
        Write-Host "[+] There is already a connection with Exchange Online. Script is using existing connection." -ForegroundColor Green
    }
}
catch {
    $Error.Clear()
    $ErrorMessage = $_.Exception.Message
    Write-Host $ErrorMessage -ForegroundColor Red
    break
}
Write-Host "[+] Successfully connected to Exchange Online" -ForegroundColor Green

# Mailboxes to scan, and the tenant's own domains so external recipients can be told apart.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$domains   = Get-AcceptedDomain

foreach ($mailbox in $mailboxes) {
    $forwardingRules = $null
    Write-Host "Checking rules for $($mailbox.DisplayName) - $($mailbox.PrimarySmtpAddress)" -ForegroundColor Green
    $rules = Get-InboxRule -Mailbox $mailbox.PrimarySmtpAddress
    # Only rules that forward (inline or as attachment) matter here.
    $forwardingRules = $rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo }
    foreach ($rule in $forwardingRules) {
        $recipients = @()
        $recipients = $rule.ForwardTo | Where-Object { $_ -match "SMTP" }
        $recipients += $rule.ForwardAsAttachmentTo | Where-Object { $_ -match "SMTP" }
        $externalRecipients = @()
        foreach ($recipient in $recipients) {
            # Recipient strings look like "Name [SMTP:user@domain]"; pull out the address.
            $email = ($recipient -split "SMTP:")[1].Trim("]")
            $domain = ($email -split "@")[1]
            if ($domains.DomainName -notcontains $domain) {
                $externalRecipients += $email
            }
        }
        if ($externalRecipients) {
            $extRecString = $externalRecipients -join ", "
            Write-Host "$($rule.Name) forwards to $extRecString" -ForegroundColor Yellow
            $ruleHash = $null
            $ruleHash = [ordered]@{
                PrimarySmtpAddress = $mailbox.PrimarySmtpAddress
                DisplayName        = $mailbox.DisplayName
                RuleId             = $rule.Identity
                RuleName           = $rule.Name
                RuleDescription    = $rule.Description
                ExternalRecipients = $extRecString
            }
            $ruleObject = New-Object PSObject -Property $ruleHash
            $ruleObject | Export-Csv C:\temp\externalrules.csv -NoTypeInformation -Append
        }
    }
}
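The forwarding-rule export above only shows the current state of the mailboxes. The Quick Steps also call for Microsoft 365 audit searches to establish what the attacker actually did with the access, including rules they created and later removed and any OneDrive/SharePoint sharing they set up. The script below is an added example, not code from the original page: it pulls the unified audit log for one account over a configurable window with `Search-UnifiedAuditLog`, flattens each record's `AuditData` JSON, writes everything to CSV and prints a summary of the operations an analyst usually looks at first. `$Upn` and the `C:\temp` path are placeholders; the operation names are the ones Microsoft 365 records in the audit log.

```powershell
# Added example (not from the original page): pull the unified audit log for one account
# and summarise the operations that matter in a compromised-account investigation.
# Assumes an existing Exchange Online session (Connect-ExchangeOnline). $Upn is a placeholder.
param(
    [Parameter(Mandatory)][string]$Upn,          # e.g. "user@example.com" (placeholder)
    [int]$DaysBack = 30,
    [string]$OutCsv = "C:\temp\audit-$($Upn -replace '[^\w.-]', '_').csv"
)
$start     = (Get-Date).AddDays(-$DaysBack)
$end       = Get-Date
$sessionId = "ir-" + [guid]::NewGuid().ToString()

# Page through the log: with ReturnLargeSet each call returns the next page for the same
# session id, and an empty result means the set is exhausted.
$raw = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $raw += $page }
} while ($page)

# Flatten each record: the interesting fields live inside the AuditData JSON blob.
$records = foreach ($r in $raw) {
    $d = $r.AuditData | ConvertFrom-Json
    $detail = switch -Regex ($r.Operations) {
        # Cmdlet-style Exchange operations carry a Parameters array (name/value pairs).
        '^(New|Set|Remove)-InboxRule$|^Set-Mailbox$|^Add-(Mailbox|Recipient)Permission$' {
            ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
        # SharePoint/OneDrive sharing: what was shared and with whom.
        'Sharing|SecureLink|AnonymousLink' { "$($d.ObjectId) -> $($d.TargetUserOrGroupName)" }
        default { $d.ObjectId }
    }
    [pscustomobject]@{
        Time       = $r.CreationDate
        Workload   = $d.Workload
        Operation  = $r.Operations
        ClientIP   = $d.ClientIP
        UserAgent  = $d.UserAgent
        Detail     = $detail
    }
}
$records | Sort-Object Time | Export-Csv -Path $OutCsv -NoTypeInformation

# Operations worth reading first: rule and delegation changes, external sharing,
# OAuth consent grants, and the sign-ins that bracket them.
$triageOps = @(
    'New-InboxRule', 'Set-InboxRule', 'Remove-InboxRule', 'UpdateInboxRules', 'Set-Mailbox',
    'Add-MailboxPermission', 'Add-RecipientPermission',
    'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated', 'SecureLinkCreated', 'AddedToSecureLink',
    'Consent to application.', 'Add app role assignment grant to user.',
    'UserLoggedIn', 'MailItemsAccessed'
)
Write-Host "[*] $($records.Count) audit records for $Upn in the last $DaysBack days (written to $OutCsv)"
$records | Group-Object Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$records | Where-Object { $triageOps -contains $_.Operation } | Sort-Object Time |
    Format-Table Time, Workload, Operation, ClientIP, Detail -AutoSize -Wrap

# Distinct source IPs across the window: a quick way to spot activity from unexpected locations.
$records | Where-Object ClientIP | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Audit records are written with some delay and the default retention is limited, so run this as early in the containment as possible and keep the CSV with the other evidence. The `UpdateInboxRules` operation comes from Outlook and OWA clients and stores its rule details differently from the PowerShell cmdlet operations; its `Detail` column here falls back to the object id, so open those records in the CSV to see the full `AuditData`.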
Run PowerShell Hawk Module
Hawk provides limited analysis of the gathered data. This is by design. Hawk is there to help get all of the data into a single place; it is not designed to draw any significant conclusions about that data. This is intentional, since it is impossible for the tool to know enough about your environment, or about what you are concerned about, to make a legitimate analysis of the data.
Hawk's goal is to quickly get you the data that is needed to come to a conclusion, not to make the conclusion for you. The exported data is structured in a way that helps analysts quickly triage known malicious Indicators of Compromise (IOCs), but again this is not an exhaustive list.