BluePackets
01/03/2024
How are we so good at picking up compromised 365 accounts for our clients? We have a range of health and security checks that we run on a regular basis.
As an example: we check for Multi-Factor Authentication (MFA) failures from foreign locations. Why? Account compromises often come from foreign locations. When attackers first try to log in, they will likely fail if MFA is set up. At this stage, it means they have your username and password. Without monitoring in place, our clients would be none the wiser. Attackers can then sit in the background and try regular logins, waiting for an opportunity such as an MFA reset (for example, when you get a new phone).
By helping our clients get ahead of the curve, we can minimise the risk of an intrusion proceeding.
We are an Australian owned and operated business. Helping other like-minded Australian organisations improve their cyber security posture.
Reach out to us if your organisation needs help getting on the front foot when it comes to cyber security.
23/02/2024
It feels like every day there is an announcement about yet another company that has had its IT systems compromised. It makes big news because these organisations often hold personal and private information on a large number of their clients.
How does this relate to the business world and your 365 environment? Unfortunately, it is very common for large IT software and service providers to also be compromised. When this happens, there is a chance that your end-users might be caught up in the breach. What kind of information is released in a breach? Often key items like usernames, email addresses, and sometimes passwords. Where do these details often end up? Being traded on the so-called "Dark-Web".
Despite the best education of end-users, people will often use the same password across multiple accounts. What happens when one of these accounts is caught up in a breach like the ones above? It can often mean that the attackers effectively have the username and password for many different services (potentially including accounts in your 365 environment!).
There is a chance that usernames and passwords for some of your accounts in your 365 environment may be listed on the dark-web.
How do we help our clients? We have a system that can cross-check email addresses from their organisation against known dark-web lists. This can serve as notice that they have been involved in a data breach, and also as a chance/reminder to change their passwords.
14/02/2024
Your 365 inbox. If I asked you to think about what was in your email inbox right now, you could probably give me a pretty good list. What you probably won't think about is what else that email account has access to, i.e. if you had to 'reset a password via email', what could you reset with your work email account? This could potentially be social media accounts, suppliers' systems, invoicing systems, payroll (and the list goes on!).
The email inboxes of your organisation might both hold sensitive data and give access to external systems. Once the combined value of this is realised, the need to secure it becomes even clearer. "I have Multi-Factor Authentication (MFA) set up", you might say, but will that be enough? MFA is a great help; however, there might be something else lurking underneath.
The other item to be concerned about is what are known as "Email Rules". These typically aren't visible, and they allow you to automatically file and arrange incoming emails based on rules. We have seen numerous instances where these email rules have been used maliciously by an attacker to forward incoming email to an external email address that the attacker controls.
What does this mean? Potentially that all your incoming email could be forwarded to a hostile email address, allowing an attacker to read all new email and also potentially use this to reset access to third-party systems. Once in place, this type of rule will survive password resets and MFA.
How do we deal with this? We have a system that can report on existing rules that contain a forwarder rule. This same solution can also alert for new rules that have been added. How does this help? This greatly reduces the time to discovery. Addressing the situation earlier allows for a significant reduction in risk.
Interested in further information? We can assist, please make contact with our friendly team.
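The forwarding-rule report and new-rule alert described in the 14/02/2024 post can be sketched as follows. This is an added example, not BluePackets' own system: it assumes inbox rules have already been exported per mailbox in the shape of Microsoft Graph `messageRule` objects, and the mailboxes, domains, rule ids and function names are constructed for illustration.

```python
import json

# Constructed sample export: inbox rules per mailbox, Graph messageRule shape.
SAMPLE_RULES = json.loads("""
{
  "alice@example.com.au": [
    {"id": "r1", "displayName": "File newsletters", "isEnabled": true,
     "actions": {"moveToFolder": "folder-id-1"}},
    {"id": "r2", "displayName": ".", "isEnabled": true,
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mailbox.example.net"}}],
                 "markAsRead": true}}
  ],
  "bob@example.com.au": [
    {"id": "r3", "displayName": "Copy to assistant", "isEnabled": true,
     "actions": {"redirectTo": [{"emailAddress": {"address": "carol@example.com.au"}}]}}
  ]
}
""")

# Rule actions that send a copy of incoming mail somewhere else.
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

def forwarding_rules(rules_by_mailbox, internal_domains):
    """Report every rule that forwards or redirects mail, noting external targets."""
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            actions = rule.get("actions") or {}
            targets = sorted(
                r["emailAddress"]["address"].lower()
                for key in FORWARD_ACTIONS
                for r in actions.get(key) or []
            )
            if not targets:
                continue  # ordinary filing rule, nothing leaves the mailbox
            external = [t for t in targets
                        if t.rsplit("@", 1)[-1] not in internal_domains]
            findings.append({"mailbox": mailbox, "rule_id": rule["id"],
                             "name": rule.get("displayName", ""),
                             "enabled": rule.get("isEnabled", False),
                             "targets": targets, "external": external})
    return findings

def new_findings(findings, baseline_keys):
    """Alert set: forwarding rules whose (mailbox, rule_id) was absent last run."""
    return [f for f in findings
            if (f["mailbox"], f["rule_id"]) not in baseline_keys]
```

Running `forwarding_rules` on a schedule and passing the previous run's `(mailbox, rule_id)` pairs to `new_findings` gives both the standing report and the new-rule alert; findings with a non-empty `external` list are the ones to review first.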
Contact the organization
Address
Canberra, ACT
2609
Opening Hours
| Monday | 8:30am - 5:30am |
| Tuesday | 8:30am - 5:30pm |
| Wednesday | 8:30am - 5:30pm |
| Thursday | 8:30am - 5:30pm |
| Friday | 8:30am - 5:30pm |