Rapid Response to Microsoft 365 Security Incidents

Rapidly detect, contain, and remediate M365 breaches with our Incident Response support to get you back to business faster.

Request assistance


The entry vector

Hackers got access to your Microsoft 365 environment? You are asking yourself how they got in and how to prevent this in the future?

The impact

Next you are wondering what the impact of the attack is: Was any data stolen or were further accounts compromised?

The clean up

Our experts conduct a comprehensive analysis of the incident to provide you with actionable advice on how to remediate the incident and eliminate hacker access.

500+ customers trust our cyber security expertise

Experienced a breach?

Please reach out to our Incident Response hotline at 

  +49 89 890 63 62 61  

or submit a request for immediate assistance:

Get immediate assistance

The challenge: Microsoft 365 identity theft


Cloud identity compromise poses a high risk to enterprise IT. Attackers can exploit various techniques to access user identities without malware or server compromise. Inadequate security configurations and monitoring can make user compromise as simple as extracting reused passwords from publicly available breach data.
Moreover, attackers are increasingly sophisticated, overcoming commonly used Multi-Factor Authentication (MFA) measures like push notifications (Microsoft Authenticator) or Time-Based One-Time Passwords (TOTP). These factors are phished by the attackers using Adversary-in-the-Middle schemes.

Our experts have mastered hundreds of incident response engagements over the last 10 years, from medium-sized businesses to large corporations (DAX40), and have built up a wealth of experience.


The solution: Rapid response to cloud breaches


In the face of a cloud breach, swift and effective action is key. Our priority is to contain the incident and minimize its impact on your operations. We meticulously comb through the various logs in Azure, Entra, M365, O365 and Exchange Online to pinpoint any malicious activity and grasp the full scope of the attack. Here's how we do it:


Containment


Our containment efforts focus on halting the attacker's progress and preventing further damage, ensuring their impact is minimized. We review prior containment measures and enact additional steps if necessary. Whether it's resetting passwords in Entra ID, terminating active sessions, or eliminating persistence techniques like email forwarding or alternative MFA methods, our goal remains steadfast: preventing further damage.


Evidence Acquisition and Analysis

We acquire, correlate and analyze your cloud logs, like O365 activity logs. Suspicious activity on unmanaged devices, anomalous geolocations, or other unusual behavior in the cloud environment – no stone is left unturned. With these attack insights, we implement further containment measures and preempt future risks.


Root Cause Analysis


We conduct thorough assessments to unveil the root cause of the compromise. Phishing attacks often serve as the entry vector for such breaches, prompting us to analyze message traces and audit logs. Our approach extends beyond the obvious, leveraging OSINT techniques and client triage packages. Through this multi-faceted approach, we not only uncover the root cause but also pave the way for effective mitigation strategies. 

The approach

It's evident that facing a cyberattack on your organization isn't a matter of "if" but "when." Attaining cybersecurity readiness demands a fresh approach to detection and response, emphasizing proactive hunting for signs of current or previous compromise.

Reporting the M365 incident


No matter if you are dealing with an M365 incident, an O365 compromise, an Entra incident or a compromised Exchange Online mailbox, your first step is always to alert the HvS IR team via our emergency hotline +49 89 890 63 62 61 or submit a request here.

Our experts will receive your request and take care of all the following steps to guide you through the complete incident response process as fast as possible.

First Response Call


In a first response call we will establish a report about the current situation and collect all the facts necessary to take follow-up actions with the goal of rapidly containing and remediating the incident.

The first response call, including the situation report and the decisions taken, will be documented by HvS so that you can focus on the topics and decisions at hand.

Containment


To minimize further impact, like data loss or reputational damage, quick containment is key. Our experienced incident responders will guide you through all the necessary containment measures.

With prepared checklists and thoroughly tested containment measures, the containment will be implemented in a fast and reliable fashion.

Forensic Analysis


Next is the assessment of the attack by forensic analysis. By acquiring evidence like various types of cloud logs, our forensic experts will assess the entry vector as well as the activities of the attackers.

The gathered intelligence will help us to remediate the incident in the next step and to prevent incidents like this in the future. 

Remediation and Lessons learned


Based on the forensic results we will decide on the necessary remediation measures.

In order to learn from the incident, you will be provided with a thorough report, including a management summary, a detailed timeline, as well as recommendations to prevent incidents like this in the future.

Get immediate assistance

In an emergency, please contact our Incident Response hotline at

  +49 89 890 63 62 61

or use the contact form below:


Request assistance

Details of how we handle your data can be found in our privacy policy.

Your questions answered

After initial detection of the incident, speed is of utmost importance to prevent further damage and impact on your organization, like data loss or reputational damage. In past incidents we have seen exfiltration of emails and SharePoint data, further internal phishing, or even fraud in the six figures, all from a single compromised cloud identity.

Without rapid and adequate containment measures, a small incident quickly develops into a high-impact incident. Hence, contact our IR experts as soon as possible after the initial detection via our emergency hotline +49 89 890 63 62 61 or submit a request here.

Microsoft cloud incidents are usually detected through alerts from the Microsoft Defender suite, foremost Microsoft Entra ID Protection. Typical alerts you might see are:

  • Atypical travel
  • Anomalous Token
  • Suspicious browser
  • Unfamiliar sign-in properties
  • Malicious IP address
  • Suspicious inbox manipulation rules
  • Password spray
  • Impossible travel
  • New country
  • Activity from anonymous IP address
  • Suspicious inbox forwarding
  • Mass Access to Sensitive Files
  • Verified threat actor IP
  • Additional risk detected
  • Anonymous IP address
  • Admin confirmed user compromised
  • Microsoft Entra threat intelligence
  • Possible attempt to access Primary Refresh Token (PRT)
  • Anomalous user activity
  • User reported suspicious activity
  • Suspicious API Traffic
  • Suspicious sending patterns
  • Leaked credentials
  • Microsoft Entra threat intelligence
  • Token issuer anomaly
  • Unusual volume of external file sharing
  • Messages have been delayed

When you see some of these alerts in your environment, take them seriously and initiate response actions immediately.
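The following script is an added example and not HvS tooling. It runs simple triage logic over a few constructed Microsoft 365 records to illustrate three of the patterns this page names: impossible travel between sign-ins, the persistence techniques from the containment section (inbox rules or mailbox settings that forward mail to an external address) and a new MFA method registered shortly after a risky sign-in. The record layout, field names (`params`, `risk`, `lat`/`lon`), the internal domain and the 900 km/h threshold are assumptions made for the example; real data would come from exported Entra sign-in logs and Unified Audit Log records and needs mapping onto these fields.

```python
"""Added triage example over constructed M365 sign-in and audit records (not HvS code)."""
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample data: two sign-ins for alice 40 minutes apart from Munich and Lagos,
# then an externally forwarding inbox rule and a new MFA registration on her account.
SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-02T08:00:00Z", "country": "DE",
     "lat": 48.14, "lon": 11.58, "ip": "203.0.113.10", "risk": "none"},
    {"user": "alice@example.com", "time": "2024-05-02T08:40:00Z", "country": "NG",
     "lat": 6.52, "lon": 3.38, "ip": "198.51.100.7", "risk": "high"},
    {"user": "bob@example.com", "time": "2024-05-02T09:00:00Z", "country": "DE",
     "lat": 52.52, "lon": 13.41, "ip": "203.0.113.20", "risk": "none"},
]
AUDIT = [
    {"user": "alice@example.com", "time": "2024-05-02T08:50:00Z", "operation": "New-InboxRule",
     "params": {"Name": "..", "ForwardTo": "attacker@external-example.net", "DeleteMessage": "True"}},
    {"user": "alice@example.com", "time": "2024-05-02T08:55:00Z",
     "operation": "User registered security info", "params": {"method": "Authenticator app"}},
    {"user": "bob@example.com", "time": "2024-05-02T09:10:00Z", "operation": "Set-InboxRule",
     "params": {"Name": "Newsletters", "MoveToFolder": "Archive"}},
]

INTERNAL_DOMAINS = {"example.com"}          # assumption: the tenant's own mail domain(s)
MAX_PLAUSIBLE_KMH = 900.0                   # assumption: faster than an airliner is "impossible"
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Pairs of consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = {}
    for rec in sorted(signins, key=lambda r: r["time"]):
        by_user.setdefault(rec["user"], []).append(rec)
    findings = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours <= 0 or km / hours > max_kmh:
                findings.append((user, prev["country"], cur["country"], round(km), cur["ip"]))
    return findings


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    return domain not in internal_domains


def external_forwarding(audit, internal_domains=INTERNAL_DOMAINS):
    """Inbox rules or mailbox settings that forward/redirect mail outside the tenant."""
    findings = []
    for ev in audit:
        if ev["operation"] not in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
            continue
        for key in FORWARD_KEYS:
            target = ev["params"].get(key)
            if target and is_external(target, internal_domains):
                deletes = ev["params"].get("DeleteMessage") == "True"   # hides the copies from the victim
                findings.append((ev["user"], ev["operation"], key, target, deletes))
    return findings


def mfa_after_risky_signin(signins, audit, window=timedelta(hours=24)):
    """New authentication methods registered within `window` after a medium/high-risk sign-in."""
    risky = [(s["user"], parse_time(s["time"])) for s in signins if s["risk"] in ("medium", "high")]
    findings = []
    for ev in audit:
        if ev["operation"] != "User registered security info":
            continue
        when = parse_time(ev["time"])
        if any(u == ev["user"] and t <= when <= t + window for u, t in risky):
            findings.append((ev["user"], ev["params"].get("method"), ev["time"]))
    return findings


def triage(signins=SIGNINS, audit=AUDIT):
    return {"impossible_travel": impossible_travel(signins),
            "external_forwarding": external_forwarding(audit),
            "mfa_after_risky_signin": mfa_after_risky_signin(signins, audit)}


if __name__ == "__main__":
    for category, hits in triage().items():
        print(category, hits)
```

Each finding maps directly onto a containment step from the section above: an impossible-travel hit points at sessions to terminate, an external forwarding rule at persistence to remove, and a freshly registered authenticator after a risky sign-in at an alternative MFA method to review before the account is handed back to the user.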

Over the last years many organizations have identified multifactor authentication (MFA) as a very important security measure to protect user accounts.

In the past any MFA method was sufficient to protect an enterprise from most phishing threats. With MFA becoming more and more widespread adversaries have adapted their phishing attacks accordingly.

Today it is common for attackers to use Adversary-in-the-Middle (AitM), also known as Man-in-the-Middle (MitM), phishing websites that can circumvent the protection of non-phishing-resistant MFA methods like SMS tokens, TOTPs or mobile app push notifications.

In both kinds of phishing attack the user is first led to a phishing website and deceived into entering their credentials. In common phishing, the attackers simply save the user's credentials for later use. AitM, the more sophisticated variant, uses a malicious proxy server that hosts the phishing page.

This proxy is used to dynamically forward the login information of the user towards Microsoft in real-time to trigger an authentication process and the corresponding MFA mechanisms.

Depending on the MFA method of the user the phishing page then displays whatever prompt, form or information the real Microsoft page would display to the user. This way the user can complete the MFA process on the phishing page which is then again forwarded to Microsoft by the attacker.

The resulting multifactor authenticated session token is kept by the attacker and not forwarded to the user.

Since most cloud incidents still start with an initial phishing mail, the best way to prevent such incidents is the implementation of multi-factor authentication, including phishing-resistant factors, in combination with a comprehensive awareness campaign.

More Incident Response topics


Successfully build & optimize your Cyber Defense Center! We work with you to develop a customized CDC strategy, improve detection & response and set clear priorities for greater security.

Read more

Find hacker activity before it's too late - with proactive threat hunting and compromise assessments.

Read more