Weird thing on O365 account
-
@Dashrender said in Weird thing on O365 account:
@IRJ said in Weird thing on O365 account:
@Dashrender said in Weird thing on O365 account:
@IRJ said in Weird thing on O365 account:
@coliver said in Weird thing on O365 account:
Pitch them MFA.
Nah. Just set it up, and say its security in place so you wont get hacked again.
No pitch needed, just do it.
I don't have that level of authority, I'm an IT consultant for them, nothing more.
I have a meeting with them tonight (the whole company actually - some training stuff), but in light of this SECOND hack - I'm seriously thinking I ditch all of my current conversation and talk about password managers and 2FA only.
Second hack? Then you didn't do your job the first time.
There is really no discussion. Its a must have and they could lose their Office 365 account otherwise. Their account already has a poor reputation with Microsoft.
It's not a conversation, it's you do this or a drop you as a client
Huh - that's the first time I've ever heard that... Thanks, the ammo is worth while.. I'll let you ya'll know what they say tomorrow.
How do we know that their account has a poor reputation? You can look that up. We've had accounts disabled for poor reputation and never tied to being hacked, always tied to bad employees (yes we fired people.) It's unlikely that they have a bad reputation unless MS told you so.
-
@scottalanmiller said in Weird thing on O365 account:
@IRJ said in Weird thing on O365 account:
Second hack? Then you didn't do your job the first time.
Security is THEIR job, not his. They are the CIO, not him. You can't blame people down the chain for the decision makers making bad decisions.
What world are you living in? This is how 99.99999% of IT lives, getting blamed for other peoples bad decision making.
-
@Dashrender Anybody notify Accounting of these fraudent emails being forwarded to them?
-
@scottalanmiller said in Weird thing on O365 account:
@IRJ said in Weird thing on O365 account:
Second hack? Then you didn't do your job the first time.
Security is THEIR job, not his. They are the CIO, not him. You can't blame people down the chain for the decision makers making bad decisions.
I mean his job is a consultant for IT. MFA isnt really even security at this point, it's common sense. Unsurprisingly without MFA, they were hacked again.
-
@DustinB3403 said in Weird thing on O365 account:
@scottalanmiller said in Weird thing on O365 account:
@IRJ said in Weird thing on O365 account:
Second hack? Then you didn't do your job the first time.
Security is THEIR job, not his. They are the CIO, not him. You can't blame people down the chain for the decision makers making bad decisions.
What world are you living in? This is how 99.99999% of IT lives, getting blamed for other peoples bad decision making.
Sounds like an IT problem to me. They shouldnt need to pay for a security expert to pitch MFA.
-
@scottalanmiller said in Weird thing on O365 account:
@IRJ said in Weird thing on O365 account:
Second hack? Then you didn't do your job the first time.
Security is THEIR job, not his. They are the CIO, not him. You can't blame people down the chain for the decision makers making bad decisions.
Exactly, as I said, I'm just a consultant. I'm not Outsourced IT like Scott sometimes is.
-
@scottalanmiller said in Weird thing on O365 account:
@Dashrender said in Weird thing on O365 account:
@IRJ said in Weird thing on O365 account:
@Dashrender said in Weird thing on O365 account:
@IRJ said in Weird thing on O365 account:
@coliver said in Weird thing on O365 account:
Pitch them MFA.
Nah. Just set it up, and say its security in place so you wont get hacked again.
No pitch needed, just do it.
I don't have that level of authority, I'm an IT consultant for them, nothing more.
I have a meeting with them tonight (the whole company actually - some training stuff), but in light of this SECOND hack - I'm seriously thinking I ditch all of my current conversation and talk about password managers and 2FA only.
Second hack? Then you didn't do your job the first time.
There is really no discussion. Its a must have and they could lose their Office 365 account otherwise. Their account already has a poor reputation with Microsoft.
It's not a conversation, it's you do this or a drop you as a client
Huh - that's the first time I've ever heard that... Thanks, the ammo is worth while.. I'll let you ya'll know what they say tomorrow.
How do we know that their account has a poor reputation? You can look that up. We've had accounts disabled for poor reputation and never tied to being hacked, always tied to bad employees (yes we fired people.) It's unlikely that they have a bad reputation unless MS told you so.
I've never even heard of this bad reputation thing before, so it's good just to know it exists.
-
@Danp said in Weird thing on O365 account:
@Dashrender Anybody notify Accounting of these fraudent emails being forwarded to them?
Actually - the two accounts being forwarded are legit. Only the the send to trash is bad/fake.
-
@DustinB3403 said in Weird thing on O365 account:
@scottalanmiller said in Weird thing on O365 account:
@IRJ said in Weird thing on O365 account:
Second hack? Then you didn't do your job the first time.
Security is THEIR job, not his. They are the CIO, not him. You can't blame people down the chain for the decision makers making bad decisions.
What world are you living in? This is how 99.99999% of IT lives, getting blamed for other peoples bad decision making.
Scott is not wrong - sure that's a huge part of IT's job, but if those who control the purse strings and tell you what you can and cannot enable, that's beyond IT's control.
This particular client has way less than desirable security habits, they have already made several requests that fly in the face of general security, let alone healthcare based security.
All that said - with this fresh in their minds, I will be broaching the topic specifically about 2FA tonight.
-
@IRJ said in Weird thing on O365 account:
@DustinB3403 said in Weird thing on O365 account:
@scottalanmiller said in Weird thing on O365 account:
@IRJ said in Weird thing on O365 account:
Second hack? Then you didn't do your job the first time.
Security is THEIR job, not his. They are the CIO, not him. You can't blame people down the chain for the decision makers making bad decisions.
What world are you living in? This is how 99.99999% of IT lives, getting blamed for other peoples bad decision making.
Sounds like an IT problem to me. They shouldnt need to pay for a security expert to pitch MFA.
That's not the issue. The issue is someone in charge of IT that doesn't listen / care.
-
@Dashrender said in Weird thing on O365 account:
Scott is not wrong - sure that's a huge part of IT's job, but if those who control the purse strings and tell you what you can and cannot enable, that's beyond IT's control.
And at the end of the day, the best sales person in the world can't 100% of the time convince an owner what to do.
-
Nor is it their job. The decision maker is the final IT head, and if IT says not to do something, random "lower" IT people are not responsible.
-
Looks like I still have a problem.
There were two new inbox rules setup from the office IP
cato\1420818006635708417 {"OrganizationName":"my*****.onmicrosoft.com","Parameters":[{"Name":"AlwaysDeleteOutlookRulesBlob","Value":"False"},{"Name":"Force","Value":"False"},{"Name":"Identity","Value":"For all messages from [email protected]"},{"Name":"ForwardTo","Value":"accounting@my*****.com"},{"Name":"From","Value":"[email protected]"},{"Name":"RedirectTo","Value":""},{"Name":"Name","Value":"For all messages from [email protected]"},{"Name":"StopProcessingRules","Value":"True"}],"ResultStatus":"True","ObjectId":"cato\\1420818006635708417","UserKey":"\"NAMPR13A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/my*****.onmicrosoft.com/Rebecca\" on behalf of \"NAMPR13A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/my*****.onmicrosoft.com/cato\"","ExternalAccess":false,"Operation":"Set-InboxRule","OrganizationId":"f4a6ce9d-42d8-4750-ab0d-240837f91b40","ClientIP":"68.226.77.42:23038","Rules":[{"CorrelationId":"d59a8fd4-1272-41ee-9408-86f7bcf72479","CorrelationFlags":"2097152","LogicalOperation":"MailRedirect"}],"Workload":"Exchange","RecordType":1,"OriginatingServer":"CH2PR13MB3766 (15.20.2772.006)","UserId":"\"NAMPR13A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/my*****.onmicrosoft.com/Rebecca\" on behalf of \"NAMPR13A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/my*****.onmicrosoft.com/cato\"","CreationTime":"2020-02-25T21:03:01","Id":"75f85cde-3281-41c4-2ddd-08d7ba361974","UserType":2} cato\For all messages from [email protected] {"OrganizationName":"my*****.onmicrosoft.com","Parameters":[{"Name":"AlwaysDeleteOutlookRulesBlob","Value":"False"},{"Name":"Force","Value":"False"},{"Name":"ForwardTo","Value":"pharmacy@my*****.com"},{"Name":"From","Value":"[email protected]"},{"Name":"Name","Value":"For all messages from [email protected]"},{"Name":"StopProcessingRules","Value":"True"}],"ResultStatus":"True","ObjectId":"cato\\For all messages from [email protected]","UserKey":"\"NAMPR13A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/my*****.onmicrosoft.com/Rebecca\" on behalf of \"NAMPR13A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/my*****.onmicrosoft.com/cato\"","ExternalAccess":false,"Operation":"New-InboxRule","OrganizationId":"f4a6ce9d-42d8-4750-ab0d-240837f91b40","ClientIP":"68.226.77.42:17455","Rules":[{"CorrelationId":"d59a8fd4-1272-41ee-9408-86f7bcf72479","CorrelationFlags":"2097152","LogicalOperation":"MailRedirect"}],"Workload":"Exchange","RecordType":1,"OriginatingServer":"CH2PR13MB3766 (15.20.2772.006)","UserId":"\"NAMPR13A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/my*****.onmicrosoft.com/Rebecca\" on behalf of \"NAMPR13A006.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/my*****.onmicrosoft.com/cato\"","CreationTime":"2020-02-25T21:22:39","Id":"14154050-44ed-4e1e-5c98-08d7ba38d785","UserType":2}
The second one is easy to understand, and I found it in the rules, and I'm waiting on confirmation if it's legit or not (this user had a dozen plus inbox rules like this, most are legit), but I have no idea what that first one is.OK after reading more of the error - the weird almost phone number looking thing is just a wacky name, but the actual rule is seemingly legit.
Both of these are rules just forwarding incoming email to another internal user. Still waiting confirmation that she did this though, and that she did it using a remote session to her work computer.
-
Alright, the user has confirmed that she made changes yesterday, and those change could associate with GMT based time.
Anyone know if the logs are only/mainly in GMT?
-
@Dashrender said in Weird thing on O365 account:
Alright, the user has confirmed that she made changes yesterday, and those change could associate with GMT based time.
Anyone know if the logs are only/mainly in GMT?
Almost all O365 logs are UTC 0 regardless of the timezone of the server or requestor.
-
@Kelly said in Weird thing on O365 account:
@Dashrender said in Weird thing on O365 account:
Alright, the user has confirmed that she made changes yesterday, and those change could associate with GMT based time.
Anyone know if the logs are only/mainly in GMT?
Almost all O365 logs are UTC 0 regardless of the timezone of the server or requestor.
yeah, OK that makes the time line up for when the user added the rules, I'm just curious why it took MS 6 hours to send the noticed of alert?
-
@Dashrender said in Weird thing on O365 account:
@Kelly said in Weird thing on O365 account:
@Dashrender said in Weird thing on O365 account:
Alright, the user has confirmed that she made changes yesterday, and those change could associate with GMT based time.
Anyone know if the logs are only/mainly in GMT?
Almost all O365 logs are UTC 0 regardless of the timezone of the server or requestor.
yeah, OK that makes the time line up for when the user added the rules, I'm just curious why it took MS 6 hours to send the noticed of alert?
They batch some of their processes, so it may have had to wait for the group to run rather than being on demand/occurrence.