Last Updated: 09/12/2019
I have been asked a few times now what to do when an Office365 account is compromised, and seeing as bad actors these days spend more time signing in with stolen credentials than breaking in, it makes sense to know some tricks and tips for when an account looks suspicious or is compromised.
Sign out of ALL sessions
The first thing to understand is that when a user is logged into Office365 they are consuming multiple services which use tokens for authentication. Tokens save users from logging in every time they click on a different service (Exchange, SharePoint, OneDrive etc.), so they effectively leave users logged in. If a user’s machine is compromised by malware then chances are the attacker can leverage these tokens to access Office365 services as that user. In this case we need to kill the sessions and revoke the tokens being used to ensure that bad actors are locked out.
We can initiate a sign out of a user that will end any active session; this can be done from the Office365 Admin portal GUI.
Within the Admin Center, if we locate the compromised user and navigate to the OneDrive tab we can initiate a sign out, which will sign the user out from all active sessions within Office365 (I am not sure why this is under OneDrive, but it should sign the user out of everything Microsoft based). Before doing this it is recommended to block user sign in; the step after it would be to change the user’s password.
Using PowerShell to revoke tokens from Azure AD
However, if Azure AD is being used for more than just Microsoft services (single sign on for Azure AD applications) then the sign out method above will not work for those additional applications. In order to kill the sessions and revoke the tokens we will need to use PowerShell. If you haven’t done so already, install the AzureAD PowerShell module; you can run the following command without admin access to install the module to your local profile:
Install-Module AzureAD -Scope CurrentUser
Once you have the module installed, connect to Azure AD using your credentials. Make sure you have User Management Administrator access to run the revoke command. You can log into Azure AD by running the following command and entering your credentials:
Once you are connected, find the user whose access tokens you want to revoke; you can use the following command example to find the user:
Get-AzureADUser -SearchString firstname.lastname@example.org
Once you have confirmed the user, pipe this command into the revoke command. It will look something like this:
Get-AzureADUser -SearchString email@example.com | Revoke-AzureADUserAllRefreshToken
The following image shows me running this against my demo tenant of Office365 for the user: Adele
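The steps above, carried through end to end, as an added example that is not part of the original post: it blocks sign-in first (as the post recommends) and then revokes the tokens with the AzureAD module. The user principal name is a constructed placeholder, and it assumes the AzureAD module is installed and the account running it holds the User Administrator role. It resolves the user with `-ObjectId` (which accepts a UPN) instead of `-SearchString`, because `-SearchString` is a prefix match that can return several users, and piping more than one account into the revoke command would revoke tokens for all of them.

```powershell
# Added example (not from the original post): block sign-in and revoke
# all refresh tokens for one Azure AD user with the AzureAD module.
# Assumes the AzureAD module is installed (Install-Module AzureAD) and
# that the signed-in admin holds the User Administrator role.

$Upn = 'adele.vance@contoso.example'   # constructed placeholder, replace with the real user

# Interactive sign-in to Azure AD (prompts for credentials / MFA).
Connect-AzureAD | Out-Null

# Resolve the user by UPN. -ObjectId accepts either an object ID or a UPN,
# so unlike -SearchString (a prefix match that can return several users)
# this returns exactly one account or throws.
$user = Get-AzureADUser -ObjectId $Upn
Write-Host "Target: $($user.DisplayName) <$($user.UserPrincipalName)> ($($user.ObjectId))"

# 1. Block sign-in first, so the attacker cannot simply obtain new tokens
#    after the revoke below.
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

# 2. Invalidate every refresh token and session cookie issued to the user.
#    Already-issued access tokens stay valid until they expire (by default
#    about an hour), which is another reason to keep the account blocked
#    for now rather than relying on the revoke alone.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 3. Confirm the result. RefreshTokensValidFromDateTime moves to "now";
#    any refresh token issued before that timestamp is rejected.
Get-AzureADUser -ObjectId $user.ObjectId |
    Select-Object UserPrincipalName, AccountEnabled, RefreshTokensValidFromDateTime
```

Run it from a normal PowerShell window after `Install-Module AzureAD -Scope CurrentUser`; the final `Select-Object` is the check that the revoke actually took effect, and `AccountEnabled` should read `False` until you have reset the password and are ready to re-enable the user.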
Other Actions to Consider
As mentioned above, disable the user account while you run these actions. This can be done from the Office365 Admin Portal User Management screen:
Blocking the user removes their ability to log in, and this goes for the bad actor too.
After you have disabled the user and revoked the session tokens, it is then a good idea to change the user’s password. If you are using AD Connect with Password Sync, ensure that the password change has synced up before re-enabling the user account.
Enabling MFA, if possible, should also be an option; ensure that the user themselves enrolls into MFA (if the attacker can still log in, they can enroll their own phone, rendering MFA useless). If you already have MFA enabled then it is worth checking the enrolled devices of the user to see if any additional devices have been set up (as the bad actor may have added a device or factor of their own). You can always force the user to re-register with MFA, however this needs to be done in the Azure AD Portal. Navigate to the ‘Users’ section, select the user in question and then select ‘Authentication Methods’ to force a reset.
If the user account has any administrator access, then make sure these roles are removed; they can be reinstated when it is confirmed that the bad actor no longer has access to the account.
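An added example (not from the original post) for the two checks just described: listing the MFA factors and devices registered on the account so an unfamiliar one stands out, and enumerating and removing the directory roles the account holds. It assumes the AzureAD and MSOnline modules are installed and already connected (`Connect-AzureAD`, `Connect-MsolService`); the UPN is a constructed placeholder.

```powershell
# Added example (not from the original post): review the MFA registrations
# and directory roles of a compromised user, then strip the roles.
# Assumes the AzureAD and MSOnline modules are installed and an existing
# Connect-AzureAD / Connect-MsolService session.

$Upn = 'adele.vance@contoso.example'   # constructed placeholder

# --- MFA: which factors are registered, and does every device/number belong to the user? ---
$msol = Get-MsolUser -UserPrincipalName $Upn

# Registered factors and which one is the default.
$msol.StrongAuthenticationMethods |
    Select-Object MethodType, IsDefault | Format-Table -AutoSize

# Authenticator app registrations: an unknown DeviceName here is a red flag.
$msol.StrongAuthenticationPhoneAppDetails |
    Select-Object DeviceName, AuthenticationType, DeviceTag | Format-Table -AutoSize

# Phone numbers and e-mail used for calls/SMS/self-service reset.
$msol.StrongAuthenticationUserDetails |
    Select-Object PhoneNumber, AlternativePhoneNumber, Email | Format-List

# Clearing the registered methods forces re-registration at the next sign-in
# (the PowerShell equivalent of the portal reset described above). Only do
# this once sign-in is blocked and tokens are revoked, so the attacker cannot
# be the one who re-enrolls.
# Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationMethods @()

# --- Directory roles: every activated role the user is a member of ---
$user = Get-AzureADUser -ObjectId $Upn
$roles = Get-AzureADDirectoryRole | Where-Object {
    Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId |
        Where-Object { $_.ObjectId -eq $user.ObjectId }
}
$roles | Select-Object DisplayName, ObjectId | Format-Table -AutoSize

# Remove the user from each role and record what was removed, so the
# roles can be reinstated once the account is confirmed clean.
foreach ($role in $roles) {
    Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
    Write-Host "Removed $Upn from role '$($role.DisplayName)'"
}
```

Two caveats worth knowing: `Get-AzureADDirectoryRole` only returns roles that have been activated in the tenant and only shows permanent (active) members, so eligible assignments made through Privileged Identity Management and Azure subscription RBAC roles need to be reviewed separately; and the `Set-MsolUser` line is left commented out deliberately because it is destructive and only makes sense after the containment steps earlier in the post.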
Do a quick check of mail rules, mailbox delegates and shared mailboxes that the user has access to in Exchange Online, and look out for forwarding rules (the bad actor might be siphoning data this way). It is also suggested to put the user’s mailbox on litigation hold so the emails are preserved. You can view and configure most of these options on the User Management screen in the Office365 Admin Center, under the ‘Mail’ tab. All other configuration will need to be done from the Exchange Online Admin Center.
If the user has permissions to invite other users into SharePoint sites then make sure this is reviewed, as the bad actor may have invited another account in to gain a further foothold.
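The mailbox and SharePoint review from the last two paragraphs, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module (`Connect-ExchangeOnline`) and, for the final step, the SharePoint Online module (`Connect-SPOService`); the UPN and the tenant admin URL are constructed placeholders, and the `InvitedBy` filter on the external-user output is an assumption about that cmdlet's output. It goes slightly beyond the text by also catching rules that redirect, delete or move mail, since those are used for the same purpose as a forwarding rule.

```powershell
# Added example (not from the original post): look for the mailbox-level
# persistence an intruder typically leaves behind, preserve the mailbox,
# and list the external users this account invited into SharePoint.
# Assumes the ExchangeOnlineManagement module and the SharePoint Online
# management module are installed.

$Upn = 'adele.vance@contoso.example'   # constructed placeholder

Connect-ExchangeOnline | Out-Null

# 1. Inbox rules that forward, redirect, delete or file mail away. The
#    Description property renders the rule in plain English, which helps
#    when the rule name is blank or deliberately misleading.
Get-InboxRule -Mailbox $Upn |
    Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
        $_.DeleteMessage -or $_.MoveToFolder
    } |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, Description |
    Format-List

# 2. Mailbox-level forwarding (set via the admin center or Set-Mailbox),
#    which does not appear as an inbox rule at all.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Delegates on this mailbox: Full Access, Send As and Send on Behalf,
#    excluding the built-in self/system entries.
Get-MailboxPermission -Identity $Upn |
    Where-Object { $_.User -notlike 'NT AUTHORITY\*' -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, AccessRights
(Get-Mailbox -Identity $Upn).GrantSendOnBehalfTo

# 4. Shared mailboxes this user can open (the attacker's reach beyond the
#    user's own mailbox).
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Get-MailboxPermission -User $Upn |
    Select-Object Identity, AccessRights

# 5. Preserve the mailbox contents before any cleanup. Litigation hold
#    requires an Exchange Online Plan 2 or Exchange Online Archiving licence.
Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true

# 6. External (guest) users this account invited into SharePoint / OneDrive.
#    The InvitedBy property filter is an assumption about the cmdlet output.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # constructed placeholder
Get-SPOExternalUser -PageSize 50 |
    Where-Object { $_.InvitedBy -eq $Upn } |
    Select-Object Email, DisplayName, AcceptedAs, WhenCreated
```

Rather than deleting suspicious rules or permissions as you find them, export this output first (for example with `Export-Csv`) so that there is a record of what the attacker configured; `Remove-InboxRule` and `Remove-MailboxPermission` can then be run against the specific entries once the hold is in place.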
While a shorter article than most of the others I have written, I hope this information proves useful should you find a compromised or even suspicious account. It is always worth reviewing the processes that you have internally to factor in steps like the above, so that should an account be compromised you have a structured way of investigating, containing and remediating breaches like this.
The general order of the steps above would be:
- Disable User Account
- Sign Out of all sessions and revoke tokens
- Switch Mailbox to Litigation Hold
- Check Email and SharePoint permissions and rules
- Revoke any admin access or special/privileged permissions
- Reset Password (Ensure that this is synced across if using AD Connect)
- Enable MFA and enroll with the User
- Re-enable the user account
- Monitor Activity on the Account
- Reinstate permissions and access
Additional things to also consider:
- Use Conditional Access to scope down access to resources based on conditions, e.g. the user needs to log in from a corporate IP address range.
- Use Intune to further enhance the conditions in Conditional Access, e.g. the user needs a corporate and compliant device to gain access to resources.
- Use Password Protection to ban certain passwords that might be easily guessable.
- Block legacy authentication and move toward using modern authentication for Office365 and Azure AD Apps.
Some of the above points, however, will require Azure Active Directory Premium, which is an additional cost on top of Office365. Microsoft has also published an article with steps to increase identity security.
If you have any other methods, tricks or tips on how to deal with a compromised account, please feel free to comment!