Had an office system hacked and I can't find the attack vector

hoorah

Senior member
Dec 8, 2005
My dad gives me a call and says his emails are getting bounced back from his clients as "550 - banned sender, too much spam coming from this address".

There is no trace of anything in his email boxes until today, when one of his clients replied to one of his spam emails and said "No way am I clicking on this link". So from the reply, we got to see the email he was sending out - which included links that went nowhere but were disguised as dropbox folders.

I changed his office365 password and issued him a new (fresh install) laptop, so hopefully he's working on a clean system, but I can't figure out what happened. I don't see any signs of a virus on his old laptop that the problem occurred on. Windows Defender comes up with nothing, I don't see any oddball processes running in Task Manager, and Malwarebytes doesn't find anything either.

If I could click on one of the links he sent out (in a VM) and see what virus it was, I could maybe have a better idea of what to look for, but like I said, the links don't go anywhere (as they likely were hosted on hacked websites that have since cleaned up the infection).

Right now I'm trying to figure out how to track login attempts on office365 by IP address but the feature isn't enabled by default, and I have to learn how to do a bunch of powershell commands to enable it. Frustrating.

sourceninja

Diamond Member
Mar 8, 2005
It probably isn't his machine at all. It's probably just a forged header so the email looks like it is from him.

hoorah

Senior member
Dec 8, 2005
It probably isn't his machine at all. It's probably just a forged header so the email looks like it is from him.

That's what I thought too, until we found out that rules had been enacted in his Outlook settings to auto-delete much of his incoming mail (I assume so he wouldn't see all of the "What the hell is this? You've been hacked!" emails that would inevitably return to him). Everything in his sent and deleted items had also been cleared out.

Furthermore, I found his account in office365 had been flagged for outgoing spam. So it was definitely coming from his account, I'm just not sure if it was his machine (through unauthorized code) or from his email account via compromised web access.
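The auto-delete rules described in this post are the most common trace a mailbox compromise leaves behind, and they can be enumerated and neutralised from Exchange Online PowerShell without touching the laptop at all. The following script is an added example, not something posted in the thread; it assumes the ExchangeOnlineManagement module is installed, and the two UPNs are placeholders. The keyword list and folder names it treats as suspicious are my own choices, not a Microsoft definition.

```powershell
# Added example: hunt for attacker-created inbox rules in an Exchange Online mailbox.
# Assumptions: ExchangeOnlineManagement module installed; $Mailbox and $AdminUpn are placeholders.
param(
    [string]$Mailbox  = 'user@example.com',   # UPN of the affected mailbox (placeholder)
    [string]$AdminUpn = 'admin@example.com'   # admin account used to connect (placeholder)
)

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# -IncludeHidden also returns rules that Outlook's UI does not show.
$rules = Get-InboxRule -Mailbox $Mailbox -IncludeHidden

# A rule is suspicious if it deletes, buries, forwards, or silences mail, or is
# keyed on words that appear in bounce messages and "you've been hacked" replies.
function Test-SuspiciousRule {
    param($Rule)
    $reasons = @()
    if ($Rule.DeleteMessage) { $reasons += 'deletes messages' }
    if ($Rule.MoveToFolder -match 'Deleted Items|RSS|Junk|Archive|Conversation History') {
        $reasons += "moves mail to '$($Rule.MoveToFolder)'"
    }
    $external = @($Rule.ForwardTo; $Rule.ForwardAsAttachmentTo; $Rule.RedirectTo) | Where-Object { $_ }
    if (($external | Measure-Object).Count -gt 0) { $reasons += 'forwards or redirects mail' }
    if ($Rule.MarkAsRead) { $reasons += 'marks mail as read' }
    # Constructed keyword list: terms that show up in bounces and warnings from contacts.
    $keywords = 'hack|spam|bounce|undeliverable|delivery|password|dropbox|suspicious'
    if (($Rule.SubjectContainsWords -match $keywords) -or ($Rule.BodyContainsWords -match $keywords)) {
        $reasons += 'filters on breach-related keywords'
    }
    # Attackers often name rules "." or "," so they are easy to overlook in the UI.
    if (-not $Rule.Name -or $Rule.Name.Trim().Length -le 2) { $reasons += 'empty or near-empty rule name' }
    return $reasons
}

$findings = foreach ($r in $rules) {
    $why = @(Test-SuspiciousRule $r)
    if ($why.Count -gt 0) {
        [pscustomobject]@{
            Name        = $r.Name
            Enabled     = $r.Enabled
            Identity    = $r.Identity
            Why         = ($why -join '; ')
            Description = $r.Description   # human-readable summary of conditions and actions
        }
    }
}

$findings | Format-List

# Preserve evidence before containment: export, then disable (not delete) so the
# rule's conditions survive for the write-up. Remove-InboxRule once documented.
$findings | Export-Csv -Path ".\inboxrules-$($Mailbox.Split('@')[0]).csv" -NoTypeInformation
$findings | Where-Object Enabled | ForEach-Object {
    Disable-InboxRule -Identity $_.Identity -Confirm:$false
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once per affected mailbox. Every rule the script flags is worth a look even if it turns out to be legitimate, because the `Description` field shows exactly what the rule matched and did, which is the evidence you need to decide whether the deleted bounces were the attacker covering tracks.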

sourceninja

Diamond Member
Mar 8, 2005
In addition to the steps you have taken, ensure you audit any approved devices in his O365 account or Application passwords. Possibly turn on MFA as well. New image on the PC + all of that should be a good step.

PliotronX

Diamond Member
Oct 17, 1999
What do the outgoing messages in message tracking in Exchange Admin look like?

Hoober

Diamond Member
Feb 9, 2001
He may have been phished and given up his creds. Easy to go straight through o365 and spam mail unless he has 2FA on the account.

PliotronX

Diamond Member
Oct 17, 1999
Just helped out a user with a 365 account sending out fake Dropbox links to the tune of 200+ messages yesterday. Had the user change her password and enabled that audit logging, it's pretty easy to do but is not retroactive. Hoober's theory sounds plausible so changing the password and enabling MFA like sourceninja mentioned to go a step further ought to prevent it going forward.

Update: as for attack vector, it was likely bots from the other side of the planet as Microsoft requires an Azure Premium subscription for admins to set conditional access (which from other comments does not block authentication attempts before connecting so passwords can still be tried for validity!). It has been requested for two years as a basic setting in 365 but who knows if it'll make it.