Upon detection of a breach it is crucial to have a clear mitigation strategy rather than having to work out on the spot everything you must disable or change. Every organization should have its own strategy that considers all of its data sources, but it is always good to have somewhere to start. In our scenario a user's Office365 account has been compromised, and that account is synced from the on-premises Active Directory. Here is the list of steps I would take:
Step 1: Block Sign in on Office365 – This immediately stops new web sign-ins through Office365. It does not end sessions that are already established; that is what Step 4 is for.
Step 2: Disable AD Account – In our example passwords are synced between on-premises AD and 365, so it is important to recognize that these are the same credential. Disabling the AD account protects every system where that credential is used, not just the cloud.
Step 3: Extract information – Using the Audit Log feature within the Office365 Security and Compliance Center, export the log for the account now, before remediation overwrites the attacker's changes, and analyze it after containment. It can point to where the breach came from and provides useful information for protecting against and preventing these sorts of incidents in future.
Step 4: Log out everywhere / revoke refresh tokens – You can achieve this in Office365 with the Azure AD PowerShell cmdlet:
Revoke-AzureADUserAllRefreshToken -ObjectId $UserUPN
This forces every signed-in application to obtain new tokens, which it cannot do while the account is blocked. Note that access tokens already issued remain valid until they expire (by default up to an hour), so run this as early as possible.
Step 5: Enable MFA – MFA is included with Office365 and is widely under-used. Once an account has been breached I treat it as higher risk going forward, so it is essential to have as much protection covering it as possible.
Step 6: The Exchange Stuff – One of the most common things we see after an account breach is a subtler follow-on attack: the attacker adds delegate permissions on the victim's mailbox or sets up rules that forward email externally, which survive a password reset. We can clean these off by running the following in Exchange Online PowerShell (and we enable mailbox auditing for analysis going forward):
# Remove any non-inherited delegate permissions the attacker may have granted (the SELF entry is the owner's own access)
$mailboxDelegates = Get-MailboxPermission -Identity $UPN | Where-Object { (-not $_.IsInherited) -and ($_.User -notlike "*SELF*") }
foreach ($delegate in $mailboxDelegates)
{
    Remove-MailboxPermission -Identity $UPN -User $delegate.User -AccessRights $delegate.AccessRights -InheritanceType All -Confirm:$false
}
# Clear mailbox-level forwarding: both the internal recipient (ForwardingAddress) and the external SMTP address
Set-Mailbox -Identity $UPN -DeliverToMailboxAndForward $false -ForwardingAddress $null -ForwardingSmtpAddress $null -WarningAction:SilentlyContinue
# Remove inbox rules that forward or redirect mail; these are the usual persistence mechanism and are not touched by a password reset
Get-InboxRule -Mailbox $UPN | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } | ForEach-Object { Remove-InboxRule -Mailbox $UPN -Identity $_.Identity -Confirm:$false }
# Turn on mailbox auditing and keep a year of entries for the analysis step
Set-Mailbox -Identity $UPN -AuditEnabled:$true -AuditLogAgeLimit 365 -WarningAction:SilentlyContinue
Step 7: Get the user back online – Reset the AD password (which syncs to the cloud), re-enable the accounts, and walk the user through setting up their MFA once they are signed in. They can then resume business as usual and we can get on with analyzing the breach.
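The containment steps above, pulled together into one script. This is an added example, not the original post's script: it assumes the AzureAD, ActiveDirectory and ExchangeOnlineManagement modules are installed and that you have already run Connect-AzureAD and Connect-ExchangeOnline with sufficient rights. $Upn and $SamAccountName are placeholder values for the compromised user; the audit export is pulled before any cleanup so the attacker's own changes are preserved as evidence, and suspicious inbox rules are disabled rather than deleted for the same reason.

```powershell
# Added example (not from the original post): containment of a compromised,
# AD-synced Office 365 user. Assumes AzureAD, ActiveDirectory and
# ExchangeOnlineManagement modules, with Connect-AzureAD and
# Connect-ExchangeOnline already done. $Upn/$SamAccountName are placeholders.
param(
    [Parameter(Mandatory)] [string]$Upn,             # e.g. jane.doe@contoso.com (placeholder)
    [Parameter(Mandatory)] [string]$SamAccountName,  # e.g. jane.doe (placeholder)
    [string]$ExportPath = ".\$($Upn -replace '[@.]','_')-audit.csv"
)

# Step 1: block cloud sign-in. Existing sessions are not ended by this alone.
Set-AzureADUser -ObjectId $Upn -AccountEnabled $false

# Step 2: disable the on-premises account; for a synced user this is the
# source of truth for the credential and covers on-prem systems as well.
Disable-ADAccount -Identity $SamAccountName

# Step 3: export the last 30 days of unified audit log for this user BEFORE
# cleanup, so the attacker's rule/forwarding changes survive as evidence.
$auditRecords = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $Upn -ResultSize 5000
$auditRecords | Select-Object CreationDate, Operations, AuditData |
    Export-Csv -Path $ExportPath -NoTypeInformation

# Step 4: revoke refresh tokens. Already-issued access tokens stay valid until
# they expire (up to an hour by default), so this is done early.
Revoke-AzureADUserAllRefreshToken -ObjectId $Upn

# Step 6: strip non-inherited delegates the attacker may have added.
Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -notlike '*SELF*' } |
    ForEach-Object {
        Remove-MailboxPermission -Identity $Upn -User $_.User -AccessRights $_.AccessRights `
            -InheritanceType All -Confirm:$false
    }

# Clear mailbox-level forwarding, both internal (ForwardingAddress) and
# external SMTP (ForwardingSmtpAddress).
Set-Mailbox -Identity $Upn -DeliverToMailboxAndForward $false -ForwardingAddress $null `
    -ForwardingSmtpAddress $null -WarningAction SilentlyContinue

# Inbox rules are the usual persistence trick: disable (keep as evidence) any
# rule that forwards, redirects or silently deletes mail.
Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
} | ForEach-Object {
    Write-Warning "Disabling suspicious inbox rule '$($_.Name)'"
    Disable-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false
}

# Mailbox auditing with a year of retention for the follow-up analysis.
Set-Mailbox -Identity $Upn -AuditEnabled $true -AuditLogAgeLimit 365 -WarningAction SilentlyContinue

# Step 7: reset the on-prem password (synced to the cloud), force a change at
# next logon, then re-enable. The temporary password is handed over out-of-band.
$newPassword = Read-Host -AsSecureString -Prompt "Temporary password for $Upn"
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $newPassword
Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
Enable-ADAccount -Identity $SamAccountName
Set-AzureADUser -ObjectId $Upn -AccountEnabled $true
```

Step 5 (MFA) is deliberately not scripted here: enforce it through Conditional Access or the per-user MFA settings in the portal before the user signs back in. The AzureAD module is being retired in favour of Microsoft Graph PowerShell, where the sign-in block and token revocation are Update-MgUser -AccountEnabled:$false and Revoke-MgUserSignInSession respectively.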
Step 8: Analysis – Wading through sheets of IP addresses and actions is tedious, but it is important to understand when the attack happened and what was done with the compromised account. The audit log shows exactly when and from which IP the account was accessed, as well as telltale actions such as setting up an external forward or a new inbox rule.
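A small triage function for that analysis, added here as an example and not part of the original post. It takes records in the shape Search-UnifiedAuditLog returns (or its CSV export), parses the AuditData JSON, and produces two views: sign-in sources with first/last seen and count per IP, so an unfamiliar address stands out, and a timeline of mailbox tampering operations (the rule and forwarding changes Step 6 cleans up). The five records at the bottom are constructed sample data with documentation IP ranges and a placeholder user, so the script runs offline.

```powershell
# Added example (not from the original post): triage of unified audit log
# records. The $sample records below are constructed, not real tenant data.
function Get-CompromiseTimeline {
    param([Parameter(Mandatory)] [object[]]$Records)

    # Flatten each record's AuditData JSON into the fields we care about.
    $events = foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            Operation = $d.Operation
            ClientIP  = $d.ClientIP
            # Parameters is present on Exchange admin operations (New-InboxRule, Set-Mailbox, ...)
            Detail    = if ($d.Parameters) {
                            ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
                        } else { '' }
        }
    }

    # Sign-in sources: count and first/last seen per IP.
    $signIns = $events | Where-Object Operation -eq 'UserLoggedIn' |
        Group-Object ClientIP | ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                ClientIP  = $_.Name
                Count     = $_.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        }

    # Mailbox tampering: the operations an attacker uses for persistence/exfiltration.
    $tamperOps = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox', 'Add-MailboxPermission'
    $tampering = $events | Where-Object { $_.Operation -in $tamperOps } | Sort-Object Time

    [pscustomobject]@{ SignIns = $signIns; Tampering = $tampering }
}

# Constructed sample records: a normal sign-in from 203.0.113.10, then an
# attacker at 198.51.100.77 who logs in, adds a forward-and-delete rule and
# sets an external SMTP forward (placeholder user and addresses).
$sample = @(
  @{ AuditData = '{"CreationTime":"2023-05-02T08:01:10","Operation":"UserLoggedIn","ClientIP":"203.0.113.10","UserId":"jane.doe@contoso.com"}' },
  @{ AuditData = '{"CreationTime":"2023-05-02T08:40:03","Operation":"UserLoggedIn","ClientIP":"198.51.100.77","UserId":"jane.doe@contoso.com"}' },
  @{ AuditData = '{"CreationTime":"2023-05-02T08:42:30","Operation":"New-InboxRule","ClientIP":"198.51.100.77","UserId":"jane.doe@contoso.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"attacker@example.net"},{"Name":"DeleteMessage","Value":"True"}]}' },
  @{ AuditData = '{"CreationTime":"2023-05-02T08:43:05","Operation":"Set-Mailbox","ClientIP":"198.51.100.77","UserId":"jane.doe@contoso.com","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:attacker@example.net"}]}' },
  @{ AuditData = '{"CreationTime":"2023-05-03T09:00:00","Operation":"UserLoggedIn","ClientIP":"203.0.113.10","UserId":"jane.doe@contoso.com"}' }
) | ForEach-Object { [pscustomobject]$_ }

$result = Get-CompromiseTimeline -Records $sample
$result.SignIns   | Format-Table -AutoSize
$result.Tampering | Format-Table Time, Operation, ClientIP, Detail -AutoSize
```

Against a real export, replace $sample with Import-Csv of the file produced in Step 3. The single sign-in from 198.51.100.77 followed two minutes later by a rule named "." that forwards and deletes mail is the pattern to look for; the IP and timestamp of that first sign-in are what tell you when the compromise began and, correlated with the mail flow at that time, how (typically a phishing link) the credential was obtained.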