A client engaged 3B Data Security to assist in conducting a forensic investigation into unauthorised Office 365 account access following a successful phishing attack.
The client reported that they had suspected the attacker(s) had been accessing user accounts and subsequently had access to an employee’s email account.
3B Data Security was tasked with carrying out an investigation to establish any supporting evidence of the above.
3B Data Security acquired Office 365 Audit logs for email accounts identified by the client as potentially compromised and acquired an exported mailbox of a high priority user to
identify if any PII data may have been available to an unauthorised party during the compromise of the email account.
The investigation conducted by 3B Data Security confirmed the client's employee visited a malicious phishing domain following a phishing email and through the forensic
analysis conducted on the employee workstation, found that the Chrome Autofill, which is used to fill form fields automatically when a page loads without any user interaction, was used to input Office 365
credentials at the time when the malicious domain requested for the employee's username and password.
Following the review of Office 365 Audit Logs, 3B Data Security were able to identify the exact date upon which the first instance of unauthorised access to the employee account occurred. Further
unauthorised access to SharePoint Online was observed; however, access to any files or folders was not observed. The investigation also found no evidence of the employee's Office 365 mailbox or application
being accessed using downloadable Microsoft client applications.
The mailbox of the high priority employee was examined, which found that PII and Intellectual Property (IP) was present within the email attachments.
3B Data Security provided tailored security recommendations to the client to aid them in further improving their environment and to help mitigate against any future compromise of IT systems.