Check your Exchange for ongoing leaks

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

Currently the biggest exposure to threats in the cyber domain is presented via mail. Phishing attacks tricks out the credentials for legitimate users and then gain access to the mail account, and some actors will sit with this access to months looking for ways to benefit from this access. As a way of establishing persistence an attacker will often create rules in the mail-system to have mail forwarded to an external account the attacker controls. This way, even if you change passwords, the attacker still receives copies of the mail.

These forwarding rules can serve as valuable indicators. And even if absence of evidence is not evidence of absence, it is worth to look for these rules with regular intervals. This is nothing new, but a reminder seemed in place given the current threat landscape. Here is an older blogpost from Compass-Security explaining the issue.

There is also a project on Github to help faciliate testing and low-volume activity data acquisition from the Office 365 Management Activity API that might be interesting in this regard.

Top 5 Security News