Mitigation
Where possible, scan emails for links which match the RegEx in this report. These emails should be flagged as potentially malicious and investigated. Scan web logs to identify whether users have visited domains, or requested filenames, which match the patterns provided. Where malicious activity has been detected, inspect mail servers to understand how the emails have propagated, and to identify the IP addresses from which the emails were sent.
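The three checks above (link matching in mail, URL matching in web proxy logs, and recovering the sending IP chain from mail headers) can be scripted. The following is an added example, not code from the NCSC report: the advisory's own RegEx is not reproduced here, so the two indicator patterns, the proxy log lines and the email are all constructed placeholders, and the log parser assumes Squid native access-log field order.

```python
from __future__ import annotations

import re
from email import message_from_string
from typing import Iterable

# Placeholder indicator patterns. The advisory's own RegEx is not reproduced
# here; substitute the patterns from the report before running this against
# real mail or proxy data. Both values below are constructed for illustration.
INDICATOR_PATTERNS = [
    # hypothetical phishing domain (and any subdomain of it) inside a URL
    re.compile(r"//(?:[a-z0-9-]+\.)*example-phish\.invalid/", re.I),
    # hypothetical landing-page filename associated with the campaign
    re.compile(r"/secure-login\.php\?", re.I),
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed Squid native-format access log (timestamp elapsed client
# action/code bytes method url rfc931 hierarchy/peer type). Not real traffic.
SAMPLE_PROXY_LOG = """\
1588586400.001    120 10.0.0.5 TCP_MISS/200 5120 GET http://example-phish.invalid/login.php?id=a1b2 - HIER_DIRECT/203.0.113.10 text/html
1588586401.002     80 10.0.0.7 TCP_MISS/200 2048 GET https://www.example.com/news - HIER_DIRECT/203.0.113.20 text/html
1588586402.003     95 10.0.0.9 TCP_MISS/200 4096 GET https://cdn.example-phish.invalid/auth/secure-login.php?u=ops - HIER_DIRECT/203.0.113.10 text/html
"""

# Constructed raw email with two Received hops. Not a real message.
SAMPLE_EMAIL = """\
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
 by mail.corp.example with ESMTP id abc123; Mon, 4 May 2020 10:00:00 +0000
Received: from unknown (HELO relay.example-phish.invalid) (198.51.100.25)
 by mx.corp.example with SMTP; Mon, 4 May 2020 09:59:58 +0000
From: IT Support <it-support@example-phish.invalid>
To: user@corp.example
Subject: Action required: mailbox quota

Your mailbox is almost full. Sign in here to extend it:
http://example-phish.invalid/login.php?id=a1b2
"""


def find_indicator_urls(text: str, patterns=INDICATOR_PATTERNS) -> list[str]:
    """Return every URL in `text` that matches at least one indicator pattern."""
    return [u for u in URL_RE.findall(text) if any(p.search(u) for p in patterns)]


def scan_proxy_log(lines: Iterable[str], patterns=INDICATOR_PATTERNS) -> list[tuple[str, str]]:
    """Flag (client_ip, url) pairs whose URL matches an indicator pattern."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        client_ip, url = fields[2], fields[6]
        if any(p.search(url) for p in patterns):
            flagged.append((client_ip, url))
    return flagged


def triage_email(raw_message: str, patterns=INDICATOR_PATTERNS) -> dict[str, list[str]]:
    """Extract the relay IP chain (earliest hop first) and indicator URLs from one email."""
    msg = message_from_string(raw_message)
    # Each hop prepends its own Received header, so the last header is the
    # first hop; reversing the list gives the path from origin to our server.
    hops = [IPV4_RE.findall(h) for h in msg.get_all("Received", [])]
    sender_ips = list(dict.fromkeys(ip for hop in reversed(hops) for ip in hop))
    body_parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            body_parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(body_parts)
    return {"sender_ips": sender_ips, "indicator_urls": find_indicator_urls(body, patterns)}


if __name__ == "__main__":
    for client_ip, url in scan_proxy_log(SAMPLE_PROXY_LOG.splitlines()):
        print(f"proxy hit: {client_ip} -> {url}")
    print(triage_email(SAMPLE_EMAIL))
```

The relay chain is the starting point for the mail-server inspection the advisory asks for: the earliest Received hop is the one to compare against the rest of your mail flow, bearing in mind that a Received header added outside your own infrastructure can be forged, so only hops recorded by servers you control should be treated as reliable.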
The NCSC recommends resetting the passwords of affected accounts as soon as possible, ensuring that the new password follows a strong password policy. Password guidance from the NCSC can be found here.
The NCSC strongly recommends turning off legacy authentication protocols if you are using Office 365, due to the use of legacy protocols in this campaign. A guide to how to do this can be found here.
Further guidance on securing your organisation’s use of Office 365 can be found on our website.
The NCSC also recommends using Multi-Factor Authentication (MFA) with Office 365 and across your estate, and educating your users about this campaign and about spear phishing emails more widely. MFA is only effective in mitigating the type of credential theft seen in this campaign if legacy authentication protocols are disabled, because legacy protocols authenticate with a username and password alone and never trigger an MFA prompt. See the relevant NCSC guidance below.
Multi-factor authentication for online services
Setting up two-factor authentication
Securing Office 365 with better configuration
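Before and after disabling legacy authentication it is worth confirming, from sign-in logs, which accounts are still authenticating over legacy protocols, since those sign-ins bypass MFA entirely. The following is an added example and not NCSC or Microsoft code. It assumes sign-in records in the shape of Microsoft Graph `signIn` objects with the `clientAppUsed`, `ipAddress` and `status.errorCode` fields; the set of legacy client-app names and the sample records are the author's constructed illustration and should be checked against current Microsoft documentation before use.

```python
from __future__ import annotations

from collections import defaultdict

# Values of the sign-in log field `clientAppUsed` that indicate legacy (basic)
# authentication. Assumption: this set reflects the example author's
# understanding of Azure AD / Entra ID sign-in logs, not an official list.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Other clients",
}

# Constructed sign-in records (only the fields used here). Not real data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@corp.example", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.5", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@corp.example", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.25", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@corp.example", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "198.51.100.25", "status": {"errorCode": 0}},
    # non-zero errorCode: a failed sign-in attempt (constructed value)
    {"userPrincipalName": "carol@corp.example", "clientAppUsed": "Exchange ActiveSync",
     "ipAddress": "192.0.2.77", "status": {"errorCode": 50126}},
]


def legacy_auth_signins(records, successful_only: bool = True) -> dict[str, list[tuple[str, str]]]:
    """Group legacy-protocol sign-ins by user as (client app, source IP) pairs.

    With successful_only=True, failed attempts are ignored so the result lists
    only accounts whose credentials actually worked over a legacy protocol.
    """
    per_user: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for rec in records:
        if rec.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        per_user[rec["userPrincipalName"]].append((rec["clientAppUsed"], rec.get("ipAddress", "")))
    return dict(per_user)


def accounts_to_review(records) -> list[str]:
    """Accounts with successful legacy sign-ins; MFA offers them no protection until legacy auth is off."""
    return sorted(legacy_auth_signins(records))


if __name__ == "__main__":
    for user, hits in legacy_auth_signins(SAMPLE_SIGNINS).items():
        print(user, hits)
    print("review:", accounts_to_review(SAMPLE_SIGNINS))
```

Running the same query with `successful_only=False` shows accounts that are being targeted over legacy protocols even where the attempts fail, which is useful input to the password-reset and user-education steps above.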
To further secure the compromised accounts, it may be prudent to revoke and reconfigure tokens used for authentication within Office 365. Further guidance on token configuration can be found here.
The NCSC strongly recommends notifying Microsoft’s Cyber Security Team at secure@microsoft.com, quoting the details of your findings in relation to this incident. Where possible, give Microsoft permission to share their findings relating to your organisation with the NCSC, enabling all parties to understand and mitigate this threat together.
Further to the above, the NCSC guidance linked below could assist more generally:
Downloads