- Joined
- Feb 27, 2008
- Messages
- 8,821 (1.47/day)
| System Name | OrangeHaze / Silence |
|---|---|
| Processor | i7-13700KF / i5-10400 / |
| Motherboard | ROG STRIX Z690-E / MSI Z490 A-Pro Motherboard |
| Cooling | Corsair H75 / TT ToughAir 510 |
| Memory | 64Gb GSkill Trident Z5 / 32GB Team Dark Za 3600 |
| Video Card(s) | Palit GeForce RTX 2070 / Sapphire R9 290 Vapor-X 4Gb |
| Storage | Hynix Plat P41 2Tb\Samsung MZVL21 1Tb / Samsung 980 Pro 1Tb |
| Display(s) | 22" Dell Wide/24" Asus |
| Case | Lian Li PC-101 ATX custom mod / Antec Lanboy Air Black & Blue |
| Audio Device(s) | SB Audigy 7.1 |
| Power Supply | Corsair Enthusiast TX750 |
| Mouse | Logitech G502 Lightspeed Wireless / Logitech G502 Proteus Spectrum |
| Keyboard | K68 RGB — CHERRY® MX Red |
| Software | Win10 Pro \ RIP:Win 7 Ult 64 bit |
I ran into this, and I'm looking to make sure exactly how the process broke. Can I get some input/feedback?
Client sent an email, appeared to be typical "Looks like our user, requested a change of banking info, please investigate". I scrolled down the email, and the address looked legit; decent spoof, I'll check headers. But first, go for the obvious: user sent it.
TAP to the sent box, nothing there, hit the deleted, nothing there, go to the "recovery", and there it is. "Oh crap, did they manage to get MFA disabled??!!" Blocked sign-in, revoked authenticators and sessions, changed the password. Called the user, and discussed while I went digging, and while in discussion, user reported they had "had to use their password earlier this week, or a few days ago", but couldn't remember where or why. Great.
Called management, explained the steps so far, and received permission to investigate and re-enable with extra reinforcement for phishing attacks. (after the discussion, I'm pretty sure the user won't put their password in *anywhere* for at least three months without calling me first).
After prompting and digging, determined the following:
thanks!
Client sent an email, appeared to be typical "Looks like our user, requested a change of banking info, please investigate". I scrolled down the email, and the address looked legit; decent spoof, I'll check headers. But first, go for the obvious: user sent it.
TAP to the sent box, nothing there, hit the deleted, nothing there, go to the "recovery", and there it is. "Oh crap, did they manage to get MFA disabled??!!" Blocked sign-in, revoked authenticators and sessions, changed the password. Called the user, and discussed while I went digging, and while in discussion, user reported they had "had to use their password earlier this week, or a few days ago", but couldn't remember where or why. Great.
Called management, explained the steps so far, and received permission to investigate and re-enable with extra reinforcement for phishing attacks. (after the discussion, I'm pretty sure the user won't put their password in *anywhere* for at least three months without calling me first).
After prompting and digging, determined the following:
- User had some junkware "Driver Updater" on laptop used at home over the weekend, was removed without verifying possibility of attack vector
- Password is a randomly generated >12 character mess: no dictionary words or leet speek
- Password is saved in Edge on "home" laptop for checking email
- Received a MFA SMS Monday afternoon, 1st day of account compromise, but user didn't see it/know it/request it
- Entra shows access from approx 2500 miles away near the opposite coast starting that day
- Client is a large company, multi-national, but not infra-structure critical, not F500, and the targeted user was a low-level employee in accounting: very little ability to change much, and the spoofed email request was out of the ordinary enough to prompt a phone call. in other words, neither the client nor the user were whale targets
- User is not a disgruntled employee, just a little absent minded, but not enough to not remember someone else asking for an MFA code... I think....
- None of the users for the company display the level of skill required to clone a phone, and absolutely none in the immediate physical area of the user have that skill level, and again: weak target, small fish
- Entra sign-in indicates
- Authentication requirement Multifactor authentication
- MFA requirement satisfied by claim in the token
thanks!
