Do Not Let This Happen To You!
We have been seeing an increase in compromised Microsoft 365 accounts, with those accounts being accessed by bad actors. All of our users are required to use multi-factor authentication, and the bad actors can still get around it if you let them. Please pass this on to all of your users. You need to train them never to enter their login information if they did not initiate the login process themselves.
The common theme is that the user receives an email from someone they know. It could even be a reply to a previous email chain. It says there is an important file they need to read; it could be attached, or it could be a link to a shared file. So of course, because they know the sender, they try to open it. It then tells them they need to log in to access the file, so of course they enter their email and password, and then they are prompted to verify the login. They are still unable to view any file, but they have just given the bad actor all of their information, including the multi-factor token needed to access their account. This can happen with any cloud account, Microsoft or Google; it is just that most of our clients are using Microsoft 365.
Within minutes the bad actor has accessed their account, but the user never knows it until a week later, when their account starts sending out the same or a similar email to everyone they know. In that time the bad actor has been through everything the user has saved and has access to under their account. The bad actor can also answer any replies to this bad email, to confirm to the recipient that it is legitimate.
All users can view the recent activity on their Microsoft accounts at this link: https://mysignins.microsoft.com/
We monitor this activity on a daily basis, but often do not see it soon enough. Some of the tools we need to monitor this more closely require a minimum of 1 Business Premium license in the organization. This adds more Microsoft security features for the whole organization. We are working through the remaining customers who may still not have these features. Please contact us if you are not sure, or if you would like to upgrade your current license(s).
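To show what "monitoring this activity" looks like in practice, here is an added example (not code from this newsletter or from Microsoft) that scans sign-in records for the two signals a phished session leaves behind: a successful sign-in from a country the user has never signed in from, and two successful sign-ins from different countries too close together to be real travel. The point worth noting is that a relayed login of the kind described above appears in the sign-in log as a fully successful, MFA-satisfied sign-in from the attacker's address, so checking the MFA status alone will not catch it; the location and IP are the tell. The field names (`user`, `time`, `ip`, `country`, `result`) and all of the sample records are constructed for this example; a real export from the Entra ID sign-in logs uses its own column names and would need to be mapped onto these.

```python
"""Flag suspicious Microsoft 365 sign-ins in a list of sign-in records.

Added example, not from the newsletter. The record layout and the sample
data below are constructed; map a real sign-in export onto these fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Alice's fourth entry models a phished session:
# it is a fully successful sign-in, minutes after her real one, from abroad.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-05-01T08:02:00Z", "ip": "203.0.113.10",  "country": "US", "result": "success"},
    {"user": "alice@example.com", "time": "2024-05-02T08:05:00Z", "ip": "203.0.113.10",  "country": "US", "result": "success"},
    {"user": "alice@example.com", "time": "2024-05-03T09:15:00Z", "ip": "203.0.113.10",  "country": "US", "result": "success"},
    {"user": "alice@example.com", "time": "2024-05-03T09:41:00Z", "ip": "198.51.100.77", "country": "NG", "result": "success"},
    {"user": "bob@example.com",   "time": "2024-05-03T10:00:00Z", "ip": "192.0.2.5",     "country": "US", "result": "success"},
    {"user": "bob@example.com",   "time": "2024-05-03T10:20:00Z", "ip": "192.0.2.99",    "country": "US", "result": "failure"},
]

# Two successful sign-ins from different countries closer than this are flagged.
TRAVEL_WINDOW = timedelta(hours=1)


def _parse(ts):
    """Parse the constructed UTC timestamp format used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_signins(records, travel_window=TRAVEL_WINDOW):
    """Return a list of (user, reason, record) findings.

    new_country:       a successful sign-in from a country the user has not
                       successfully signed in from earlier in the records.
    impossible_travel: a successful sign-in from a different country than the
                       user's previous success, less than travel_window later.
    Failed attempts are skipped: they neither establish a baseline nor
    indicate that the attacker got in.
    """
    findings = []
    seen_countries = defaultdict(set)  # user -> countries with a prior success
    last_success = {}                  # user -> most recent successful record

    for rec in sorted(records, key=lambda r: _parse(r["time"])):
        if rec["result"] != "success":
            continue
        user, country, when = rec["user"], rec["country"], _parse(rec["time"])

        # Only flag once the user has a baseline; the very first success
        # for a user has nothing to be compared against.
        if seen_countries[user] and country not in seen_countries[user]:
            findings.append((user, "new_country", rec))

        prev = last_success.get(user)
        if prev and prev["country"] != country and when - _parse(prev["time"]) < travel_window:
            findings.append((user, "impossible_travel", rec))

        seen_countries[user].add(country)
        last_success[user] = rec
    return findings


if __name__ == "__main__":
    for user, reason, rec in flag_signins(SAMPLE_SIGNINS):
        print(f"{rec['time']}  {user}  {reason}  ip={rec['ip']} country={rec['country']}")
```

Run against the sample data, the script reports only Alice's 09:41 sign-in from 198.51.100.77, once for each reason; Bob's failed attempt is ignored because a failure is not a compromise and should not be used to build his baseline. Whether you run this yourself or rely on a monitoring service, the records to review are the ones users see at https://mysignins.microsoft.com/ and that administrators see in the tenant's sign-in logs.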
We are also looking into offering additional ITDR (Identity Threat Detection and Response) services, which involves partnering with the right vendor to provide 24×7 monitoring and response to these types of compromises. This would involve additional costs per user and giving the outside vendor access to your Microsoft tenant for your users, or to your Google Workspace account for Google organizations.
Examples of these types of emails:


