Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
Credential abuse and compromised user accounts are serious concerns for any organization. Credential abuse is often used to access other critical assets within an organization, its subsidiaries, or a partner corporation. Once an account is compromised, it can be used for data exfiltration or to further the agenda of a threat actor. Threat actors often compromise the internal email accounts of legitimate organizations for many reasons, including to send internal users phishing links leading to additional compromise, to send malicious emails to external users for later compromise, or to create inbox rules that forward confidential emails to the threat actor’s account outside of the organization. Monitoring for events surrounding internal, inbound, and outbound email activity is important.
The AT&T Managed Threat Detection and Response (MTDR) analyst team received several alarms in response to a user attempting to send an excessive number of emails, resulting in these emails being blocked within Microsoft Office 365. Upon reviewing the user's login behavior, it was observed that this user was seen logged in from foreign IPs which were outside of the user's typical logon behavior. Further analysis of events surrounding the user concluded that this incident was contained. An investigation was created with attached events, artifacts, and login activity to quickly engage the customer and remediate the compromise before the attack could be elevated.
Initial Alarm Review
Indicators of Compromise (IOC)
There were three alarms generated from events involving Credential Abuse, Anomalous User Behavior, and Security Policy Violation from Office 365 activity from both a foreign country and the United States.
The initial Credential Abuse alarm (image 1) for suspicious login activity was generated in response to 12 events related to successful logins from a foreign country and the United States within a 24-hour period. After expanding the events surrounding this user, it was discovered that this user had never logged in from countries outside the United States.
The team then used Open Source Intelligence (OSINT) tools to research the foreign IPs and discovered that these were IP addresses belonging to a foreign telecommunications company and were previously blacklisted. Utilizing OSINT during an investigation is imperative to determine ownership, location, history of abuse, and malicious activity surrounding an IP address or domain.
IP Blacklist check
The Anomalous User Behavior alarm (image 3) pertaining to Outlook 365 email activity was generated due to the excessive number of outbound emails. According to logs, there were fifty-three outbound emails sent from the foreign IP in 24 hours, which is a 1000% increase for this user. Due to the suspicious activity that was occurring, the Intrusion Prevention System (IPS) restricted the user's ability to send emails and generated an additional alarm for review. The implementation of an IPS is important in this instance, because it prevented data exfiltration from the compromised email account.
Anomalous user behavior
The Security Policy Violation alarm (image 4) pertaining to this user highlighted potential Office 365 credential abuse and email restriction due to the abnormal login activity. These events were generated due to the login location, login successes, failures, and email activity that occurred from the threat actor addresses.
Security policy violation
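The two detections described above, a successful login from a country absent from the user's 30-day baseline and a 24-hour outbound email count far above the user's daily average, can be reproduced in a few dozen lines. The following is an added example written for this article, not code from the AT&T MTDR platform or from Microsoft. It assumes Office 365 audit records flattened to the fields CreationTime, UserId, Operation, ClientIP and ResultStatus (the Unified Audit Log carries many more), assumes "UserLoggedIn" and "Send" as the login and outbound-mail operation names, and stands in for a GeoIP lookup with a small constructed IP-to-country table; the sample events, IPs (documentation ranges) and user are constructed.

```python
from datetime import datetime, timedelta

# --- Constructed sample data (assumptions, not real customer data) ---
NOW = datetime(2023, 6, 1, 12, 0, 0)          # end of the 24-hour alarm window
WINDOW_START = NOW - timedelta(hours=24)
USER = "jdoe@example.com"
US_IP, FOREIGN_IP = "203.0.113.10", "198.51.100.77"   # RFC 5737 documentation addresses
# Stand-in for a GeoIP database; "XX" is a placeholder country code.
IP_COUNTRY = {US_IP: "US", FOREIGN_IP: "XX"}


def country_of(ip):
    return IP_COUNTRY.get(ip, "??")


def parse_time(stamp):
    # Audit timestamps are UTC; keep them naive for simplicity.
    return datetime.fromisoformat(stamp)


def _event(when, operation, ip, status="Succeeded"):
    return {"CreationTime": when.strftime("%Y-%m-%dT%H:%M:%S"), "UserId": USER,
            "Operation": operation, "ClientIP": ip, "ResultStatus": status}


def build_sample_events():
    """30 days of normal behaviour followed by the anomalous 24 hours."""
    events = []
    for day in range(1, 31):                     # baseline: one US login, 5 mails per day
        t = NOW - timedelta(days=day, hours=2)
        events.append(_event(t, "UserLoggedIn", US_IP))
        events += [_event(t + timedelta(minutes=10 * i), "Send", US_IP) for i in range(5)]
    for i in range(12):                          # alarm window: 12 logins, 8 from the foreign IP
        events.append(_event(NOW - timedelta(hours=20 - i), "UserLoggedIn",
                             FOREIGN_IP if i < 8 else US_IP))
    events += [_event(NOW - timedelta(hours=3, minutes=i), "Send", FOREIGN_IP)
               for i in range(53)]               # 53 outbound mails from the foreign IP
    return events


def baseline_countries(events, user, window_end, days=30):
    """Countries the user successfully logged in from during the `days` before window_end."""
    start = window_end - timedelta(days=days)
    return {country_of(e["ClientIP"]) for e in events
            if e["UserId"] == user and e["Operation"] == "UserLoggedIn"
            and e["ResultStatus"] == "Succeeded"
            and start <= parse_time(e["CreationTime"]) < window_end}


def new_country_logins(events, user, now, lookback_hours=24, baseline_days=30):
    """Logins in the last `lookback_hours` from a country not seen in the baseline."""
    window_start = now - timedelta(hours=lookback_hours)
    known = baseline_countries(events, user, window_start, baseline_days)
    hits = []
    for e in events:
        if e["UserId"] != user or e["Operation"] != "UserLoggedIn":
            continue
        t = parse_time(e["CreationTime"])
        if window_start <= t <= now and country_of(e["ClientIP"]) not in known:
            hits.append((e["CreationTime"], e["ClientIP"], country_of(e["ClientIP"]),
                         e["ResultStatus"]))
    return hits


def outbound_mail_spike(events, user, now, lookback_hours=24, baseline_days=30):
    """Return (recent count, baseline per-day average, percent increase over the average)."""
    window_start = now - timedelta(hours=lookback_hours)
    base_start = window_start - timedelta(days=baseline_days)
    sent = [parse_time(e["CreationTime"]) for e in events
            if e["UserId"] == user and e["Operation"] == "Send"]
    recent = sum(1 for t in sent if window_start <= t <= now)
    baseline = sum(1 for t in sent if base_start <= t < window_start)
    per_day = baseline / baseline_days
    if per_day == 0:
        pct = float("inf") if recent else 0.0
    else:
        pct = (recent - per_day) * 100 / per_day   # ordered to stay exact for integer inputs
    return recent, per_day, pct


if __name__ == "__main__":
    evts = build_sample_events()
    for hit in new_country_logins(evts, USER, NOW):
        print("login from unseen country:", hit)
    print("outbound mail (recent, per-day baseline, % increase):",
          outbound_mail_spike(evts, USER, NOW))
```

The login check deliberately uses only successful logins to build the baseline, so failed attempts from unfamiliar addresses never "teach" the detector a new country; the mail check compares a 24-hour count against a per-day average rather than a fixed threshold, which is what makes a 53-message day stand out for a user who normally sends a handful.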
Event Deep Dive
Reviewing for Additional Indicators
To ensure there was no further compromise, the team investigated all other events associated with this user. The search range was increased from the last 24 hours to the last 30 days in order to observe more activity related to credential usage of this user, additional suspicious logins, and inbox rule creation.
After conducting thorough searches for other indicators of compromise through user events, Intrusion Prevention System logs and login activity within the organization, we discovered there was no further compromise.
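One of the indicators the widened 30-day search looks for is inbox rule creation, since a forwarding rule to an external mailbox is how a compromised account keeps leaking mail after the password is reset. The following is an added example for this article, not code from the AT&T MTDR platform or from Microsoft. It assumes rule changes appear as "New-InboxRule" / "Set-InboxRule" audit records whose Parameters field is a list of {"Name", "Value"} pairs (the shape of Exchange cmdlet auditing, simplified), and it assumes the organization's own mail domain is example.com; the sample records, addresses and IPs are constructed.

```python
from datetime import datetime, timedelta

ORG_DOMAINS = {"example.com"}                      # assumption: the customer's mail domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

NOW = datetime(2023, 6, 1, 12, 0, 0)
USER = "jdoe@example.com"


def _rule_event(when, operation, ip, **params):
    """Build a constructed audit record for an inbox-rule cmdlet."""
    return {"CreationTime": when.strftime("%Y-%m-%dT%H:%M:%S"), "UserId": USER,
            "Operation": operation, "ClientIP": ip,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


# Constructed sample: a benign filing rule, an external forward created from the
# foreign IP during the incident, and an older redirect outside the 30-day window.
SAMPLE_RULE_EVENTS = [
    _rule_event(NOW - timedelta(days=3), "New-InboxRule", "203.0.113.10",
                Name="Newsletters", SubjectContainsWords="newsletter", MoveToFolder="Archive"),
    _rule_event(NOW - timedelta(hours=20), "New-InboxRule", "198.51.100.77",
                Name="Sync", ForwardTo="collector@attacker-example.net", DeleteMessage="True"),
    _rule_event(NOW - timedelta(days=45), "Set-InboxRule", "203.0.113.10",
                Name="Old rule", RedirectTo="partner@other-example.org"),
]


def _params(event):
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def is_external(address):
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in ORG_DOMAINS


def suspicious_inbox_rules(events, user, now, lookback_days=30):
    """Inbox-rule changes in the lookback window that forward/redirect outside the org
    or delete the message after forwarding. Returns one finding per offending record."""
    start = now - timedelta(days=lookback_days)
    findings = []
    for e in events:
        if e.get("UserId") != user or e.get("Operation") not in RULE_OPERATIONS:
            continue
        t = datetime.fromisoformat(e["CreationTime"])
        if not (start <= t <= now):
            continue
        params = _params(e)
        reasons = []
        for name in sorted(FORWARDING_PARAMS & params.keys()):
            targets = [a for a in params[name].split(";") if a.strip()]
            external = [a.strip() for a in targets if is_external(a)]
            if external:
                reasons.append(f"{name} -> {', '.join(external)}")
        if params.get("DeleteMessage", "").lower() == "true":
            reasons.append("DeleteMessage=True (hides the handled mail from the mailbox owner)")
        if reasons:
            findings.append({"time": e["CreationTime"], "rule": params.get("Name", "<unnamed>"),
                             "client_ip": e.get("ClientIP"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_inbox_rules(SAMPLE_RULE_EVENTS, USER, NOW):
        print(f)
```

Running it with the default 30-day window surfaces only the forwarding rule created from the foreign IP; extending lookback_days to 60 also returns the older external redirect, which is the point of widening the search range when a compromise is suspected.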
Building the Investigation
An Investigation was created that included several artifacts related to the three alarms and all events pertaining to user account access and O365 activity.
After creating and updating the Investigation, the customer was provided all relevant information and was contacted in accordance with their Incident Response Plan (IRP). The customer immediately contained the incident, isolating the asset and user account and revoking their credentials.
Limitations and Opportunities
Implementing Multi-Factor Authentication (MFA) and geofencing within an environment would reduce the risk of an account becoming compromised. Users often reuse the same credentials across several websites. It is recommended to use different passwords for each account and to refrain from using work email addresses for non-business-related purposes.