With the rapid adoption of Microsoft 365 we have seen a rise in business email compromise attacks.
First Response were called in by the Head of IT for a 700-user financial services company based in London to provide a digital forensic investigation into their Microsoft 365 environment and wider infrastructure, following a business email compromise attack they had suffered.
In this instance, the IT team was alerted to the incident by the accounts team, who were themselves notified by one of their third-party suppliers who weren’t happy that the client’s bank details had been changed. This immediately raised suspicions with the accounts team, as they hadn’t changed their bank details.
The IT team conducted an initial investigation themselves but quickly realised that they would need to call in specialists to identify the root cause of the attack, to identify whether any data had been stolen and to ensure that the attack wouldn’t happen again.
After analysing the Microsoft 365 environment, First Response then looked at the wider environment, analysing the logs across their network and endpoint infrastructure. First Response were able to identify the intrusion point of the attacker and conclude that no data had been stolen. It was just the Microsoft 365 account that had been compromised.
The IT team maintained a good log retention period which significantly assisted the investigation.
The client was reassured that no data had been stolen and in this instance were lucky no payment had been made. First Response also provided a number of recommendations for the client to secure their infrastructure.
HOW WE CAN HELP