Cloud Incident Response

  • 1.  O365 Account Compromise Containment/Recovery

    Posted Jul 22, 2024 05:35:00 AM

    Thought I would add some real world experience to this,

    We have seen O365 accounts being compromised and have learned that the account needs to have both a password reset (changed on next logon) and, crucially, that all O365 sessions are revoked, as we have seen the threat actor continue within the compromised account because they have an active authentication token.

    The above approach ensures that the compromised account is fully clear of the threat actor and the user now has a new password.

    Thanks,
    Neil Baal
    Group IT Security Manager



    ------------------------------
    Neil Baal
    Group IT Security Manager
    Unknown
    ------------------------------
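    The two containment steps described in the post above (reset the password with a forced change at next logon, then revoke every active session), written out as an added example for the Microsoft Graph PowerShell SDK. This is not code from the original post or from Microsoft; it assumes the Microsoft.Graph module is installed, that the operator holds a role allowed to reset passwords (User Administrator or higher), and the user principal name passed in is a placeholder. One caveat worth knowing before you rely on it: Revoke-MgUserSignInSession invalidates refresh tokens and session cookies, but an access token the actor already holds keeps working until it expires (roughly an hour by default), so the sign-in log check at the end is what tells you whether they came back.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph PowerShell SDK
# and an operator with rights to reset passwords and read sign-in logs.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # placeholder, e.g. user@contoso.example
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All",
                        "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName `
    -Property Id, UserPrincipalName, AccountEnabled, SignInSessionsValidFromDateTime

# 1. Build a random temporary password (32 base64 chars; Entra still enforces its
#    complexity policy, so never hand out a predictable pattern here).
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)

# 2. Reset the password and require a change at next sign-in.
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Revoke refresh tokens and browser session cookies issued before this moment.
#    This is the step that actually evicts an actor who still holds a valid token.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 4. Confirm the revocation: the 'valid from' timestamp must now be 'now'.
$after = Get-MgUser -UserId $user.Id -Property SignInSessionsValidFromDateTime
$since = $after.SignInSessionsValidFromDateTime.ToUniversalTime().ToString("o")
"Sessions valid from $since (UTC)"

# 5. Watch for re-entry: any successful sign-in after that timestamp from an unfamiliar
#    IP or country means the actor re-authenticated (for instance with an MFA method
#    they registered during the compromise) and MFA methods need reviewing too.
Get-MgAuditLogSignIn -Top 50 `
    -Filter "userPrincipalName eq '$($user.UserPrincipalName)' and createdDateTime ge $since" |
    Select-Object CreatedDateTime, IpAddress, ClientAppUsed,
        @{ n = 'Error';   e = { $_.Status.ErrorCode } },
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } } |
    Format-Table -AutoSize

# Hand $tempPassword to the user out of band (not by e-mail to the compromised mailbox).
```

    Run it once per compromised account; an error code of 0 in the sign-in table after the revocation timestamp is the thing to investigate.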



  • 2.  RE: O365 Account Compromise Containment/Recovery

    Posted Jul 23, 2024 08:42:00 AM
    This is always one of the best ways to do it. However, you may want to consider and implement Conditional Access.

     Thanks
    Adnan






  • 3.  RE: O365 Account Compromise Containment/Recovery

    Posted Apr 28, 2025 07:12:00 AM

    Building on your topic, I recently encountered a scenario where a cybersecurity incident in Office 365 involving browser session cookies occurred, as attackers stole or hijacked session cookies to impersonate legitimate users. This is not a new thing for folks in the cybersecurity area. However, it took some time to figure out how this incident happened by reviewing O365 and Azure AD logs to identify unauthorized access and the method of attack (e.g., XSS or MITM). To remediate this scenario, here are the steps taken:

    • Revoked session cookies: forced a logout for all users and cleared session cookies
    • Re-configured MFA and added conditional access policies to restrict access based on device and location
    • Addressed vulnerabilities: applied security patches, enforced secure cookie attributes (HttpOnly, Secure, SameSite), and secured browser settings
    • Monitoring: used O365 Advanced Threat Protection (ATP) to detect further threats and ensured continuous monitoring of activity
    • Trained users

    Happy to answer any questions you may have or provide more details on each step.



    ------------------------------
    Pankaj Kumar,
    Sr. Project Manager
    United Flow Technologies
    [email protected]
    https://www.linkedin.com/in/pankajkm/
    ------------------------------



  • 4.  RE: O365 Account Compromise Containment/Recovery

    Posted Apr 28, 2025 07:12:00 AM

    Adding to your point, here is another scenario:

    There was a cybersecurity incident in Office 365 where attackers managed to steal or hijack session cookies, allowing them to impersonate legitimate users. To handle the situation, we first took immediate action by logging out all active sessions and disabling any compromised accounts. We then went through the O365 and Azure AD logs to find out how the attackers gained access and which method they used, such as cross-site scripting (XSS) or man-in-the-middle (MITM) attacks.

    For remediation, we revoked all session cookies and forced a logout for everyone. We also strengthened our security by enabling Multi-Factor Authentication (MFA) and setting up Conditional Access policies to limit access based on factors like device or location. We made sure to apply any necessary security patches, updated our cookie settings (HttpOnly, Secure, SameSite), and tightened browser security.

    We also monitored the system closely using O365 Advanced Threat Protection (ATP) to detect any further suspicious activity. Lastly, we educated users on best practices for secure browsing and reviewed our incident response plan to make sure we were better prepared for future threats.



    ------------------------------
    Pankaj Kumar,
    Sr. Project Manager
    United Flow Technologies
    [email protected]
    https://www.linkedin.com/in/pankajkm/
    ------------------------------
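    Adnan's suggestion above (implement Conditional Access) and the device- and location-based policies mentioned in the two cookie-theft write-ups, as an added example in Microsoft Graph PowerShell. This is not the original posters' code or a Microsoft sample. It assumes the Microsoft.Graph module, an operator with Policy.ReadWrite.ConditionalAccess rights, and a break-glass group whose object ID is a placeholder GUID below. The policy requires both MFA and a compliant device for all users outside trusted locations, and caps sign-in frequency so a stolen cookie has a short useful life; it is created in report-only mode so you can read the sign-in log for a few days before enforcing it and locking people out.

```powershell
# Added example (not from the original posts). Assumes Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "Application.Read.All" -NoWelcome

# Placeholder: object ID of the emergency-access (break-glass) group. Always exclude it,
# otherwise a misconfigured policy can lock every admin out of the tenant.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "IR: require MFA and compliant device outside trusted locations"
    # Report-only first: sign-in logs show what WOULD have been blocked without
    # actually blocking it. Switch to "enabled" once the impact is understood.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # named locations marked as trusted
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator         = "AND"
        # A replayed session cookie on an attacker's machine fails the device check
        # even if the actor satisfied MFA on the victim's browser.
        builtInControls  = @("mfa", "compliantDevice")
    }
    sessionControls = @{
        signInFrequency = @{
            isEnabled = $true
            type      = "hours"
            value     = 12   # forces re-authentication; bounds how long a stolen cookie works
        }
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Verification: list every policy and its state, so report-only ones are not forgotten.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State, CreatedDateTime |
    Format-Table -AutoSize
```

    Note that "compliantDevice" requires devices to be enrolled in Intune (or another MDM reporting compliance to Entra); for a tenant without MDM, "domainJoinedDevice" with the operator set to "OR" is the usual fallback, at the cost of a weaker device check.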