An interesting twist on a credential theft

Recently, a client got caught by a malware operator. I'm writing about this since the attack structure is a little different from what I have seen in the past. For a little background, the client is a single-person professional practice. There are only three mailboxes in the client's Microsoft 365 account: his personal one, a relatively newly created professional one (to try to separate his personal and business email), and an unlicensed one for me. All of these accounts are Microsoft 365 administrators (not the best idea, but we are only talking about 2 people, him and me).

We believe that it started with what the client thought looked like a normal request from Microsoft to sign into Office 365. Evidently, this was a good-looking phishing email, because the client responded. A few days later the client received an email confirming the purchase of a new domain on his Microsoft 365 account. He called me immediately and we looked into what was happening. There appeared to be a new, unknown domain in his account. There also appeared to be two new mailboxes that looked more like contact addresses than normal mailboxes.

I immediately deleted the new mailboxes and attempted to delete the new domain. However, the admin portal would not let me delete the domain because it had been prepaid for a year and was on a recurring renewal charge to a credit card that was unknown to either of us. I cancelled the automatic renewal and tried deleting the domain again. Once again, I was unable to delete the new domain. So, I created a ticket with Microsoft support. While this was happening, the client received an email from an unknown person asking about a gift card purchase he had supposedly arranged. This gave us a better understanding of what was going on.

Meanwhile, I used a WHOIS search to determine the registrar for the new domain. I then sent an email to the registrar's abuse address explaining what was going on and recommending they block the domain. That resulted in a generic email telling me I had to enter my complaint on their abuse reporting form. I did that and got an email telling me I had to call them. When I called them, I was told I had to put my complaint into a different website, and that they would review the request and take appropriate action in 48 to 72 hours.

Meanwhile, Microsoft support called. I explained the situation and they said they had to forward the ticket to their billing team. A few hours later, the billing team reported that they were turning the ticket over to the abuse team. The abuse team suspended the domain listing. Since the domain's DNS was hosted at Microsoft, so the rest of the Internet looked to Microsoft to find out where to send anything pertaining to the new domain, that effectively stopped any further abuse from that domain name. The initial entry for Microsoft Support was on a Wednesday at 9:18 PM and the final response from the Microsoft Abuse Team was on Friday at 7:48 AM. This was a very fast response.

It is now 5 days after my entry to the registrar's abuse team and I still have heard nothing back. The problem domain is still listed in WHOIS, but its DNS records (the directory that hands out addresses for the domain) are no longer served through Microsoft. This at least means that my client is no longer being bothered by this issue.

The point to take from this blog post is that the typical abuses you hear about from credential theft are not the only abuses that can occur. To really understand what is happening, and what to do about it, requires professional knowledge of how the systems work and how to get things fixed when they break or get compromised.