September 23, 2020
How to Stop OneDrive for Business Accounts from Being Compromised
OneDrive for Business is a cloud storage service for Microsoft customers. Users can store their files in OneDrive and share them with other users. Sometimes OneDrive user accounts are compromised, which has undesirable consequences for the user, the user’s data, and the entire organization. Hackers use sophisticated techniques and malware to steal user accounts; a stolen account is also called a compromised account. How can OneDrive accounts be stopped from being compromised, and if they are compromised, how can they be recovered? This blog post explains how to protect OneDrive for Business accounts and how to recover compromised accounts.
What Are the Threats to Compromised Accounts?
A person with malicious intent who compromises an enterprise Microsoft 365 account (Office 365 for organizations) can steal sensitive data. Such malicious actors can cause material losses for a company, delete emails and files on OneDrive, and send spam or fake emails to get money. Hackers can distribute viruses from compromised Microsoft 365 accounts through email and through files shared on OneDrive. Another serious threat is hackers storing and sharing illegal content on OneDrive for Business. When a Microsoft 365 account is compromised, an attacker can use all Office 365 services, such as OneDrive (cloud storage), Outlook (email), SharePoint, and so on.
The symptoms of a compromised Microsoft 365 account include:
- Spam and suspicious email messages are sent to contacts inside and outside an organization.
- Email forwarding to unknown email addresses is configured.
- The user’s first and last name are changed.
- All email messages are deleted.
- The ability to send email is blocked.
- OneDrive storage for a user is filled with unknown files, or is full or close to the OneDrive for Business limit for the subscription plan.
How to Protect Microsoft 365 Accounts?
How can OneDrive accounts be stopped from being compromised? Below are some useful recommendations for users and administrators.
Users must use strong passwords that are unique and contain letters (upper and lower), digits, and special characters.
Don’t save a password as plain text in an unsafe place or on a shared resource.
Use two-factor authentication (to sign in, a username, a password, and a temporary confirmation code, sent for example to a cell phone via SMS, are all required). For users of OneDrive for Business and Office 365 for organizations, two-factor authentication is not a new feature. However, Microsoft recently introduced Personal Vault for consumer OneDrive subscription plans (OneDrive for personal users). Personal Vault is a OneDrive storage folder with stricter security; access to this folder also requires two-factor authentication.
Use antivirus software on your computer. System administrators should help users install antivirus software on their work computers. Antivirus software can detect infected files stored in shared folders on OneDrive, files attached to email messages, and files in other places. Keeping antivirus software up to date is especially important for those who use the OneDrive desktop client to access shared files on OneDrive. When such users have viruses on their computers, these viruses can create or infect any file that is accessible in Windows Explorer, including files on flash drives, hard disk drives, shared SMB folders, OneDrive, and so on. Other users who use the shared folders on OneDrive can also be infected if they open these infected shared files. Files can be damaged irreversibly by ransomware.
Don’t open attachments to suspicious emails, and don’t click suspicious links in emails. Distributing malware via email is one of the most popular methods of infecting computers or stealing accounts, and it is often used in conjunction with social engineering.
Train users to recognize social engineering. Social engineering is a technique in which attackers send messages to users from a spoofed name and email address, asking users to do something, offering a fake promotion, or asking the victim to provide sensitive information while pretending to be their boss or another trusted person.
Let’s look at some examples of harmful email messages:
Subject: Sign documents
Please sign these documents as soon as possible. See the attached files.
Subject: Survey 2020
Follow the link to complete the survey: link.
Subject: Summer photos
Agnieszka shared “photo001.zip” with you. Use this link to access files.
Subject: Change password!
Microsoft will perform maintenance in the datacenter. You must confirm your password to continue using Office 365 services. Use the link to access files [a link to a fake page for phishing can be located here].
Microsoft doesn’t ask users to share or send passwords. Don’t send your password to anybody. If you are a user who uses a Microsoft account, Office 365 for organizations, or OneDrive for Business, you can ask a system administrator to change your password in the Microsoft 365 admin center.
If you are a system administrator, please don’t use the Office 365 administrator account for regular working tasks such as sending emails, editing MS Office documents, or sharing files on OneDrive. Create a personal user account for yourself and use this account for all working tasks.
In Office 365 for organizations, Office 365 administrators can configure retention policies and data protection. Office 365 Advanced Threat Protection and Threat Intelligence can help administrators increase the level of protection against threats such as malware and phishing attacks.
Perform Office 365 data backups regularly. Backups help recover deleted or corrupted data for compromised Office 365 user accounts.
What to Do if Your Account Is Compromised?
What if your Office 365 account has already been compromised? What should you do in this case? Take the following steps as soon as possible to stop the attacker from controlling your Office 365 account.
If your password was changed by attackers, ask Office 365 administrators to reset it. The administrator should not send the new password to the user through the compromised email account. Use a new password and don’t re-use old passwords. Compromised accounts may also have to be blocked temporarily until the cause of the unusual behavior is identified.
Inform other users (at least the users in the contact list and the users inside your organization) which accounts have been compromised.
If your emails and files, including documents, have been deleted, check Deleted Items in Outlook, the Recycle Bin, and the second-stage Recycle Bin for SharePoint and OneDrive. If the items were deleted permanently, they can be recovered if a system administrator created a backup with dedicated third-party backup software. If you use a standalone Outlook client on your computer, your email messages should be preserved even if an attacker has deleted them in the web interface of Outlook Online. This is one of the advantages of using a standalone email client. Read how to configure SMTP and POP3 settings for a standalone version of Microsoft Office Outlook.
Stop OneDrive sync on all linked devices and operating systems where the OneDrive desktop client is signed in with a compromised account, to prevent the spread of infected files via OneDrive. OneDrive for Business synchronization can be enabled again once the cause (viruses, malware) has been eliminated.
Check your antivirus software and make sure that the virus signature database is up to date. Scan your computer for viruses. Administrators should ensure that antivirus software is installed and updated on all computers.
Remove forwarding email addresses that were added by attackers, and disable or delete email rules that you did not configure.
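The forwarding addresses and unknown inbox rules mentioned here are the same symptoms listed earlier in the post, and an administrator can check for them across all mailboxes rather than one at a time. The following Python script is an added example, not code from the original post or from NAKIVO: it audits an exported list of mailbox settings and reports mailbox-level forwarding to an external domain, enabled rules that forward or redirect mail externally, and enabled rules that delete messages. The record layout is an assumed, simplified form of what the Exchange Online Get-Mailbox and Get-InboxRule cmdlets return (the field names are this example’s own), and the sample mailboxes and domains are constructed.

```python
"""Audit exported mailbox settings for the compromise symptoms described above:
forwarding to unknown addresses and inbox rules the user did not configure.

Added example, not code from the original post or from NAKIVO. The record layout
is an assumed, simplified form of what Exchange Online's Get-Mailbox and
Get-InboxRule cmdlets return; the field names below are this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class InboxRule:
    name: str
    forward_to: List[str] = field(default_factory=list)   # SMTP recipients of ForwardTo
    redirect_to: List[str] = field(default_factory=list)  # SMTP recipients of RedirectTo
    delete_message: bool = False                          # rule deletes matching mail
    enabled: bool = True


@dataclass
class Mailbox:
    user: str
    forwarding_smtp_address: Optional[str] = None  # mailbox-level forwarding target
    rules: List[InboxRule] = field(default_factory=list)


def _domain(address: str) -> str:
    """Lower-cased domain of an SMTP address; tolerates an 'smtp:' prefix."""
    addr = address.lower().split(":")[-1]
    return addr.rsplit("@", 1)[-1]


def audit_mailboxes(mailboxes: List[Mailbox], internal_domains) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for mailbox-level forwarding to an external
    domain, enabled rules that forward or redirect externally, and enabled
    rules that delete messages. Disabled rules are ignored."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for mb in mailboxes:
        fwd = mb.forwarding_smtp_address
        if fwd and _domain(fwd) not in internal:
            findings.append((mb.user, f"mailbox forwards to external address {fwd}"))
        for rule in mb.rules:
            if not rule.enabled:
                continue
            external = [a for a in rule.forward_to + rule.redirect_to
                        if _domain(a) not in internal]
            if external:
                findings.append((mb.user, f"rule '{rule.name}' forwards/redirects to external "
                                          + ", ".join(external)))
            if rule.delete_message:
                findings.append((mb.user, f"rule '{rule.name}' deletes messages"))
    return findings


# Constructed sample data for this example (not real accounts or domains).
SAMPLE_MAILBOXES = [
    Mailbox("alice@example.com",
            rules=[InboxRule("Move newsletters")]),
    Mailbox("bob@example.com",
            forwarding_smtp_address="smtp:archive@mail-collector.example.net",
            rules=[InboxRule("Rule 1",
                             forward_to=["dropbox@mail-collector.example.net"],
                             delete_message=True)]),
    Mailbox("carol@example.com",
            rules=[InboxRule("Old rule",
                             redirect_to=["x@mail-collector.example.net"],
                             enabled=False)]),
]

if __name__ == "__main__":
    for user, finding in audit_mailboxes(SAMPLE_MAILBOXES, {"example.com"}):
        print(f"{user}: {finding}")
```

Run against the constructed sample, the script reports only bob’s mailbox: the external forwarding address, the rule that forwards externally, and the same rule deleting messages. Every finding is a setting to review with the user and, if not theirs, to remove as the step above describes; a rule that both forwards and deletes is the pattern that leaves the owner unaware that mail is leaving the mailbox.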
Office 365 is designed to be protected at the enterprise level by administrators. Administrators can use the Microsoft 365 Security and Compliance center to investigate recent activity and identify suspicious activity.
Check the audit logs and administrator audit logs in the Exchange admin center. They help identify specific actions, such as which Exchange Online PowerShell cmdlets were executed, who executed them, and which objects were affected.
If Azure Active Directory is used, administrators can review the IP addresses used to sign in and check sign-in locations, times, and status (success or failure). Read also about ADFS for Office 365.
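The two previous steps, reviewing which cmdlets were executed and from where, and reviewing sign-in IP addresses, locations, times and results, are most useful when read together. The following Python script is an added example, not code from the original post or from NAKIVO: it flags successful sign-ins from a country the user has not signed in from before or that follow a burst of failures from the same IP, and then matches those sign-ins to forwarding- or rule-changing cmdlets executed from the same IP shortly afterwards. The tuple layouts are an assumption for this example (Azure AD sign-in logs and the Exchange admin audit log expose these fields under their own names), the sample records are constructed, and sign-ins are assumed to be sorted by time.

```python
"""Triage sign-in records and admin audit entries for one account.

Added example, not code from the original post or from NAKIVO. Azure AD sign-in
logs and the Exchange admin audit log expose similar fields under their own
names; the tuple layouts and sample data below are constructed for this example.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sign-ins, sorted by time: (UTC time, source IP, country, result).
SIGN_INS = [
    ("2020-09-20T08:02:00", "203.0.113.7",   "PL", "success"),
    ("2020-09-20T17:45:00", "203.0.113.7",   "PL", "success"),
    ("2020-09-21T03:10:00", "198.51.100.44", "BR", "failure"),
    ("2020-09-21T03:10:20", "198.51.100.44", "BR", "failure"),
    ("2020-09-21T03:10:41", "198.51.100.44", "BR", "failure"),
    ("2020-09-21T03:11:05", "198.51.100.44", "BR", "success"),
    ("2020-09-21T09:00:00", "203.0.113.7",   "PL", "success"),
]

# Constructed admin audit entries: (UTC time, actor, cmdlet, source IP).
AUDIT = [
    ("2020-09-21T03:12:30", "user@example.com", "Set-Mailbox", "198.51.100.44"),
    ("2020-09-21T03:13:02", "user@example.com", "New-InboxRule", "198.51.100.44"),
    ("2020-09-21T09:05:00", "user@example.com", "Get-Mailbox", "203.0.113.7"),
]

# Exchange Online cmdlets that change forwarding or inbox rules (the symptoms above).
SENSITIVE_CMDLETS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}


def _t(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def suspicious_sign_ins(sign_ins, known_countries, max_failures=3,
                        window=timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Return (time, ip, reason) for successful sign-ins that came from a country
    not in `known_countries` or followed `max_failures` or more failures from the
    same IP within `window`."""
    flagged = []
    for i, (ts, ip, country, result) in enumerate(sign_ins):
        if result != "success":
            continue
        reasons = []
        if country not in known_countries:
            reasons.append(f"unknown country {country}")
        failures = sum(1 for pts, pip, _, pres in sign_ins[:i]
                       if pip == ip and pres == "failure" and _t(ts) - _t(pts) <= window)
        if failures >= max_failures:
            reasons.append(f"{failures} failures from {ip} in the last "
                           f"{window.total_seconds() / 60:.0f} min")
        if reasons:
            flagged.append((ts, ip, "; ".join(reasons)))
    return flagged


def correlate_admin_actions(flagged, audit, window=timedelta(hours=1)):
    """Return (sign-in time, cmdlet, audit time) for sensitive cmdlets run from
    the same IP as a flagged sign-in, within `window` after it."""
    hits = []
    for ts, ip, _ in flagged:
        for ats, _actor, cmdlet, aip in audit:
            delta = _t(ats) - _t(ts)
            if aip == ip and cmdlet in SENSITIVE_CMDLETS and timedelta(0) <= delta <= window:
                hits.append((ts, cmdlet, ats))
    return hits


if __name__ == "__main__":
    flagged = suspicious_sign_ins(SIGN_INS, known_countries={"PL"})
    for ts, ip, reason in flagged:
        print(f"suspicious sign-in {ts} from {ip}: {reason}")
    for ts, cmdlet, ats in correlate_admin_actions(flagged, AUDIT):
        print(f"  {cmdlet} executed at {ats} after sign-in at {ts}")
```

On the constructed data, the only flagged sign-in is the 03:11 success from an unfamiliar country that followed three failures from the same address, and the audit log shows Set-Mailbox and New-InboxRule executed from that address within two minutes; that combination is exactly what justifies blocking the account, resetting the password, and removing the forwarding settings and rules as described in the steps above. The known-country baseline and the thresholds are starting points to tune for the organization, not fixed rules.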
The administrator should unblock compromised accounts after performing all the needed measures to recover and reconfigure accounts for normal usage. The administrator should remove users from the Restricted Users list when the administrator is sure that re-enabling access is safe.
If there are Office 365 backups in the organization, restore the deleted or corrupted data in Outlook and OneDrive. If there is no software to perform Office 365 data backup, install the appropriate backup solution as soon as possible to prevent data loss in the future. Configure Office 365 backups to be performed regularly. Use NAKIVO Backup & Replication for Microsoft Office 365 data protection.
This blog post explained how to stop OneDrive accounts from being compromised. Compromised accounts may cause significant reputational and financial damage for an organization. Owners of compromised accounts in Office 365 can lose all data in Outlook and OneDrive. Office 365 accounts must be protected by using special backup solutions on a regular basis to ensure swift recovery in the event of data loss. Download NAKIVO Backup & Replication and back up your Microsoft Office 365 data.