Beware of O365 Phishing and Email Redirects

 

Your users might start seeing emails that look like the one below. If they click the links, they might start missing emails. You will notice that new rules have been created in users' mailboxes to forward emails to a Gmail account. Classic phishing tactic. Here is a sample email that's going around:

Clicking the link in the email will ask you to sign in and voilà!! They have your credentials.

They then log into the user's O365 account and create rules to forward the emails to their Gmail account.

I have also noticed that sometimes they just forward emails to the deleted mailbox... for fun, I guess.

How do you fix this?

1) Reset passwords regularly and put complexity requirements in place if you don't already.

2) Check all your mailboxes for redirect rules using PowerShell. Here is the command:

PowerShell

foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where { ($_.RedirectTo -or $_.ForwardTo) -and -not ($_.Description -match "If the message") } | fl MailboxOwnerId,Description >> rules.txt }

And this for forwards:

foreach ($i in (Get-Mailbox -ResultSize unlimited)) { Get-InboxRule -Mailbox $i.DistinguishedName | where {$_.ForwardTo} | fl MailboxOwnerId,Name,ForwardTo >> d:\Forward_Rule.txt }

It's possible more mailboxes are affected, so check all of them if you can.

3) Check the O365 Security & Compliance area for suspicious logins, especially from IPs abroad.

4) How about enabling two-factor authentication for O365 users?
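
A broader version of the rule check in step 2, as an added example that is not part of the original post: it flags rules that forward or redirect to addresses outside your own domains, plus rules that delete mail or move it to Deleted Items. The function name, the sample rules, the `contoso.example` domain and the `[SMTP:user@domain]` recipient rendering are assumptions.

```powershell
# Added example, not from the original post: flag inbox rules that forward
# mail outside the tenant or delete/hide it. Property names are Get-InboxRule's.
function Get-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Rule,
        [Parameter(Mandatory)] [string[]] $InternalDomains  # assumption: your own mail domains
    )
    process {
        # Every recipient the rule forwards or redirects to (empty slots dropped).
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
            Where-Object { $_ }
        # Assumed rendering of a recipient: '"Name" [SMTP:user@domain]'.
        $external = foreach ($t in $targets) {
            if ("$t" -match 'SMTP:([^\]\s]+@([^\]\s]+))' -and
                $InternalDomains -notcontains $Matches[2]) { $Matches[1] }
        }
        $reasons = @()
        if ($external) { $reasons += "forwards outside the tenant: $($external -join ', ')" }
        if ($Rule.DeleteMessage -or "$($Rule.MoveToFolder)" -match 'Deleted Items') {
            $reasons += 'deletes mail or moves it to Deleted Items'
        }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $Rule.MailboxOwnerId
                Rule    = $Rule.Name
                Enabled = $Rule.Enabled
                Reason  = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules shaped like Get-InboxRule output (not real data).
$sample = @(
    [pscustomobject]@{ MailboxOwnerId = 'alice'; Name = 'fwd'; Enabled = $true
        ForwardTo = '"ext" [SMTP:collector@mailbox.example]'; DeleteMessage = $false }
    [pscustomobject]@{ MailboxOwnerId = 'bob'; Name = 'team copy'; Enabled = $true
        RedirectTo = '"Team" [SMTP:team@contoso.example]'; DeleteMessage = $false }
    [pscustomobject]@{ MailboxOwnerId = 'carol'; Name = '..'; Enabled = $true
        MoveToFolder = 'Deleted Items'; DeleteMessage = $false }
)
$sample | Get-SuspiciousInboxRule -InternalDomains 'contoso.example' | Format-List

# Against a live Exchange Online session, feed it real rules instead:
# Get-Mailbox -ResultSize Unlimited |
#     ForEach-Object { Get-InboxRule -Mailbox $_.DistinguishedName } |
#     Get-SuspiciousInboxRule -InternalDomains 'yourdomain.example'
```

With the sample data, alice's and carol's rules are reported and bob's internal redirect is not.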