IR04: Check Account Security

Trigger:

User account was compromised

Who Should Follow This Procedure:

All Users
Service Desk

Steps To Follow:

  1. Change your AUBnet password: Follow the procedure HD01: Change Password.
  2. Check Forwarding Rules: Make sure the forwarding rules are correct and are not forwarding your emails to an unknown address.
  3. Check Inbox and Sweep Rules: Double-check your “Inbox and Sweep” rules and delete any rule you did not define. (Make sure you understand what a rule does before deleting it.)
  4. Check Application Passwords: Delete all Application Passwords and create new ones only where necessary. (My Account ==> "Additional security verification" ==> "Create and manage app passwords")
  5. Check OneDrive - Files: Make sure OneDrive does not contain any suspicious files.
  6. Check OneDrive - Shared Links: Make sure your files and folders on OneDrive are not shared through a public link or with an unknown email.
  7. Check App Permissions: Go to https://portal.office.com/account/, then "My Account" ==> "App Permissions", and look under "You can revoke permission for these apps".

Detailed Walkthrough Steps:

Check Forwarding Rules:

To check the forwarding rules:

Log on to your Office 365 account (your email) using any browser.
Click the “gear” symbol and choose mail options (see attached image “Forward Rules”).
On the left-hand side, click “Forwarding”.
Make sure it is not set to an unknown email.

Check Inbox and Sweep Rules:

To check the “Inbox and Sweep” rules, please see the attached image.
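For Service Desk staff, the forwarding and “Inbox and Sweep” checks above can also be run from the admin side. The script below is an added example, not part of the original procedure; it assumes the ExchangeOnlineManagement PowerShell module and Exchange Online admin rights, and the default mailbox address is a placeholder.

```powershell
# Added example for Service Desk use; assumes the ExchangeOnlineManagement module
# and Exchange Online admin rights. The default mailbox is a placeholder.
param([string]$Mailbox = 'user@example.edu')

Connect-ExchangeOnline -ShowBanner:$false

# Domains owned by the tenant; any other domain is treated as external.
$internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }

function Test-ExternalAddress {
    param([string]$Text)
    # Pull every e-mail address out of the text and compare its domain.
    foreach ($m in [regex]::Matches($Text, '[\w.+-]+@[\w.-]+\.[A-Za-z]{2,}')) {
        if ($internalDomains -notcontains $m.Value.Split('@')[1]) { return $true }
    }
    return $false
}

# Step 2: mailbox-level forwarding.
$mbx = Get-Mailbox -Identity $Mailbox
[pscustomobject]@{
    ForwardingSmtpAddress = $mbx.ForwardingSmtpAddress
    ForwardingAddress     = $mbx.ForwardingAddress
    KeepsLocalCopy        = $mbx.DeliverToMailboxAndForward
    External              = Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)"
} | Format-List

# Step 3: inbox rules that forward, redirect, delete or move mail.
Get-InboxRule -Mailbox $Mailbox | ForEach-Object {
    $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
        Where-Object { $_ }
    [pscustomobject]@{
        Rule     = $_.Name
        Enabled  = $_.Enabled
        SendsTo  = $targets -join '; '
        External = Test-ExternalAddress ($targets -join ' ')
        Deletes  = [bool]$_.DeleteMessage
        MovesTo  = $_.MoveToFolder
    }
} | Where-Object { $_.SendsTo -or $_.Deletes -or $_.MovesTo } |
    Format-Table -AutoSize -Wrap

# Step 3 (continued): sweep rules are stored separately from inbox rules.
Get-SweepRule -Mailbox $Mailbox | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Any rule the user does not recognize should still be reviewed with the user before it is removed, as the procedure requires.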

Check OneDrive:

Once you open OneDrive, check whether there are any files that are not yours.

Check Application Passwords:

Go to Account Settings
Security & Privacy
Additional Security Verification
Create and manage app passwords
Delete any predefined app passwords and re-create the ones needed.

Go to "Create and manage app passwords":

Make sure that all the app passwords were defined by the user.
Preferably, delete all created app passwords and generate new ones.

Check App Permissions:

Review the application permissions approved by the user.
Revoke any permission not recognized by the user.

 

Details

Article ID: 66424
Created: Wed 3/18/20 3:33 PM
Modified: Thu 8/12/21 7:33 AM