Someone got access to one of your clients' M365 mailboxes, now what?

Every minute counts.

That’s the truth when it comes to recovering a client, a prospect (or your MSP) from a ransomware attack.

Having audited over a thousand MSPs at this point, we keep seeing one flagrant oversight in many organizations: a lack of planning for an event like the ones that have been hitting SMBs and their IT support teams over the past few years.

Many in MSP leadership don’t have a starting point. How do you break down a response into bite-sized pieces that any technician could accomplish? That’s where a lot of MSPs get stuck.

It’s not that they aren’t capable of doing the work. It’s that no one really trains you how to do this type of work. No one has triggered a process or way of thinking that aligns to a mindset of recovery.

Just as with any remediation event, M365 should be no different.

If one of your client’s M365 mailboxes were compromised, your response should be made up of bite-sized steps that could be easily implemented.

Here are 7 steps to start your checklist (Note: you will want to plan your incident response with your team. I’d highly recommend performing a tabletop exercise. Here is a good template many MSPs have started to use to plan out their events).

Freeze the account—if you were dealing with a ransomware attack on a network, I’m sure this would be the obvious first step. Get any impacted device off the network so that it can’t do any more harm. The same goes for cloud accounts. Your goal in freezing an account is to stop the attacker from performing additional activity, while keeping any records or logging intact to indicate what the attacker might have touched.

Before doing anything with the account, I’d recommend taking a snapshot of it so that you have a record of the account in case you need to look at forensic evidence later.

Make sure auditing is on—make sure that auditing is intact so that you can determine the scope of remediation. If auditing has been disabled, restore it before moving on to any additional steps. This will help your team determine the extent of the breach activity and whether it has been ongoing.

Change passwords—I’m sure this is probably an obvious step, but you’d be surprised how often it gets missed when working through a chaotic breach response. Make sure to change credentials on all impacted accounts—those confirmed to have been breached AND any suspected accounts.

Figure out the impact—this is where the sleuthing starts. Determine what happened on the account. What information was accessed? Who was contacted? What shares were accessed, or what shares did the account have access to during the breach period? Answering these questions will help determine the scope of the breach and figure out an appropriate means to communicate with anyone impacted by it.

Figure out how it happened—it’s one thing to remediate a breach, but unless you understand how it happened, how in the heck are you supposed to prevent it from happening again? Was it a password leak? A phishing attack? Was it a configuration or settings issue with the account? Does it seem like a targeted attack? Get a grip on how and why an attacker chose that account so that your team can better protect highly targeted individuals going forward.

Communicate to necessary stakeholders—you probably will want to communicate with certain individuals on your internal team to understand what they need to be thinking about. These attacks are not solely technical in nature. Once you have a good understanding of the details of the attack, you may want to talk to legal, PR, your HR or customer service departments within your client’s organization to help best steer the conversation.
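The five technical steps above (freeze and snapshot, confirm auditing, reset credentials, scope the impact, and gather evidence of how it happened) can be scripted so that any technician runs the same playbook. The PowerShell below is an added example, not code from the original post or from any product it mentions. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed, that the operator has admin rights over the user and mailbox, and that `$Upn` is a placeholder for the compromised account. The litigation hold used as the "snapshot" requires a hold-capable license, and `Search-UnifiedAuditLog -UserIds` returns actions the account itself performed, which is exactly the "what did the attacker touch" question.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Reports, ExchangeOnlineManagement
# Added example (not from the original post). Assumes Graph PowerShell SDK + ExchangeOnlineManagement,
# an admin session, and a placeholder UPN for the compromised account.
param(
    [Parameter(Mandatory)][string]$Upn,   # e.g. 'user@contoso.example' (placeholder)
    [int]$LookbackDays = 30               # how far back to pull audit evidence
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All'
Connect-ExchangeOnline

# --- Step 1: freeze the account --------------------------------------------
# Block new sign-ins and revoke existing tokens so the attacker loses access,
# while leaving mailbox contents and logs untouched.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn
# "Snapshot": a litigation hold preserves items (even ones deleted later) for eDiscovery.
Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true

# --- Step 2: make sure auditing is on --------------------------------------
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
if (-not (Get-Mailbox -Identity $Upn).AuditEnabled) {
    Set-Mailbox -Identity $Upn -AuditEnabled $true
}

# --- Step 3: change the password -------------------------------------------
# Random 24-character password; the user must change it at next sign-in.
$chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%&*+-=?@'
$newPassword = -join (1..24 | ForEach-Object { $chars | Get-Random })
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# --- Step 4: figure out the impact -----------------------------------------
$start = (Get-Date).AddDays(-$LookbackDays); $end = Get-Date
# Persistence and exfiltration mechanisms commonly left behind in a mailbox.
$rules = Get-InboxRule -Mailbox $Upn |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder
$forwarding = Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
$delegates = Get-MailboxPermission -Identity $Upn |
    Where-Object { $_.User -notlike 'NT AUTHORITY\SELF' -and -not $_.IsInherited }
# What the account actually did: every audited operation performed by this user.
$activity = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, ClientIP, ClientInfoString, ResultStatus

# --- Step 5: figure out how it happened ------------------------------------
# Sign-in history (IP, country, app, result) and any authentication methods
# registered on the account, so unexpected ones can be spotted and removed.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 200 |
    Select-Object CreatedDateTime, IpAddress,
                  @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
                  AppDisplayName, ClientAppUsed,
                  @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }
$authMethods = Get-MgUserAuthenticationMethod -UserId $Upn

# Write everything to a case folder for the incident record and stakeholder updates.
$case = Join-Path $PWD ("case-$($Upn -replace '[@.]', '_')-" + $end.ToString('yyyyMMddHHmm'))
New-Item -ItemType Directory -Path $case -Force | Out-Null
$rules       | Export-Csv (Join-Path $case 'inbox-rules.csv')    -NoTypeInformation
$forwarding  | Export-Csv (Join-Path $case 'forwarding.csv')     -NoTypeInformation
$delegates   | Export-Csv (Join-Path $case 'delegates.csv')      -NoTypeInformation
$activity    | Export-Csv (Join-Path $case 'audit-activity.csv') -NoTypeInformation
$signIns     | Export-Csv (Join-Path $case 'sign-ins.csv')       -NoTypeInformation
$authMethods | ConvertTo-Json -Depth 5 | Set-Content (Join-Path $case 'auth-methods.json')

# Quick on-screen summary: which operations the account performed, most frequent first.
$activity | Group-Object Operation | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```

The script is deliberately ordered the way the post orders the steps: it revokes access before it resets the password (a reset alone does not invalidate tokens already issued), and it turns auditing on before collecting evidence so that anything the attacker does after containment is still recorded. The exported CSVs give the non-technical stakeholders in the next step something concrete to work from.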

I know many of these steps may seem basic, but unless you’re defining them and have a plan of action to get your team through different common events like a mailbox compromise, you likely won’t be walking in step to resolve and quickly remediate the attack.

Unless your team is thinking like a hacker, how will you be sure that they’ll know what to do?

Many MSPs have started using Level Up as a baseline to their security programs.