I am a part of an MSP that is in a sort of a terrible situation. I’m sure you all are aware of the recent breach on Microsoft’s Exchange servers, which at first I thought was under control and mitigated quickly based on Microsoft’s breach notes. But this is far from the truth, and I am finding that a lot of my clients hosted with Microsoft are now becoming the victims of massive phishing attacks. All clients are at risk, but one is more targeted than others, which I will go into. Hopefully you guys can review and point me in the right direction.
First we realized that this client was getting successful sign-ins from random IP addresses across the country, which was a clear red flag. Then we noticed that there was a clear domain that was spoofed under the guise of one of our clients. They changed the ‘I’ to a ‘l’ and had the username match the email address of the client. If our client’s email was [[email protected]](mailto:[email protected]), the spoofed email that was sent to one of their main vendors looked like this ([[email protected]](mailto:[email protected]) <[[email protected]](mailto:[email protected])>). This was a clear phishing attempt, but we found where the domain was hosted and were able to get them shut down. We immediately ensured 2FA was pushed to each of our clients’ users to try and mitigate any further sign-ins. But, little did we know, this is just the beginning.
It’s been about 4 days and now this client is telling me that they are getting hundreds of emails from not just one vendor, but almost every one of their clients is receiving emails from a spoofed email under random domains now, but with our client’s owner’s name and email address ([[email protected]](mailto:[email protected]) <[email protected]>). It appears they got access to their client list, and I am having a very hard time trying to figure out how to stop these attacks. I know it’s hard with spoofed emails that are being sent out under the guise of our clients, but I really need some tips on how to handle a situation like this. *Another thing to note is that when the clients get the spoofed emails, a lot of them are disappearing when they open them, or when they try to forward. Not sure how this is happening at all. If anyone has been in a similar situation, please give suggestions.
P.S. Sorry if this isn’t the easiest to follow, I was kind of scrambling lol, but I will provide any additional information if requested to help diagnose/neutralize this issue.
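As an added example (not from the original post), here is a small Python triage script for the two spoofing patterns the post describes: the one-character look-alike domain (‘I’ swapped for ‘l’) and display-name spoofing, where the owner’s name or real address is shown but the actual sender is on an unrelated domain. The client domain, owner name and sample From: headers are constructed placeholders.

```python
# Triage From: headers for the two spoofing patterns described in the post:
# a look-alike domain (one character swapped) and display-name spoofing
# (our owner's name or address shown, but the real sender is on an unrelated domain).
# All domains and names below are constructed placeholders, not the poster's real ones.

PROTECTED_DOMAIN = "ironville.example"      # hypothetical client domain
PROTECTED_NAMES = {"pat owner"}             # hypothetical client owner, lower-cased

# Look-alike characters folded to one canonical form before comparing domains.
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})

def canonical(domain: str) -> str:
    """Lower-case, fold confusable characters, strip dots and hyphens."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w").replace(".", "").replace("-", "")

def split_from(header_value: str) -> tuple[str, str]:
    """Split 'Display Name <addr>' into (name, addr); a bare address gets an empty name."""
    value = header_value.strip()
    if value.endswith(">") and "<" in value:
        name, _, rest = value.rpartition("<")
        return name.strip().strip('"'), rest[:-1].strip()
    return "", value

def classify_from(header_value: str) -> str:
    """Return 'clean', 'lookalike-domain' or 'display-name-spoof' for one From: header."""
    name, addr = split_from(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == PROTECTED_DOMAIN:
        return "clean"                      # genuine domain; SPF/DKIM/DMARC decide this one
    if canonical(domain) == canonical(PROTECTED_DOMAIN):
        return "lookalike-domain"           # e.g. the 'I' -> 'l' swap in the post
    shown = name.lower()
    if shown in PROTECTED_NAMES or shown.endswith("@" + PROTECTED_DOMAIN):
        return "display-name-spoof"         # our identity shown, unrelated sending domain
    return "clean"

def triage(headers: list[str]) -> dict[str, list[str]]:
    """Group headers by verdict so a mail admin can build block rules or DMARC follow-up."""
    groups: dict[str, list[str]] = {}
    for h in headers:
        groups.setdefault(classify_from(h), []).append(h)
    return groups

# Constructed sample headers modelled on the post's two waves.
SAMPLE_FROM_HEADERS = [
    "Pat Owner <pat@ironville.example>",                  # legitimate
    "pat@ironville.example <pat@lronville.example>",      # wave 1: 'i' -> 'l' look-alike domain
    "Pat Owner <pat.owner@freemail-host.example>",        # wave 2: owner's name, random domain
    "Vendor Billing <ap@vendor.example>",                 # unrelated, legitimate
]
```

Run `triage(SAMPLE_FROM_HEADERS)` to see the grouping; the look-alike bucket is what to feed into takedown requests, while the display-name bucket is only stoppable on the recipients' side (DMARC on your domain does not cover it).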