🌊 Thought process of a Cyber Admin

context: a user here was notified by a number of other users that her account had sent them an email with attachments that she doesn't remember sending. Her sent items also didn't seem to record these messages. We then had the suspicion that maybe her account was compromised. The first step was resetting the password right away; we then prepared some comms and reported it to our cybersec professional.
Hi ****,

  

There are no suspicious logins observed in the logs for 16th Jan when the emails were sent. All the logins were from 163.7.134.209. The IP address is from where the user signs in normally, so assuming a home address. Unless the user account was left signed in somewhere or the computer was left unlocked and unattended.


Ran a search with the email subjects and concluded the emails have not been sent anywhere else other than to the users mentioned.


Please confirm the registered phone number for MFA.

Also awaiting a password reset by the user.



Actions taken:

Revoked all active sessions,
Signed out of all devices, and
Revoked all valid MFA tokens on all remembered devices.


Regards,

***** *****


It's just nice to see the approach and what indicators one can check to verify a compromise: IP addresses, subject headings and general logs were considered.

It was also interesting that verifying the registered phone number was encouraged, suggesting the possibility of compromised MFA.
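As an added illustration (not from the post or from the cybersec professional's reply), here are the same checks run over a constructed sign-in log and message trace in Python: build the user's baseline IPs from earlier successful sign-ins, list incident-day sign-ins from outside that baseline, and find every recipient of messages with the reported subject. The users, addresses, timestamps and year are all made up.

```python
from collections import Counter

# Constructed sample records (not real logs): RFC 5737 documentation addresses,
# made-up users and an arbitrary year, since the post only says "16th Jan".
SIGNIN_LOG = [
    {"user": "alice", "ts": "2024-01-10T08:02:11", "ip": "203.0.113.5", "result": "success"},
    {"user": "alice", "ts": "2024-01-12T08:15:40", "ip": "203.0.113.5", "result": "success"},
    {"user": "alice", "ts": "2024-01-14T21:47:03", "ip": "198.51.100.77", "result": "failure"},
    {"user": "alice", "ts": "2024-01-15T07:58:22", "ip": "203.0.113.5", "result": "success"},
    {"user": "alice", "ts": "2024-01-16T09:01:09", "ip": "203.0.113.5", "result": "success"},
    {"user": "alice", "ts": "2024-01-16T10:20:51", "ip": "198.51.100.77", "result": "success"},
]
MESSAGE_TRACE = [
    {"sender": "alice", "recipient": "bob", "subject": "Invoice attached", "ts": "2024-01-16T10:31:00"},
    {"sender": "alice", "recipient": "carol", "subject": "Invoice attached", "ts": "2024-01-16T10:31:02"},
    {"sender": "alice", "recipient": "dave", "subject": "Lunch?", "ts": "2024-01-16T11:05:13"},
    {"sender": "bob", "recipient": "alice", "subject": "Re: Invoice attached", "ts": "2024-01-16T10:40:00"},
]

def baseline_ips(log, user, before_day, min_count=2):
    """IPs the user signed in from successfully before the incident day.
    Failed attempts are ignored so guesses from elsewhere cannot poison the baseline,
    and an IP must recur min_count times to count as 'where the user normally signs in'."""
    seen = Counter(e["ip"] for e in log if e["user"] == user
                   and e["result"] == "success" and e["ts"][:10] < before_day)
    return {ip for ip, n in seen.items() if n >= min_count}

def unusual_logins(log, user, day):
    """Sign-ins (any result) on the incident day from outside the user's baseline IPs."""
    base = baseline_ips(log, user, day)
    return [e for e in log if e["user"] == user and e["ts"][:10] == day and e["ip"] not in base]

def recipients_of(trace, sender, subject):
    """Everyone the reported subject went to, to confirm the incident's scope."""
    want = subject.strip().lower()
    return sorted({m["recipient"] for m in trace
                   if m["sender"] == sender and m["subject"].strip().lower() == want})

def triage(log, trace, user, day, subject):
    """One summary in the shape of the reply quoted above."""
    odd = unusual_logins(log, user, day)
    return {
        "baseline_ips": sorted(baseline_ips(log, user, day)),
        "unusual_logins": [(e["ts"], e["ip"], e["result"]) for e in odd],
        "recipients": recipients_of(trace, user, subject),
        "verdict": "no suspicious logins" if not odd else "review sign-ins from unknown IPs",
    }

if __name__ == "__main__":
    print(triage(SIGNIN_LOG, MESSAGE_TRACE, "alice", "2024-01-16", "Invoice attached"))
```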
