
I've got a bunch of good IOCs, I'll send you a list. This account was almost certainly compromised through a phish containing a fake MS login page. The page is designed to validate the credentials through Exchange. I can spot phished accounts in our logs because an MS Exchange client authenticates to Gmail. Normal user authentications use SAML. I'll include screenshots.
On Fri, Apr 28, 2023, 8:09 PM Dustin Udy d.udy@utah.edu wrote:
Seems like the same technique we saw.
Dustin
*From:* USHE-ISO ushe-iso-bounces@lists.dixie.edu on behalf of Eric Bennick via USHE-ISO ushe-iso@lists.dixie.edu
*Sent:* Friday, April 28, 2023 7:57:52 PM
*To:* ushe-iso@lists.dixie.edu
*Subject:* Re: [USHE-ISO] Compromised account activity
Tuesday, actually. That's what happens when you lose a night of sleep.
On Fri, Apr 28, 2023, 7:51 PM Eric Bennick ebennick@weber.edu wrote:
We had a compromised account on our VPN which ran scans on port 22 and connected to any devices with SSH listening. It was also talking out to other institutions, so I've included log info from our DNS servers so you can check for activity.
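The detection idea from the first message (in an SSO-only tenant, any successful non-SAML sign-in, especially one from an Exchange-style client, marks a phished account) as an added example, not code from anyone on the thread. The log records are constructed and simplified; the field names (`user`, `event`, `login_type`, `client`, `ip`) are assumptions, not the vendor's export schema.

```python
"""Flag Google Workspace sign-ins that bypass the SAML/SSO path.

Legitimate users here only ever authenticate via SAML, so a successful
password- or Exchange-style login is a replayed phished credential.
Record layout is CONSTRUCTED and simplified; field names are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample events (newline-delimited JSON), not real log data.
SAMPLE_LOG = """
{"ts": "2023-04-25T02:14:09Z", "user": "alice@example.edu", "event": "login_success", "login_type": "saml", "client": "Browser", "ip": "198.51.100.20"}
{"ts": "2023-04-25T02:16:41Z", "user": "bob@example.edu", "event": "login_success", "login_type": "google_password", "client": "Microsoft Exchange", "ip": "203.0.113.77"}
{"ts": "2023-04-25T02:17:05Z", "user": "bob@example.edu", "event": "login_failure", "login_type": "google_password", "client": "Microsoft Exchange", "ip": "203.0.113.77"}
{"ts": "2023-04-25T03:02:55Z", "user": "carol@example.edu", "event": "login_success", "login_type": "saml", "client": "Browser", "ip": "198.51.100.21"}
{"ts": "2023-04-25T03:40:12Z", "user": "dave@example.edu", "event": "login_success", "login_type": "exchange", "client": "Microsoft Exchange", "ip": "203.0.113.78"}
"""

EXPECTED_LOGIN_TYPES = {"saml"}  # the only path a legitimate user takes


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_non_sso_logins(events, expected=EXPECTED_LOGIN_TYPES):
    """Return successful logins whose login_type is outside the SSO set.

    Failures are ignored: a replayed password that never worked is noise;
    a successful one is an account to reset and investigate.
    """
    return [
        e for e in events
        if e["event"] == "login_success" and e["login_type"] not in expected
    ]


def suspicious_accounts(events):
    """Map each flagged user to its set of source IPs (reset list + IOCs)."""
    by_user = defaultdict(set)
    for e in find_non_sso_logins(events):
        by_user[e["user"]].add(e["ip"])
    return dict(by_user)


if __name__ == "__main__":
    for user, ips in suspicious_accounts(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: non-SSO login from {', '.join(sorted(ips))}")
```

Pointing `parse_events` at a real login-audit export only requires mapping that export's field names onto the five used here.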