Note that when Office 365 is first installed on a PC it creates a directory for itself in Program Files.
A remote attacker who gets non-admin access to a PC can read the creation date of that directory to see when it was installed. For example, on my laptop, Add/Remove Programs shows an MS Office Pro 2016 install date of 1/13/2024, which is the last date that a patch was installed. But the c:\program files\microsoft office 15 folder date is 8/23, which was the actual install date. The attacker can theorize that Office 365 was installed when it was bought, and since Microsoft does yearly billing on the anniversary of purchase, there's a good chance your billing anniversary is around the date of first install. So they can customize phishing for this.

Another way is, of course, guessing a password and then using it to access your email. Since so many people are running Office 365 with email in the cloud, if they get your email password they can access your mailbox and search for past billings from Microsoft. Good places to look are Deleted Items, since a lot of people don't empty theirs.

This is why Microsoft made multifactor authentication on by default for new 365 setups a few years ago, and they buried the configuration switch to turn it off deep in the Azure control panel so you have to be really persistent to dig it out and turn it off. But 365 resellers like GoDaddy who "stupid-down" the Azure interface all prominently put MFA on/off in their stupid-downed control panels, and guess what the most commonly requested thing to turn off in 365 is? Keep in mind, since you are using 365, Microsoft does allow people to shoot themselves in the foot with security.

I would bet your attacker discovered your 365 subscription anniversary date months ago from some leakage and had it all planned.
Ted

-----Original Message-----
From: PLUG <plug-boun...@lists.pdxlinux.org> On Behalf Of mo
Sent: Friday, January 26, 2024 11:40 AM
To: Portland Linux/Unix Group <plug@lists.pdxlinux.org>
Subject: Re: [PLUG] virus check methods

Unfortunately it passed all gsuite filters bc it's a real vendor we use & it had something we were awaiting (sign renewal docs).

On Fri, Jan 26, 2024, 11:36 MC_Sequoia <mcsequ...@protonmail.com> wrote:
> "1 of my vendors had their email compromised recently. the attacker
> then sent out emails with docs to sign for renewals via ms office/outlook
> links."
>
> Also, whatever your mail server situation is, whether it's a hosted
> provider or in-house, I'd suggest looking into some kind of email
> malware/spam scanner/filter such as Spam Assassin as well as otherwise
> doing everything you reasonably can to secure/harden your email server.
>
> It has been over a decade since I've done any of that, but it seems to
> me that a lot of good work has been done in that area and this email
> probably shouldn't have gotten through a current secured/hardened
> email server: blacklists, bayesian filters, domain keys, etc, etc.
>
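An added example of the check Ted describes above, not part of the original PLUG thread: a PowerShell snippet that reads the creation date of the Office install directory and lists it next to the install date Add/Remove Programs reports from the registry. Both reads work as a standard (non-admin) user. The folder names it probes and the Uninstall registry keys it searches are assumptions about a typical Office 2016 / Microsoft 365 install, and the function name is made up for this example.

```powershell
# Added example, not from the original thread. Shows the discrepancy Ted
# describes: the Program Files directory keeps its original CreationTime
# while the Add/Remove Programs date moves with patches.
function Get-OfficeInstallDates {
    # Assumed install locations (Click-to-Run and MSI layouts, 64- and 32-bit).
    $candidates = @(
        "$env:ProgramFiles\Microsoft Office",
        "${env:ProgramFiles(x86)}\Microsoft Office",
        "$env:ProgramFiles\Microsoft Office 15",
        "${env:ProgramFiles(x86)}\Microsoft Office 15"
    )

    # Filesystem view: patching rewrites files inside the directory, but the
    # directory's own CreationTime is set once, at first install.
    foreach ($dir in $candidates) {
        if (Test-Path -LiteralPath $dir) {
            $item = Get-Item -LiteralPath $dir
            [pscustomobject]@{
                Source = 'Directory CreationTime'
                Name   = $dir
                Date   = $item.CreationTime
            }
        }
    }

    # Registry view: the entries Add/Remove Programs displays. InstallDate, when
    # present, is a yyyyMMdd string; Ted observes the displayed date tracks the
    # last patch rather than the first install.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    Get-ChildItem -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object {
            $_.DisplayName -like 'Microsoft Office*' -or
            $_.DisplayName -like 'Microsoft 365*'
        } |
        ForEach-Object {
            $parsed = $null
            if ($_.InstallDate -and $_.InstallDate -match '^\d{8}$') {
                $parsed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Source = 'Registry InstallDate'
                Name   = $_.DisplayName
                Date   = $parsed   # $null if the entry carries no InstallDate
            }
        }
}

Get-OfficeInstallDates | Sort-Object Date | Format-Table -AutoSize
```

Run it from a normal user session; if the directory's CreationTime is months or years earlier than the registry date, that earlier date is the one an attacker with a foothold would take as the likely purchase (and billing anniversary) date.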