Outlook Hijacked: A Step-by-Step Recovery and Investigation

Devender Rao
4 min read · May 25, 2024


Story: I got a call from a friend late one evening saying his account had been compromised. He had already changed the password and added 2FA (an authenticator code) to the account, yet the attackers still had access to it.

The strange part was that hundreds of emails were going out from his account to other people's addresses. The attacker was sending phishing emails from his mailbox, behaving like a bot.

Note: he had been using a weak password, which is how the account got hijacked. Use a complex password or a passphrase.

Getting into the Process:

I logged in to his account and checked the account activity. There were some 10–20 login attempts, a few successful and the rest failed. I looked up one of the source IP addresses on VirusTotal: it was in Germany and flagged as a brute-forcing server, reported 200+ times.

Account Recovery:

I checked the Outlook settings, i.e. forwarding and rules, but everything looked fine, and I also chose to sign out everywhere. Still, emails kept going out to other people's addresses every second.

I read community forums and Microsoft documentation, but everyone says the same thing:

  • Change password
  • Add 2fa
  • Logout from everywhere

I started again from the beginning by checking the activity and noticed one session that said auto sync was enabled. This means that once the service is connected it does not need to reconnect, so even if you change the password it stays connected to your account.

(Screenshot: Recent activity, showing the sync service session)

The Final Fix

From the activity it was clear they were using the IMAP service, which was enabled; it had to be disabled to recover the account.

I reviewed the sync settings in Outlook and found that the POP and IMAP services were enabled. This was the main culprit giving the attackers access. I disabled both immediately, and after a few minutes the mailbox went quiet.

(Screenshot: Final fix, disabling the IMAP service)

Investigation:

Sweet Scammer

Now that the account is fully recovered and secured, I wanted to know what exactly the scammer was after once inside an account. All outgoing emails used mainly three subject lines:

  • Money order found
  • New arrival
  • Financial department

The body followed the same pattern, i.e.

To receive a money transfer, go to your personal account.

Open site. <- this is the website link ->

That is the basic structure of every email that was sent.

(Approximately 10–20 emails every minute.)
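The sending pattern described above (a flood of 10–20 messages a minute to strangers, all with one of three lure subjects) is exactly what you would hunt for in a Sent Items export when triaging a suspected mailbox takeover. The script below is an added example, not code from the post or from Microsoft: it runs three checks over a constructed sample export (made-up rows shaped like the post's description, not the friend's real mail) and combines them into a verdict. The burst threshold of 10 per minute is an assumed tuning value.

```python
from collections import Counter
from datetime import datetime

# Lure subjects quoted in the post.
LURE_SUBJECTS = ("Money order found", "New arrival", "Financial department")

# Constructed Sent Items export (ISO timestamp, recipient, subject). Sample
# data only: three ordinary messages, then a one-minute burst of lures sent
# every 5 seconds to 12 different recipients.
SENT_ITEMS = [
    ("2024-05-24T09:12:07", "colleague@example.org", "Re: meeting notes"),
    ("2024-05-24T13:40:51", "mom@example.org", "Photos from the trip"),
    ("2024-05-25T18:05:19", "bank@example.org", "Statement request"),
] + [
    (f"2024-05-25T21:03:{5 * i:02d}", f"victim{i}@example.net", LURE_SUBJECTS[i % 3])
    for i in range(12)
]


def messages_per_minute(rows):
    """Count sent messages per calendar minute (key: 'YYYY-MM-DDTHH:MM')."""
    counts = Counter()
    for ts, _, _ in rows:
        counts[datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:%M")] += 1
    return counts


def burst_minutes(rows, threshold=10):
    """Minutes in which the account sent at least `threshold` messages.
    `threshold` is an assumed value; the post observed 10-20 per minute."""
    return sorted(m for m, n in messages_per_minute(rows).items() if n >= threshold)


def lure_hits(rows):
    """How often each known lure subject appears (case-insensitive match)."""
    wanted = {s.lower() for s in LURE_SUBJECTS}
    return Counter(subj for _, _, subj in rows if subj.strip().lower() in wanted)


def recipients_in_minute(rows, minute):
    """Distinct recipients hit during one minute. A bot spraying strangers
    shows many; a human replying to a thread shows one or two."""
    return {rcpt for ts, rcpt, _ in rows if ts.startswith(minute)}


def triage(rows, threshold=10):
    """Combine the three signals into one verdict dict."""
    bursts = burst_minutes(rows, threshold)
    hits = lure_hits(rows)
    fan_out = max((len(recipients_in_minute(rows, m)) for m in bursts), default=0)
    return {
        "burst_minutes": bursts,
        "lure_messages": sum(hits.values()),
        "max_recipients_in_a_minute": fan_out,
        "compromised": bool(bursts) and sum(hits.values()) > 0,
    }


if __name__ == "__main__":
    print(triage(SENT_ITEMS))
```

Rate alone is a noisy signal (a mail merge or a mailing-list reply also bursts), which is why the verdict also requires the lure subjects and looks at recipient fan-out within the burst minute.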

Phishing Email Analysis

The link pointed to a website that only acts as a redirector. There were 5–10 different domains across all the emails, used purely to bounce the victim onward so that the final domain does not get flagged as malicious. Every link carries the same base64-encoded url= parameter (the next hop), followed by a different filler string after the #.

Domains from the email:
httpxx://malmyzh43.ru/go/url=-aHR0cHM6Ly91LnRvL2trZGJJQQ#aaPqkfmahHgYtLTLNWOhXFWvzhDErOJhAuselqydaMe
httpxx://h-freed.ru/go/url=-aHR0cHM6Ly91LnRvL2trZGJJQQ#XATKFjYxISXdYnwhWRtuiCrITkYEbvnMLwOoZHOMLaFhafV
httpxx://seopravda.ru/go.php?url=aHR0cHM6Ly91LnRvL2trZGJJQQ#hpHuLPLnROPqJOexhlJdNpnzbIDROeyhkclFcfsZySMKDGrAbIYTZpy
httpxx://diary-culture.ru/go/url=-aHR0cHM6Ly91LnRvL2trZGJJQQ#jOPAuAAJTkFtAcRZDmIJOCFYPRWyogECrM
httpxx://stomatolog-lux.ru/go/url=-aHR0cHM6Ly91LnRvL2trZGJJQQ#CsWKvJZaJFAzTodUTTDJlFhNzUzRmkSmXGYoXJElcjtfTAish
httpx://m.023meishu.com/url.php?url=aHR0cHM6Ly91LnRvL2trZGJJQQ#eutXtTtZukmWcKZMCArEcoTIgZgcADKjiZWpzMH
httpx://4wd-svs-russia.ru/go/url=-aHR0cHM6Ly91LnRvL2trZGJJQQ#SvmYYHVPxBieaXKYUERCvoeCKNPdjaTNcJCGmzBoWDsRKELLWd
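The url= value is identical in all seven links above, and it is plain base64. The Python below is an added example, not code from the post: it strips the filler fragment, pulls the url= value out of either the path (the /go/url=- form) or the query string (the go.php?url= form), decodes it, and confirms that every redirector hands the victim to one and the same short link. The scheme refanging (httpxx = https, httpx = http) is an assumption about the post's defang convention; the decoder itself only needs the host and the url= parameter.

```python
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Redirect links as quoted in the post, still defanged.
REDIRECT_LINKS = [
    "httpxx://malmyzh43.ru/go/url=-aHR0cHM6Ly91LnRvL2trZGJJQQ#aaPqkfmahHgYtLTLNWOhXFWvzhDErOJhAuselqydaMe",
    "httpxx://h-freed.ru/go/url=-aHR0cHM6Ly91LnRvL2trZGJJQQ#XATKFjYxISXdYnwhWRtuiCrITkYEbvnMLwOoZHOMLaFhafV",
    "httpxx://seopravda.ru/go.php?url=aHR0cHM6Ly91LnRvL2trZGJJQQ#hpHuLPLnROPqJOexhlJdNpnzbIDROeyhkclFcfsZySMKDGrAbIYTZpy",
    "httpxx://diary-culture.ru/go/url=-aHR0cHM6Ly91LnRvL2trZGJJQQ#jOPAuAAJTkFtAcRZDmIJOCFYPRWyogECrM",
    "httpxx://stomatolog-lux.ru/go/url=-aHR0cHM6Ly91LnRvL2trZGJJQQ#CsWKvJZaJFAzTodUTTDJlFhNzUzRmkSmXGYoXJElcjtfTAish",
    "httpx://m.023meishu.com/url.php?url=aHR0cHM6Ly91LnRvL2trZGJJQQ#eutXtTtZukmWcKZMCArEcoTIgZgcADKjiZWpzMH",
    "httpx://4wd-svs-russia.ru/go/url=-aHR0cHM6Ly91LnRvL2trZGJJQQ#SvmYYHVPxBieaXKYUERCvoeCKNPdjaTNcJCGmzBoWDsRKELLWd",
]

# url= may sit in the path ("/go/url=-...") or in the query ("?url=...");
# the optional leading "-" is part of the redirector's own syntax.
_URL_PARAM = re.compile(r"(?:^|[?&/])url=-?([A-Za-z0-9_-]+)")


def refang(link: str) -> str:
    """Undo the post's defanging (assumed: httpxx -> https, httpx -> http)."""
    link = re.sub(r"^httpx://", "http://", link)
    return re.sub(r"^httpxx://", "https://", link)


def extract_encoded_target(link: str) -> Optional[str]:
    """Return the raw base64 url= value, or None if the link has none."""
    # Everything after '#' never reaches the server; it only makes each
    # link look unique to a filter, so drop it before matching.
    no_fragment = link.split("#", 1)[0]
    m = _URL_PARAM.search(no_fragment)
    return m.group(1) if m else None


def decode_target(encoded: str) -> str:
    """Base64-decode a url= value; the links omit the '=' padding."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def resolve_hops(links: List[str]) -> List[Tuple[str, Optional[str]]]:
    """[(redirector host, decoded next hop or None), ...] for each link."""
    hops = []
    for link in links:
        host = urlsplit(refang(link)).hostname
        enc = extract_encoded_target(link)
        hops.append((host, decode_target(enc) if enc else None))
    return hops


def shared_next_hop(links: List[str]) -> Optional[str]:
    """The single next hop all links share, or None if they disagree."""
    targets = {target for _, target in resolve_hops(links)}
    return targets.pop() if len(targets) == 1 else None


if __name__ == "__main__":
    for host, target in resolve_hops(REDIRECT_LINKS):
        print(f"{host:24s} -> {target}")
    print("shared next hop:", shared_next_hop(REDIRECT_LINKS))
```

Decoding the parameter offline tells you where the chain goes without touching any of the redirectors, which matters both for not tipping off the operator and for not lending their affiliate link a click.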

Step 1. Redirect Domain

All of these domains redirect to one domain that shows a Continue button.

httpx://emara.ai/wp-content/mu-plugins/wpe-enige.html
(Screenshot: the redirecting domain)

Step 2. Fake Security Alert

As is typical, they pretend that your computer is infected, prompt you to run a scan, and warn that your PC is infected.

(Screenshots: the fake alert and the "Renew Now!!" alert)

Finally: the Renew Now button

After 2–3 scans they ask you to renew the antivirus and redirect to the Trend Micro website. That confused me, because this is the genuine Trend Micro site:

Why does a scammer redirect a User to the Original Website?

httpx://shop.in.trendmicro-apac.com/?clickid=Ssp0tN059xyKWW3WNjWFFSeGUkHQXrzNdQKyTo0&irgwc=1&irclickid=Ssp0tN059xyKWW3WNjWFFSeGUkHQXrzNdQKyTo0

It is confirmed that this is a legitimate domain and not under the attacker's control.

(Screenshot: the final domain and its domain details)

What's the Catch here?

After checking the redirected URL, I concluded that they were using the vendor's affiliate program, which pays them a 20% commission whenever a victim buys the product through their link. The clickid and irclickid parameters in the final URL are affiliate-network click-tracking identifiers; they are what attribute the purchase to the scammer.

(Screenshot: commission rates)

I have seen many phishing emails that ask for credit-card or banking details and steal money directly by tricking the user. This one is a different trick: scare users into buying a real product and collect the commission on the sale.

Still, they are scamming innocent people with tricks like these.

I hope you liked this,

Stay Safe :)

Twitter: @root_rao
