I recently helped a small non-profit recover from a disgruntled director hijacking their O365 tenant and domains. The director was able to do this because they were a Global Admin for the tenant. This post is about what happened, from an O365\domain standpoint only, and is a warning to other orgs out there.
When I was contacted by the interim director of the org I was asked to see what the ex-director had done. I quickly found out I was unable to log in to their O365 tenant. I then tried a couple of other test accounts I had and none of them worked. My next step was to try to log in to their GoDaddy account, but that also failed.
So I called Microsoft O365 support… And waited… And waited… When I got someone I described the issue to them, was transferred and repeated this to a few different people, before getting to the data protection team. As suspected, they wanted to verify who I was and the only method they would use was a domain validation (DNS record), since my account and any other account I had access to no longer existed. Because I didn’t have access to the GoDaddy account, where DNS was hosted, I had no way to validate I was the actual admin\owner of the domain. In addition, their policies require that they contact all Global Admins before doing anything else. Since the disgruntled ex-employee was the only Global Admin left I knew this wouldn’t help.
So I called GoDaddy. Since I didn’t have the password or call-in PIN, which were changed by the ex-employee, they initially said they couldn’t help. But I then got transferred to a manager and we went over the issue further. He said that if we could get the domain record owner, the domain registrant contact, to send in a copy of their photo ID and a letter on the non-profit's letterhead, he would reset the password. The problem with this is that the domain contact was a person who set up the domain years ago. The contact number for him was the number for the non-profit. So I sent him an email explaining the situation and asked him to contact me for more details, but I never heard back.
So after spending a few hours with O365 and GoDaddy support I was dead in the water with this issue.
I called back the interim director and told her that currently I was stuck and asked about getting the passwords from the ex-employee. She let me know that they had already had a lawyer write up a letter to the ex-employee and it was to be delivered that day by certified carrier. The ex-employee had until noon the next day to turn over several items she took and any passwords. If she did not, the org was going to file charges against her for theft and other offences. So we decided to wait it out to see if she would turn over the passwords. The only other alternatives we had were to call back O365 & GoDaddy support and beg them to help us further, and to hope that the person who registered the domain years ago would also help.
Luckily, the ex-employee turned over the passwords to GoDaddy & her O365 account the next day.
With the new passwords, I logged into GoDaddy and did the following:
- Changed the password on the account
- Changed the contact info to my name, as the technical lead for the org
- Set up delegated access to my primary GoDaddy account
- Changed the contact info on the domain to me as primary & technical contact and the interim director as the administrative contact
- Set up two-factor authentication to my cell phone
- Set up a new PIN
- Shared the new login info and PIN with the interim director
On O365, I set up an account for me, recovered the other accounts this person had deleted and granted the interim director Global Admin rights also. The last I did just in case I got hit by a bus.
- Make sure your domain(s) contact info is current and multiple trusted parties are listed on it
- Set the password on your domain account to something complex and save it in a safe place
  - A safe place could be a piece of paper in a safe that only a few people have access to or, better, a password saving tool, like LastPass, that only a VERY few people have access to.
- Set up alerts, if possible, so key people are notified when the password is changed on the domain hosting account and when settings are changed on the DNS and\or hosting account
- Have at least two accounts with Global Admin rights that admins have access to and another with a password that is stored in a safe place, that management can access if needed
With access recovered I then recovered the deleted accounts & mailboxes, which just took a few clicks at https://portal.office.com/AdminPortal/Home by going to Users\Deleted Users, selecting the users and clicking Restore. By default, O365 will keep deleted users and mailboxes for 30 days.
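A read-only check for two of the points above, the Global Admin count and the 30-day deleted-user window, as an added example that is not from the original post. It assumes the Microsoft Graph PowerShell module is installed and that you sign in with an account allowed to read directory roles; the threshold of three admins is an assumption taken from the recommendation list.

```powershell
# Added example: audit Global Admin coverage and soft-deleted users.
# Assumes the Microsoft.Graph module is installed; makes no changes to the tenant.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

# Well-known template ID of the built-in Global Administrator role.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$minimumAdmins = 3    # assumption: two admin-held accounts plus one stored in a safe place
$retentionDays = 30   # default retention for deleted users, per the post

$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalAdminTemplateId'"

# Role members can include service principals; keep only user accounts.
$admins = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.AdditionalProperties['userPrincipalName']
            DisplayName       = $_.AdditionalProperties['displayName']
        }
    }

$admins | Sort-Object UserPrincipalName | Format-Table -AutoSize

$adminCount = @($admins).Count
if ($adminCount -lt $minimumAdmins) {
    Write-Warning "Only $adminCount Global Admin account(s); a single departure or takeover can lock the org out."
}

# Soft-deleted users are purged after the retention window, so report the days left.
$now = (Get-Date).ToUniversalTime()
$deleted = Get-MgDirectoryDeletedItemAsUser -All -Property 'id', 'userPrincipalName', 'deletedDateTime' |
    ForEach-Object {
        $age = ($now - $_.DeletedDateTime.ToUniversalTime()).Days
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            DeletedUtc        = $_.DeletedDateTime
            DaysUntilPurge    = [math]::Max(0, $retentionDays - $age)
        }
    }

$deleted | Sort-Object DaysUntilPurge | Format-Table -AutoSize
if (@($deleted).Count -gt 0) {
    Write-Warning "$(@($deleted).Count) deleted user(s) awaiting purge; confirm each deletion was authorized."
}
```

Running this on a schedule from an account other than the day-to-day admin gives a second person visibility into admin membership and unexpected deletions.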
With the deleted mailboxes recovered I then delegated access to the ex-director’s mailbox to the interim director and asked her to look it over. She got back to me and told me there were very few emails in it. So I assumed the ex-director had deleted email. But since this org was using the free O365 for Non-profit E1, we had no access to the eDiscovery tools to search mailboxes or put them on retention hold. So with authorization, I upgraded the ex-director’s account to an E3 license, which includes eDiscovery support.
After searching her mailbox, I found many hard deleted items. I placed the mailbox on retention hold, exported the search results to the Discovery mailbox and exported her entire mailbox, including deleted items, to a PST file. The PST file provided a better format since it kept the folder structure, even deleted folders, intact. With the Discovery mailbox all results are dumped into a single folder.
I plan on making a post that goes into more details on the eDiscovery processes I used above soon.