General
This alarm is triggered when the account intended for emergencies is used.
Rationale
The emergency account has the highest privileges but no two-factor authentication. This is intentional: it provides a way into the environment when the second-factor method fails on a large scale. Outside such an emergency, however, the account should not be used at all. Any unplanned use of the account is therefore suspicious: the password may have fallen into the wrong hands.
Follow-up
Perform these steps to adequately follow up on this detection:
- Check with colleagues who have access to the login credentials of the emergency account whether the use was planned.
- If not: treat the emergency account as compromised:
  - Reset the password of the emergency account.
  - Revoke all logged-in sessions of the emergency account.
  - Consider conducting an Attic Tier2 investigation to learn more about the attack (who, what, when, where, why, how?). This is strongly advised since the executing user is a different person than the owner of the mailbox.
- If yes: close the Attic incident as resolved.