So – you’ve got your email all set up with a really complex password, you’ve got your computers protected with high end anti-malware software and you have your firewalls all set up. All of a sudden you’re getting phone calls from your customers – “Hey, did you send this email with a link to download a file?”
The answer is – no you didn’t, and yes you did! WHAT???
You’ve been hacked – but not really. A hack is when someone, the hacker, breaks into your computer or server and takes the information he needs. What has happened here is not a hack. Let me explain.
At some time in the past – it could be yesterday or it could have been a year ago – you got an email from someone you know. It’s telling you there is a file, an invoice, a picture or any number of things, that you need to download. You recognize the sender so you click on the link. You are taken to a page that asks you for your email address and email password to download the file. You enter the requested credentials and nothing happens. You may try again or you may give up. You may reply to the original email, but you never hear back from the sender. You forget about it.
And now you’re in trouble.
What you’ve done is given the perpetrator everything he needs to program his computer to do all sorts of nasty things. Without any effort he has the keys to the kingdom, and he does the following (this assumes you are using a Microsoft Exchange server, such as Microsoft 365):
First – the perp sets up his Outlook with your email and password. He now sees everything you see in your Outlook. Your emails, contacts, calendar, notes – everything.
Next – he creates a server-based rule that works on all incoming email, marking it as read and moving it to your deleted items folder. This way you don’t see any emails that come in – including any reply to the emails you will be sending.
Now he exports a copy of your mailbox – emails, calendar, contacts, notes – everything – to a local storage folder so he can go over it at his leisure.
Finally, he creates a new email that is sent to everyone in your contact list. This email will look like it came from you because it did come from you. Remember, he is using your credentials to log in to the email server as you, so the emails do come from you! The email will tell the recipient you have a file for them to download. Sound familiar? It is how the perpetrator perpetuates his scam.
So now your email account is sending out emails one at a time, hundreds every minute, to your contacts. You wouldn’t know unless you looked at your sent items. You don’t even have to be on your computer, the ‘bad guy’ is logged in to your account from his computer.
How do we stop the phony email from going out and fix your Outlook?
The very first step is to change your email password. This will stop the emails from going out from the perp’s computer either immediately or very quickly. If your email is hosted by Microsoft you can log in to your account online and force all connections to your email to be disconnected.
The next thing you need to do is stop the rule that moves incoming email to your deleted items. You need to go to the rules section of your Outlook and look for and delete the rule. If it’s not in your Outlook then the rule is on the server. If you are using Office 365 then you need to have your email administrator go to the Exchange admin account and remove the rule there.
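For the administrator doing that cleanup, here is one way to spot the rule described above (marks mail as read and sends it to deleted items). This is an added example, not part of the original post; the function name `Find-HidingInboxRule`, the sample rules and the mailbox address are made up for illustration, and it assumes an English-language mailbox where the folder is called "Deleted Items".

```powershell
# Added example: flag inbox rules that hide incoming mail the way the post
# describes (mark as read + move to Deleted Items, or delete outright).
function Find-HidingInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    process {
        # Assumption: English folder name; adjust for localized mailboxes.
        $toTrash = ("$($Rule.MoveToFolder)" -match 'Deleted Items') -or [bool]$Rule.DeleteMessage
        if (-not ($Rule.Enabled -and $Rule.MarkAsRead -and $toTrash)) { return }

        # A rule with none of these conditions set applies to all incoming mail.
        $conditions = 'From', 'SubjectContainsWords', 'BodyContainsWords',
                      'SubjectOrBodyContainsWords', 'FromAddressContainsWords'
        $scoped = $false
        foreach ($c in $conditions) { if ($Rule.$c) { $scoped = $true } }

        [pscustomobject]@{
            Name      = $Rule.Name
            Identity  = $Rule.Identity
            AppliesTo = if ($scoped) { 'Filtered mail' } else { 'ALL incoming mail' }
        }
    }
}

# Constructed sample rules so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ Name = 'Cleanup'; Identity = 'sample\1'; Enabled = $true
                       MarkAsRead = $true; MoveToFolder = 'Deleted Items'; DeleteMessage = $false }
    [pscustomobject]@{ Name = 'Newsletters'; Identity = 'sample\2'; Enabled = $true
                       MarkAsRead = $false; MoveToFolder = 'Newsletters'; DeleteMessage = $false
                       From = @('news@example.com') }
)
$sample | Find-HidingInboxRule   # only 'Cleanup' is reported

# Against a live mailbox (ExchangeOnlineManagement module, admin rights):
#   Connect-ExchangeOnline
#   Get-InboxRule -Mailbox user@example.com | Find-HidingInboxRule
#   Remove-InboxRule -Mailbox user@example.com -Identity '<Identity from output>'
```

Review each flagged rule with the mailbox owner before removing it, since a legitimate rule can have the same shape.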
Now the hard part comes – if you look in your sent items you will see ALL the emails that were sent. Depending on your contact list – it could be a short list or thousands. It’s difficult if not impossible to contact everyone who may have received your bogus email. It won’t happen before at least some of them have shared their own credentials. Be prepared to share these instructions so they can stop the process on their email.