The Stick
Our last two password hacks were Microsoft Dynamics CRM users. Most all of the CRM stuff is managed thru web browser to 365. They either didn't log out, or didn't log out and close that browser window before surfing. Their password was gotten thru an ad on a web page scraping their browser window cache.
The hackers were real sneaky too. They would send out a spam to a big list, and add a rule that put all the non-delivery reports and replies in their trash. Then they would go thru and delete the sent item, and the user's trash folder. Found the evidence by recovering deleted items. Searched mailboxes for rules and found a couple more users that had the rules added but had not been targeted to send from yet.
Changed all the CRM users passwords, but management still wouldn't let me set the CRM users to use MFA. So sometimes it's not all on the users.
Have turned on logging so get a list of logins and IP addresses to look thru every once in a while to see if they are accessed from anywhere weird. Would block countries like Nigeria, but hackers are using VPNs. Would like to limit the IPs users can access their work stuff from, but that costs a lot since all users would need to have an Azure license. Comes up to about $60K.
__________________
Richard aka "The Stick"
06 Cayenne S Titanium Edition
Last edited by RKDinOKC; 05-11-2018 at 11:39 AM..
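
The mailbox-rule search described in the post above, sketched as an added example that is not part of the original post: it flags inbox rules that send non-delivery reports or replies to the trash, or delete all incoming mail. The rule export format, field names, folder list and sample rules are constructed assumptions, not output from any real tenant.

```python
import re

# Constructed sample: inbox rules exported per mailbox as dicts.
# Field names are hypothetical, chosen for this example only.
SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Newsletters",
     "subject_contains": ["weekly digest"], "from_contains": [],
     "move_to_folder": "Newsletters", "delete_message": False, "mark_as_read": False},
    {"mailbox": "bob@example.com", "name": ".",
     "subject_contains": ["Undeliverable", "Delivery Status Notification", "RE:"],
     "from_contains": ["postmaster", "mailer-daemon"],
     "move_to_folder": "Deleted Items", "delete_message": False, "mark_as_read": True},
    {"mailbox": "carol@example.com", "name": "cleanup",
     "subject_contains": [], "from_contains": [],
     "move_to_folder": None, "delete_message": True, "mark_as_read": False},
]

# Folders a user rarely looks in (assumed list; adjust to local folder names).
HIDING_FOLDERS = {"deleted items", "trash", "junk email"}
# Terms typical of bounce messages and replies to a mass mailing.
BOUNCE_RE = re.compile(
    r"undeliver|delivery (status|fail)|non-?delivery|mailer-daemon|postmaster|^(re|aw):?$",
    re.I)

def rule_findings(rule):
    """Return reasons a rule looks like it hides bounces/replies; [] if benign."""
    folder = (rule.get("move_to_folder") or "").strip().lower()
    if not (rule.get("delete_message") or folder in HIDING_FOLDERS):
        return []  # rule does not hide mail from the user
    terms = rule.get("subject_contains", []) + rule.get("from_contains", [])
    if any(BOUNCE_RE.search(t) for t in terms):
        reasons = ["targets non-delivery reports or replies"]
    elif not terms:
        reasons = ["no conditions: applies to all incoming mail"]
    else:
        return []  # hides mail, but only for unrelated, specific conditions
    reasons.append("deletes message" if rule.get("delete_message")
                   else f"moves to '{rule['move_to_folder']}'")
    if rule.get("mark_as_read"):
        reasons.append("marks as read")
    return reasons

def audit(rules):
    """Return (mailbox, rule name, reasons) for every suspicious rule."""
    return [(r["mailbox"], r["name"], why)
            for r in rules if (why := rule_findings(r))]

if __name__ == "__main__":
    for mailbox, name, reasons in audit(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r}: " + "; ".join(reasons))
```

A hit on a mailbox that has not yet sent anything unusual matches the post's observation that rules were planted before the accounts were used.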