Host actively used as part of O365 Tenant Compromise between 1st June 2022 and 20th July 2022. Host is an RDP server used by an attacker as origin host for the attack. Attacker compromised user mail accounts, stole sensitive information, attempted to trick a user into sending payment for supplier invoices to an unknown bank account, after intercepting the user's mail and changing the original supplier's email and invoice. The following is an audit log sample with sensitive information redacted, showing the attacker accessing and altering users' mail.
{"CreationTime":"2022-07-05T13:56:31","Id":"0abf17e0-a307-453c-8f31-08da5e8e2a21","Operation":"Update","RecordType":2,"ResultStatus":"Succeeded","Workload":"Exchange","ClientIP":"193.56.29.137","UserId":"***[email protected]************e.com","ClientIPAddress":"193.56.29.137","ClientInfoString":"Client=OWA;Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.62 Safari/537.36;","ExternalAccess":false,"LogonType":0,"LogonUserSid":"S-1-5-21-1**-REDACTED-**5"}
(smtpauth) Failed SMTP AUTH login from 193.56.29.137 (GB/United Kingdom/-): 1 in the last 3600 secs; Ports: *; Direction: inout; Trigger: LF_TRIGGER; Logs: 2021-02-27 14:11:37 login authenticator failed for (win-jm5ndcqfsu3.domain) [193.56.29.137]: 535 Incorrect authentication data (set_id=%null%)
IP: 193.56.29.137
Ports affected
Simple Mail Transfer (25)
Abuse Confidence rating 37%
Found in DNSBL('s)
ASN Details
AS210228 Web Hosted Group Ltd
United Kingdom (GB)
CIDR 193.56.29.0/24
Log Date: 16/02/2021 6:59:55 PM UTC