Hey Jane,

Thanks for your follow-up and many apologies for the delayed reply. In regards to your question, it appears to be a hack of the Exchange Server and a guess that the password for his DropBox and O365 was the same. I will stress that it is still relevant due to the repeated MO involving DropBox. This from our IT Helpdesk to further explain:

We've been working through the logs this afternoon and can now confirm what occurred. We can confirm that CEO's Office 365 account was compromised at 8:59am this morning with an unknown user from South Africa logging in. Once they had access to the O365 account, they also had access to all his contact lists. At 10:57am they set a rule on the mailbox to move all mail from the Inbox to the "RSS Subscriptions" folder. Once this rule was in place, they were able to access his Dropbox account, and in doing so shared out a file from another account as CEO to his entire contact list. This was the email that was then received by everyone, and I can confirm it originated from Dropbox's servers based off the mail headers. Prior to me talking to CEO when this all occurred, he had already reset his password, which also updated O365, effectively locking them out. Regarding the Dropbox account, we are still waiting to hear back from their support in order to get the Password Reset email through so we can secure that part. As it is a free account we are unable to contact them via phone; that is only an option for Business plan accounts.

In regards to your questions Jane:

1. Yes, we now know how.
2. As above, but note that the PDF did not exist prior to the hack; the perpetrators set it up. We still don't know what it does. IT didn't think it allowed key logging, even though the CEO clicked on an identical PDF link in a DropBox email from someone else. Still a mystery if there was a direct link between the 2.
3. As above explains the absence of Malware or Viruses.
IT was able to access his account via the desktop app that was still signed in. One thing that IT could have done better that I will share is this: as soon as they logged in to the account they deleted the PDF file before checking who it was shared with. Getting this list would have allowed us to send out an email warning those who were sent the spam that they need to change their passwords (and we are sorry, please stop calling us).

I received a similar email a couple of days later from the DropBox of the company that sent our CEO the original dodgy PDF link. I have never had any contact with them before, so they are obviously compounding their spam lists. The naming format for the PDF was consistent: "Name of Company Payment and Draft Proposal.pdf", and it indicated that the sender had "shared this file with you" in the standard DropBox share delivery.
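The timeline IT reconstructed above (a successful sign-in from an unexpected country, then an inbox rule that parks every incoming message in "RSS Subscriptions" so the victim never sees the bounce-backs and "did you mean to send this?" replies) is a well-known business-email-compromise pattern, and it is worth hunting for across every mailbox in the tenant rather than just the one that was noticed. The script below is an added example written for this thread; it is not code from the original post, from Dropbox or from Microsoft. It assumes the input is the AuditData JSON that Search-UnifiedAuditLog returns (one object per line), that the office egresses from 203.0.113.0/24, and that the sample records, names, IPs and times are constructed to mirror the thread's timeline. On the question of where the addresses came from: any signed-in user can read the tenant's whole Global Address List, and a mailbox's own recipient cache holds every address it has ever sent to, including BCC, so a compromised account needs no malware on the PC to harvest them.

```python
"""Hunt Office 365 Unified Audit Log exports for the compromise pattern in this
thread: a successful sign-in from outside the office followed by an inbox rule
that hides or diverts incoming mail (e.g. "move everything to RSS Subscriptions").

Added example, not code from the thread. Assumes records are the AuditData JSON
objects that Search-UnifiedAuditLog returns, one JSON object per line.
"""
import ipaddress
import json
from datetime import datetime

# Assumption: the office egresses from this range (a documentation range stands in).
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Folders attackers typically park hidden mail in (compared case-insensitively).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email",
                  "junk e-mail", "archive", "conversation history", "notes"}
EXFIL_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
CONDITION_PARAMS = ("From", "FromAddressContainsWords", "SubjectContainsWords",
                    "BodyContainsWords", "SubjectOrBodyContainsWords")

# Constructed sample records; names, IPs and times are made up to mirror the
# thread's timeline (198.51.100.23 plays the foreign attacker).
SAMPLE_LOG = """
{"CreationTime":"2017-05-03T07:40:10","Operation":"UserLoggedIn","UserId":"ceo@example.com","Workload":"AzureActiveDirectory","ClientIP":"203.0.113.17","ResultStatus":"Succeeded"}
{"CreationTime":"2017-05-03T08:58:41","Operation":"UserLoggedIn","UserId":"ceo@example.com","Workload":"AzureActiveDirectory","ClientIP":"198.51.100.23","ResultStatus":"Failed"}
{"CreationTime":"2017-05-03T08:59:03","Operation":"UserLoggedIn","UserId":"ceo@example.com","Workload":"AzureActiveDirectory","ClientIP":"198.51.100.23","ResultStatus":"Succeeded"}
{"CreationTime":"2017-05-03T10:57:12","Operation":"New-InboxRule","UserId":"ceo@example.com","Workload":"Exchange","ClientIP":"198.51.100.23","Parameters":[{"Name":"Name","Value":"."},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2017-05-03T11:02:30","Operation":"New-InboxRule","UserId":"alice@example.com","Workload":"Exchange","ClientIP":"203.0.113.17","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
"""


def parse_records(text):
    """Parse one AuditData JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_params(record):
    """Flatten the Exchange cmdlet Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def rule_hides_mail(record):
    """True for New-/Set-InboxRule events that park, delete or divert mail."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False
    p = rule_params(record)
    parked = p.get("MoveToFolder", "").lower() in HIDING_FOLDERS
    deleted = p.get("DeleteMessage", "").lower() == "true"
    diverted = any(k in p for k in EXFIL_PARAMS)
    return parked or deleted or diverted


def is_external(ip):
    """True when the client IP is outside the known office ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def when(record):
    return datetime.fromisoformat(record["CreationTime"])


def triage(text):
    """Pair each mail-hiding rule with the first external sign-in that preceded it."""
    records = sorted(parse_records(text), key=when)
    findings = []
    for rec in records:
        if not rule_hides_mail(rec):
            continue
        user = rec["UserId"]
        p = rule_params(rec)
        # Exports spell success as "Succeeded" or "Success" depending on the workload.
        prior_external = [
            r for r in records
            if r.get("Operation") == "UserLoggedIn" and r.get("UserId") == user
            and r.get("ResultStatus") in ("Succeeded", "Success") and "ClientIP" in r
            and is_external(r["ClientIP"]) and when(r) <= when(rec)
        ]
        first = prior_external[0] if prior_external else None
        findings.append({
            "user": user,
            "rule_created": rec["CreationTime"],
            "rule_name": p.get("Name", ""),
            "target": (p.get("MoveToFolder")
                       or ("<delete>" if p.get("DeleteMessage", "").lower() == "true" else None)
                       or next((p[k] for k in EXFIL_PARAMS if k in p), None)),
            # No From/Subject/Body condition means the rule swallows every message.
            "catch_all": not any(k in p for k in CONDITION_PARAMS),
            "rule_set_from_external_ip": is_external(rec["ClientIP"]) if "ClientIP" in rec else None,
            "first_external_login": first["CreationTime"] if first else None,
            "external_login_ip": first["ClientIP"] if first else None,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['user']}: rule '{f['rule_name']}' -> {f['target']} at {f['rule_created']}"
              f" (catch-all={f['catch_all']}); first external login"
              f" {f['first_external_login']} from {f['external_login_ip']}")
        # Containment for a hit: list and remove the rule, kill sessions, then reset the password.
        print(f"  Get-InboxRule -Mailbox {f['user']} | Format-List Name,Description")
        print(f"  Remove-InboxRule -Mailbox {f['user']} -Identity '{f['rule_name']}'")
        print(f"  Revoke-AzureADUserAllRefreshToken -ObjectId {f['user']}")
```

To feed it real data, export the relevant operations from Exchange Online PowerShell with `Search-UnifiedAuditLog -StartDate <d1> -EndDate <d2> -Operations New-InboxRule,Set-InboxRule,UserLoggedIn -ResultSize 5000 | Select-Object -ExpandProperty AuditData` and write each AuditData string to its own line. Alice's "Newsletters" rule in the sample is there to show that a rule with a sender condition and a normal target folder is not flagged; only the catch-all rule into "RSS Subscriptions" from the same IP as the foreign sign-in is. A password reset on its own does not end an attacker's existing sessions, which is why the containment lines revoke refresh tokens as well.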
Boss clicked on pdf link in dropbox email from recognised address
1 week later spams a similar link from his dropbox account
Recipient emails have been harvested from our Outlook Exchange system
So hundreds of people FROM OUR OUTLOOK EXCHANGE directory just got spammed FROM the CEO's DropBox account.
Yes we checked the email headers; it wasn't a spam email dressed up to look like a DropBox email, it was legit from within his (free) account.
We have been able to login via the app and remove the file (I.T. forgot to look up who it was sent to first so we couldn't send an apology / ask everyone to stop calling us) but no doubt it has spread.
So the CEO clicked on a similar Dropbox-originated file link from someone last week, so no mystery as to how it came about. What I am baffled by is how it is possible that it was able to find a list of ALL our outbound email addresses, from all the accounts in the building, and send off email FROM WITHIN THE CEO's DROPBOX account? These aren't even contact list email addresses; some of these have only ever appeared in BCC fields!
I.T. has scanned the CEOs computer and found NO Malware, so we don't even know what we need to tell the poor people who have clicked on the link before we managed to delete the file. We don't know what to look for...
DropBox have estimated a timely 72 hour response time :( , so anyone with any intel on what this is, how it jumped in to and then out of exchange with a bunch of email addresses and where it might be hiding on the system would be our personal hero right now.
If DropBox picks up on this: We can't get into the CEO's account via browser, retrieve password not working. We were only able to delete the PDF because he was still logged into the app. Can you get us in?
We would love to be able to email everyone who the PDF was shared with but I.T. deleted it and removed it from the trash.
If you can let us know how this happened on a technical level that would be great.