Compromised Account Guide

A compromised account is an account for which someone other than the owner/delegate of the account has access to the username and password (credentials). Often, the compromised credentials are used to gain access to an email account for sending spam or phishing messages from a legitimate looking source (you!). You should never share your password, even with another campus member (see SF State Password Policy).

SF State works diligently to prevent credential theft and we recommend all users review procedures and actively work to protect themselves and the university. SF State offers two-factor authentication (2FA) to protect user accounts. The additional security prevents unauthorized persons from accessing data or systems even if they know valid stolen credentials.

It is important that all users have a valid external email address on file that becomes the main communications channel when an SF State account is compromised.

When an account compromise does occur, steps need to be taken to protect not only the university's data, but your data as well.


Procedure for Current Faculty, Staff, and Community Member Primary Accounts

SF State's IT staff are highly aware of the times of year when having an account locked can cause excessive hardship (e.g., registration, grading, finals, drop/add days). If circumstances force the locking of an account during these critical times, additional outreach will be attempted and we will do our utmost to resolve account issues quickly. To make sure you receive all communication, please verify that your external email address is valid and that your directory listing includes your phone number.

SF State is in the process of onboarding all users to 2FA, but until that occurs, any primary account belonging to a staff member, faculty member, or community member that is compromised will be opted in early to the 2FA service.


  1. ITS will lock your account and administratively change the password, and Microsoft will stop the account from sending email.
  2. If spam contains a link, ITS will request the link be blocked where it makes sense to do so and submit a request to have the email removed from other SF State email boxes if it appears that the phishing attack was sent to many users. ITS will also submit an abuse request to the web hosting service provider to take down the malicious web page.
  3. A request for computer virus/malware scanning will be made on your behalf to your local IT staff (for users without local IT staff, the request will be sent to the ITS Help Desk).
  4. IT staff will work with you to scan and, if necessary, clean your computer(s) and devices. (Note: this may require clean-up actions be performed on personally-owned devices.)
  5. IT staff will help you perform a root cause analysis to determine how the account was compromised.
  6. IT staff will verify that clean-up has been performed on all devices used to access the account. IT staff may also ask you to change other credentials not associated with SF State, such as for social media sites.
  7. ITS will unlock the account - you may now change your password and re-access SF State services. You should also look through your email account and make sure there are no forwarding rules in place that you did not set up. More details below.
  8. If the user account is not protected with 2FA, the user account will be onboarded to the 2FA service.
  9. ITS will request that Microsoft remove the block from your account, allowing email to be sent to non-SF State addresses.
  10. IT staff will help you complete and submit an Incident Report.

Procedure for Secondary, Departmental, Student, and Emeritus Accounts

SF State's IT staff are highly aware that there are times of year when having an account locked can cause excessive hardship (e.g., registration, grading, finals, drop/add days). If circumstances force the locking of an account during these critical times, additional outreach will be attempted and we will do our utmost to resolve account issues quickly. To make sure you receive all communication, please verify that your external email address is valid and that your directory listing includes your phone number.


Please note: If it is determined that your account has access to secure resources or confidential data, the compromised account procedure for a primary account may be used.

  1. ITS will lock your account and administratively change the password.
  2. If spam contains a link, ITS will request the link be blocked where it makes sense to do so and submit a request to have the email removed from other SF State email boxes if it appears that the phishing attack was sent to many users. ITS will also submit an abuse request to the web hosting service provider to take down the malicious web page.
  3. A request for computer virus/malware scanning will be made on your behalf to your local IT staff (for users without local IT staff, the request will be sent to the ITS Help Desk).
  4. IT staff will verify that clean-up has been performed on all devices used to access the account. IT staff may also ask you to change other credentials not associated with SF State, such as for social media accounts.
  5. ITS will unlock the account - you may now change your password and re-access SF State services. You should look through your email account and make sure there are no forwarding rules in place that you did not set up. More details below.
  6. If the user account has been compromised multiple times (more than 3 in the last 90 days), the user account may be onboarded to the 2FA service.

Altered Email Account Settings

Altered email account settings can prevent you from sending or receiving email even after your account has been cleaned. Follow the steps below to check your SF State email settings and confirm that whoever had access to your account did not alter them. The settings you should check are Inbox Rules, Forwarding, and Blocked Senders. Please feel free to contact the ITS Service Desk if you would like any assistance with this process.

Inbox Rules:

  1. Go to your SF State email at https://outlook.office365.com/
  2. Log in using your SF State ID or email and your SF State password
  3. Once in your inbox, click on the gear icon at the top right to open the Settings panel
  4. Use the search bar under Settings on the right panel to search "inbox"
  5. Select the first search result which should be "Inbox Rules"
  6. On the Rules page, remove any rules that you did not create by selecting the trash icon to the right of the rule
  7. Save your changes

Forwarding:

  1. Go to your SF State email at https://outlook.office365.com/
  2. Log in using your SF State ID or email and your SF State password
  3. Once in your inbox, click on the gear icon at the top right to open the Settings panel
  4. Use the search bar under Settings on the right panel to search "forwarding"
  5. Select the first search result which should be "Forwarding"
  6. If forwarding is enabled and you would like to disable it, uncheck "Enable forwarding"
  7. Save your changes

Blocked Senders:

  1. Go to your SF State email at https://outlook.office365.com/
  2. Log in using your SF State ID or email and your SF State password
  3. Once in your inbox, click on the gear icon at the top right to open the Settings panel
  4. Use the search bar under Settings on the right panel to search "block"
  5. Select the first search result which should be "Blocked Senders and Domains"
  6. On the Blocked Senders page, see if there are any senders listed in the Blocked Senders table that you would like to allow
  7. Remove the address or addresses from your blocked list by selecting the trash icon to the right of the email address
  8. Go to the Filters section of the Junk Email page and make sure that the top checkbox is unchecked (Only trust email from addresses in your Safe senders and domains list and safe mailing lists)
  9. Save your changes
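The three checks above (inbox rules, forwarding, blocked senders) can also be run from the admin side with Exchange Online PowerShell, which is useful when IT staff verify clean-up on many mailboxes. The script below is an added example and is not part of SF State's guide or its tooling. It assumes the ExchangeOnlineManagement module is installed, that the caller holds a role allowed to read mailbox settings, and that the mailbox address and campus domain are placeholders to be replaced.

```powershell
# Added example, not part of SF State's guide or tooling.
# Audits one mailbox for the settings the guide tells users to check:
# inbox rules, mailbox-level forwarding, and junk-mail (blocked senders /
# "trusted lists only"). Assumes the ExchangeOnlineManagement module and an
# existing Connect-ExchangeOnline session; addresses below are placeholders.

function Get-MailboxCompromiseIndicators {
    param(
        [Parameter(Mandatory = $true)][string]$Mailbox,
        [string]$TrustedDomain = 'example.edu'   # placeholder for the campus mail domain
    )

    $findings = @()
    # Rule targets render as '"Name" [SMTP:user@domain]' and ForwardingSmtpAddress as
    # 'smtp:user@domain', so accept ']', whitespace or end-of-string after the domain.
    $domainPattern = '@' + [regex]::Escape($TrustedDomain) + '(\]|\s|$)'

    # 1. Inbox rules. Rules that forward or redirect mail, or delete it outright,
    #    are the usual post-compromise persistence and cover-up mechanism.
    foreach ($rule in Get-InboxRule -Mailbox $Mailbox) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        # Entries without '@' are legacy DNs for internal recipients; only SMTP
        # targets outside the trusted domain are marked external.
        $external = $targets | Where-Object { $_ -match '@' -and $_ -notmatch $domainPattern }
        if ($targets -or $rule.DeleteMessage) {
            $findings += [pscustomobject]@{
                Check          = 'InboxRule'
                Name           = $rule.Name
                Enabled        = $rule.Enabled
                ExternalTarget = [bool]$external
                Detail         = "targets: $($targets -join '; ') | deletes: $($rule.DeleteMessage)"
            }
        }
    }

    # 2. Mailbox-level forwarding (the "Forwarding" page in Outlook settings).
    $mbx = Get-Mailbox -Identity $Mailbox
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Check          = 'MailboxForwarding'
            Name           = 'ForwardingSmtpAddress / ForwardingAddress'
            Enabled        = $true
            ExternalTarget = [bool]($mbx.ForwardingSmtpAddress -and
                                    $mbx.ForwardingSmtpAddress -notmatch $domainPattern)
            Detail         = "smtp: $($mbx.ForwardingSmtpAddress) | address: $($mbx.ForwardingAddress) | keep copy: $($mbx.DeliverToMailboxAndForward)"
        }
    }

    # 3. Junk-mail configuration: the blocked-senders list and the "only trust safe
    #    senders" switch, which silently junks mail from everyone not on the safe list.
    $junk = Get-MailboxJunkEmailConfiguration -Identity $Mailbox
    if ($junk.TrustedListsOnly) {
        $findings += [pscustomobject]@{
            Check = 'JunkEmail'; Name = 'TrustedListsOnly'; Enabled = $true; ExternalTarget = $false
            Detail = 'Only safe senders are trusted; all other mail goes to Junk'
        }
    }
    foreach ($blocked in $junk.BlockedSendersAndDomains) {
        $findings += [pscustomobject]@{
            Check = 'JunkEmail'; Name = 'BlockedSender'; Enabled = $true; ExternalTarget = $false
            Detail = $blocked
        }
    }

    return $findings
}

# Usage (placeholder mailbox and domain):
# Connect-ExchangeOnline
# Get-MailboxCompromiseIndicators -Mailbox 'user@example.edu' -TrustedDomain 'example.edu' |
#     Format-Table -AutoSize
# Disconnect-ExchangeOnline -Confirm:$false
```

The function only reads settings and reports them; removing a rule or clearing forwarding is left to the person reviewing the output, since a legitimate rule the owner created should not be deleted by a script. Rows with ExternalTarget set to true are the ones to look at first, and any blocked-sender entry the owner does not recognise should be removed as the guide describes.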

How Are Compromised Credentials Identified?

Many compromised accounts are reported by tools such as Microsoft's Anti-Spam utility, Office 365 security reports, and LogRhythm security log analysis. For reports originating from the public posting of credentials, or from a source that cannot be verified, the following procedure will be used:

  1. ITS will notify you that you need to immediately change your password. If you cannot be reached and/or the password is not updated within 4 hours, the password will be administratively changed to protect your personal information.
  2. You can change your password and re-access SF State services.

Spoofed Accounts

Spoofing is annoying, but it is not the result of compromised credentials. When a scammer creates a spam message, they can set a 'reply-to' address other than their own, choosing an email address that makes the message appear legitimate. Unfortunately, this often causes the address they have used to receive a large number of undeliverable notifications. Because no credentials were compromised and the messages do not originate from SF State's servers, there is no way to stop these messages. If your account has been used in a spoof and you have more than 2000 undeliverable notifications, please open a service request for information on using mail rules to delete the messages.