Compromised Account Guide

A compromised account is an account for which someone other than the owner/delegate of the account has access to the username and password. Often, the credentials are used for the purpose of sending spam from a legitimate-looking source (you!). You should never share your password, even with another campus member (see SF State Password Policy).

SF State works diligently to prevent credential theft and we recommend all users review procedures and actively work to protect themselves and the university. But when a compromise occurs, steps need to be taken to protect not only the university's data, but your data as well.

Procedure for Current Faculty, Staff, and Community Member Primary Accounts

SF State's IT staff is highly aware there are times of year when having an account locked can cause excessive hardship (e.g., registration, grading, finals, drop/add days). If circumstances force the locking of an account during these critical times, additional outreach will be attempted and we will do our utmost to resolve account issues quickly. To make sure you receive all communication, please verify that your external email address is valid and that your directory listing includes your phone number.

  1. ITS will lock your account and administratively change the password, Microsoft will stop the account from sending email
  2. If outbound spam contains a link, ITS will request the link be blocked at the SF State firewall and via online safe-browsing tools
  3. A request for computer virus/malware scanning will be made on your behalf to your local IT staff (for users without local IT staff, the request will be sent to the ITS Help Desk)
  4. IT staff will work with you to scan and, if necessary, clean your computer(s) and devices. (Note: this may require clean-up actions be performed on personally-owned devices.)
  5. IT staff will help you perform a root cause analysis to determine how the account was compromised
  6. IT staff will verify that clean-up has been performed on all devices used to access the account
  7. ITS will unlock the account - you may now change your password and re-access SF State services
  8. ITS will request that Microsoft remove the block from your account, allowing email to be sent to non-SF State addresses
  9. IT staff will help you complete and submit an Incident Report

Procedure for Secondary, Departmental, Student, and Emeritus Accounts

SF State's IT staff is highly aware there are times of year when having an account locked can cause excessive hardship (e.g., registration, grading, finals, drop/add days). If circumstances force the locking of an account during these critical times, additional outreach will be attempted and we will do our utmost to resolve account issues quickly. To make sure you receive all communication, please verify that your external email address is valid.

Please note: If it is determined that your account has access to secure resources or confidential data, the compromised account procedure for a primary account may be used.

  1. ITS will lock your account and administratively change the password
  2. If outbound spam contains a link, ITS will request the link be blocked at the SF State firewall and via online safe-browsing tools
  3. A request for computer virus/malware scanning will be made on your behalf to your local IT staff (for users without local IT staff, the request will be sent to the ITS Help Desk)
  4. IT staff will work with you to scan and, if necessary, clean your computer(s) and devices (Note: this may require clean-up actions be performed on personally-owned devices)
  5. IT staff will verify that clean-up has been performed on all devices used to access the account
  6. ITS will unlock the account - you may now change your password and re-access SF State services

Altered Email Account Settings

Altered email account settings can prevent you from sending or receiving emails even after your account has been cleaned. Please follow the steps listed below to check your SF State settings to ensure that whoever had access to your account did not alter your settings. The settings you should check are Inbox Rules, Forwarding, and Blocked Senders. Please feel free to contact the ITS Service Desk if you would like any assistance with this process.

Inbox Rules:

  1. Go to your SF State email at https://outlook.office.com/
  2. Log in using your SF State ID or email and your SF State password
  3. Once in your inbox, click on the gear icon at the top right to open the Settings panel
  4. Use the search bar under Settings on the right panel to search "inbox"
  5. Select the first search result which should be "Inbox Rules"
  6. On the Rules page, remove any rules that you did not create by selecting the trash icon to the right of the rule
  7. Save your changes

Forwarding:

  1. Go to your SF State email at https://outlook.office.com/
  2. Log in using your SF State ID or email and your SF State password
  3. Once in your inbox, click on the gear icon at the top right to open the Settings panel
  4. Use the search bar under Settings on the right panel to search "forwarding"
  5. Select the first search result which should be "Forwarding"
  6. If forwarding is enabled and you would like to disable it, uncheck "Enable forwarding"
  7. Save your changes

Blocked Senders:

  1. Go to your SF State email at https://outlook.office.com/
  2. Log in using your SF State ID or email and your SF State password
  3. Once in your inbox, click on the gear icon at the top right to open the Settings panel
  4. Use the search bar under Settings on the right panel to search "block"
  5. Select the first search result which should be "Blocked Senders and Domains"
  6. On the Blocked Senders page, see if there are any senders listed in the Blocked Senders table that you would like to allow
  7. Remove the address or addresses from your blocked list by selecting the trash icon to the right of the email address
  8. Go to the Filters section of the Junk Email page and make sure that the top checkbox is unchecked (Only trust email from addresses in your Safe senders and domains list and safe mailing lists)
  9. Save your changes
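For IT staff who need to check these same three settings (Inbox Rules, Forwarding, Blocked Senders / junk filter) on an affected mailbox without walking the user through the web interface, here is an added example using Exchange Online PowerShell; it is not part of this guide. It assumes the ExchangeOnlineManagement module is installed, that the operator has rights to read the mailbox, and that the mailbox address passed in is a placeholder for the affected account.

```powershell
# Added example (not SF State's own tooling): audit a mailbox for the post-compromise
# changes this guide tells users to look for. Assumes the ExchangeOnlineManagement
# module is installed and the operator can read the mailbox.
param(
    [Parameter(Mandatory = $true)]
    [string]$Mailbox   # placeholder: the affected account's address
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Inbox Rules: flag any rule that forwards, redirects or deletes mail,
#    the pattern an intruder uses to hide replies and bounce notifications.
foreach ($r in (Get-InboxRule -Mailbox $Mailbox)) {
    $hides = $r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo -or $r.DeleteMessage
    [pscustomobject]@{
        Check   = 'InboxRule'
        Detail  = $r.Name
        Enabled = $r.Enabled
        Flag    = $(if ($hides) { 'REVIEW: rule forwards, redirects or deletes mail' } else { '' })
    }
}

# 2. Forwarding: the mailbox-level setting behind "Enable forwarding" in Outlook on the web.
$mb = Get-Mailbox -Identity $Mailbox
$fwd = [bool]$mb.ForwardingSmtpAddress -or [bool]$mb.ForwardingAddress
[pscustomobject]@{
    Check   = 'Forwarding'
    Detail  = "$($mb.ForwardingSmtpAddress) $($mb.ForwardingAddress)".Trim()
    Enabled = $fwd
    Flag    = $(if ($fwd) { 'REVIEW: mailbox forwarding is set' } else { '' })
}

# 3. Blocked Senders and the "only trust safe senders" junk filter (guide step 8).
$junk = Get-MailboxJunkEmailConfiguration -Identity $Mailbox
[pscustomobject]@{
    Check   = 'JunkFilter'
    Detail  = "BlockedSenders=$($junk.BlockedSendersAndDomains.Count)"
    Enabled = $junk.TrustedListsOnly
    Flag    = $(if ($junk.TrustedListsOnly) { 'REVIEW: only safe-senders list is trusted' } else { '' })
}

Disconnect-ExchangeOnline -Confirm:$false
```

Rows marked REVIEW are candidates for removal or reversal, matching steps 6 of the Inbox Rules list, 6 of the Forwarding list and 8 of the Blocked Senders list above; the script only reads, it changes nothing.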

Public Credential Posting

Most compromised accounts are reported via tools such as Microsoft's Anti-Spam utility. For reports originating from the public posting of credentials or from a source that cannot be verified, the following procedure will be used:

  1. ITS will notify you that you need to immediately change your password. If you cannot be reached and/or the password is not updated within 4 hours, the password will be administratively changed to protect your personal information
  2. You can change your password and re-access SF State services

Spoofed Accounts

Spoofing is annoying, but is not actually the result of compromised credentials. When a scammer creates a spam message, they can set a 'reply-to' address other than their own. They use an email address that will help make the message appear legitimate. Unfortunately, this often causes the address they have used to receive a large number of undeliverable notifications. Because there are no compromised credentials and the messages do not originate from SF State's servers, there is no way to stop these messages. If your account has been used in a spoof and you have more than 2000 undeliverable notifications, please open a service request for information on using mail rules to delete the messages.