@analog_cafe oof - tbh, not sure if there was a specific "do this and they disappear" remedy, sorry. Things to harden your org, however. Short run - make sure your EDR is clued in to the issue, either via IOCs you can harvest from the phish, or if it's a managed service, by letting them know. The 'sinister evolution' will likely take the shape of loading RATs on your endpoints (especially if you're passwordless), which seems to be the next pivot when attackers cannot obtain credentials. Be cautious even with 'safe' tools that aren't specifically RATs, like TeamViewer or ScreenConnect for example.

Other measures - alert on anomalous login activity. What is anomalous depends on your org, but if it's just you, then I would start by alerting on odd geographic logins from unexpected IPs/ASNs and novel UAs; even things outside of 'normal' business hours might be helpful. If you don't have that kind of telemetry then that's a good starting point. Also alerting on account changes, such as new forwarding rules, is a great way to detect compromise.

Blocking on known bad indicators such as SendGrid will stem the issue for a bit, but attackers pivot, so it's a bit of whack-a-mole. But if you're small enough, and whack enough moles, the attackers leave for easier targets. Unfortunately - one compromise makes never going away worth it. Likely you're already doing this, but strictly segregate and harden (MFA, alerting etc.) your admin accounts from your user accounts - if attackers compromise your user account they won't get the keys to the whole kingdom.

That's simply the low-hanging fruit; I am certain more capable security folks will chime in, but hopefully this gets you to a relatively safe place. Hope this is helpful, but otherwise good luck!
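The detection advice in the comment above (baseline each user's normal sign-in geography, ASN, user agent and hours, then alert on deviations, and alert on new forwarding rules to external addresses) as a small worked example. This is added illustration, not code from the commenter or from any product; the event field names, the `example.com` org domain, the business-hours window and all log events are constructed assumptions, and real deployments would feed normalised IdP or mail-audit events into the same scoring functions.

```python
"""Baseline-and-deviation alerting for sign-in and mailbox-rule events.

Assumptions (not from the post): events are dicts already normalised from an
identity-provider / mail audit log; the field names are invented for the example.
"""
from collections import defaultdict
from datetime import datetime

INTERNAL_DOMAIN = "example.com"   # assumed org domain; mail forwarded elsewhere is suspicious
BUSINESS_HOURS = (8, 18)          # assumed local working window treated as "normal"

# Constructed historical sign-ins used to learn what is normal for each user.
BASELINE_LOGINS = [
    {"user": "alice", "ts": "2024-03-04T09:12:00", "ip": "203.0.113.10",
     "asn": "AS64500", "country": "DE", "ua": "Firefox/123.0 Windows"},
    {"user": "alice", "ts": "2024-03-05T14:40:00", "ip": "203.0.113.10",
     "asn": "AS64500", "country": "DE", "ua": "Firefox/123.0 Windows"},
    {"user": "alice", "ts": "2024-03-06T10:05:00", "ip": "203.0.113.22",
     "asn": "AS64500", "country": "DE", "ua": "Outlook-iOS/2.0"},
]

# Constructed events to evaluate: a benign sign-in, a suspicious sign-in, and a
# mailbox rule change that forwards mail off-domain.
NEW_EVENTS = [
    {"type": "login", "user": "alice", "ts": "2024-03-07T11:00:00",
     "ip": "203.0.113.10", "asn": "AS64500", "country": "DE",
     "ua": "Firefox/123.0 Windows"},
    {"type": "login", "user": "alice", "ts": "2024-03-08T03:27:00",
     "ip": "198.51.100.77", "asn": "AS64511", "country": "NG",
     "ua": "python-requests/2.31"},
    {"type": "mailbox_rule", "user": "alice", "ts": "2024-03-08T03:31:00",
     "action": "New-InboxRule", "forward_to": "alice.backup@mail.example.net"},
]


def build_baseline(logins):
    """Collect the countries, ASNs and user agents each user has been seen with."""
    baseline = defaultdict(lambda: {"countries": set(), "asns": set(), "uas": set()})
    for e in logins:
        b = baseline[e["user"]]
        b["countries"].add(e["country"])
        b["asns"].add(e["asn"])
        b["uas"].add(e["ua"])
    return baseline


def outside_business_hours(ts, hours=BUSINESS_HOURS):
    """True for weekends or times outside the configured working window."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (hours[0] <= t.hour < hours[1])


def score_login(event, baseline):
    """Return the list of deviations from the user's baseline (empty = normal)."""
    b = baseline.get(event["user"])
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if event["country"] not in b["countries"]:
        reasons.append(f"new country {event['country']}")
    if event["asn"] not in b["asns"]:
        reasons.append(f"new ASN {event['asn']}")
    if event["ua"] not in b["uas"]:
        reasons.append(f"novel user agent {event['ua']!r}")
    if outside_business_hours(event["ts"]):
        reasons.append("outside business hours")
    return reasons


def score_mailbox_rule(event, internal_domain=INTERNAL_DOMAIN):
    """Flag any new rule that forwards mail to an address outside the org."""
    target = event.get("forward_to", "")
    if target and not target.lower().endswith("@" + internal_domain):
        return [f"forwarding rule to external address {target}"]
    return []


def detect(events, baseline):
    """Run every event through the matching scorer; return only the alerts."""
    alerts = []
    for e in events:
        if e["type"] == "login":
            reasons = score_login(e, baseline)
        elif e["type"] == "mailbox_rule":
            reasons = score_mailbox_rule(e)
        else:
            reasons = []
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(NEW_EVENTS, build_baseline(BASELINE_LOGINS)):
        print(a["ts"], a["user"], "; ".join(a["reasons"]))
```

On the constructed data the first sign-in matches the baseline and is silent, the 03:27 sign-in trips all four checks at once (new country, new ASN, scripted user agent, off-hours), and the inbox rule is flagged purely because its target is off-domain. In practice the per-user sets would be rebuilt from a rolling window so a legitimately new device or trip ages into the baseline rather than alerting forever.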