Security Incident: IT-1146

What Happened

On April 26, an unknown attacker sent malicious phishing emails using a compromised Robot Morning Exchange account.

No customer or vendor data was breached. Reasons customer/vendor data was not breached:

Robot Morning isolates customer data from Robot Morning data

Robot Morning isolates each customer's data from all other customers' data

Robot Morning restricts access to systems containing customer data

Our Research

Beginning April 20, 12:57 PM EST: There were several unauthorized logins to an employee's cloud Exchange account.

April 22 to 26: The attacker created email rules to trick the employee into believing that emails requesting internal Robot Morning changes were coming from another employee. The attacker viewed several internal Robot Morning files. The attacker did not have access to any customer or vendor data.

April 26: Using the compromised account, the attacker sent just under 4,500 malicious emails to contacts in the user's contact list. In response, Robot Morning locked the account, quarantined the user's devices, and enabled additional monitoring of all accounts. Robot Morning contacted everyone who was sent an email to notify them of the breach and instruct them not to open these malicious emails.

April 26 to 29: Robot Morning's security team reset the user's credentials and began gathering evidence. After examining the user's devices for malware, the security team returned the devices to the user. The security team used system and application logs to piece together the attacker's activity over the course of the attack.
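
The log-based reconstruction described above can be sketched as follows. This is an added example, not Robot Morning's own tooling: it assumes audit records exported as JSON lines using Microsoft 365 unified audit log field names, and the reconstruct function, the allow-list of known addresses, and every record, address and date in the sample are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime

# Audit operations that create or modify mailbox rules.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}

# Constructed sample (not incident data), deliberately out of time order.
SAMPLE = """\
{"CreationTime": "2001-01-26T14:00:05", "UserId": "pat@example.test", "Operation": "Send", "ClientIP": "203.0.113.50"}
{"CreationTime": "2001-01-19T09:00:00", "UserId": "pat@example.test", "Operation": "UserLoggedIn", "ClientIP": "192.0.2.10"}
{"CreationTime": "2001-01-22T08:15:00", "UserId": "pat@example.test", "Operation": "New-InboxRule", "ClientIP": "203.0.113.50"}
{"CreationTime": "2001-01-20T12:57:00", "UserId": "pat@example.test", "Operation": "UserLoggedIn", "ClientIP": "203.0.113.50"}
{"CreationTime": "2001-01-26T14:00:01", "UserId": "pat@example.test", "Operation": "Send", "ClientIP": "203.0.113.50"}
{"CreationTime": "2001-01-23T10:30:00", "UserId": "lee@example.test", "Operation": "New-InboxRule", "ClientIP": "198.51.100.9"}
{"CreationTime": "2001-01-26T14:00:03", "UserId": "pat@example.test", "Operation": "Send", "ClientIP": "203.0.113.50"}
{"CreationTime": "2001-01-26T09:10:00", "UserId": "pat@example.test", "Operation": "Send", "ClientIP": "192.0.2.10"}
"""

def reconstruct(lines, user, known_ips, send_burst=3):
    """Summarise one account's activity from addresses outside known_ips."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        # Keep only the affected user's events from unrecognised addresses.
        if rec["UserId"].lower() != user.lower() or rec["ClientIP"] in known_ips:
            continue
        rec["when"] = datetime.fromisoformat(rec["CreationTime"])
        events.append(rec)
    events.sort(key=lambda r: r["when"])  # exports are not guaranteed ordered
    logins = [e for e in events if e["Operation"] == "UserLoggedIn"]
    sends = Counter(e["when"].date().isoformat()
                    for e in events if e["Operation"] == "Send")
    return {
        "first_unknown_login": logins[0]["CreationTime"] if logins else None,
        "source_ips": sorted({e["ClientIP"] for e in events}),
        "rule_changes": [(e["CreationTime"], e["Operation"])
                         for e in events if e["Operation"] in RULE_OPS],
        "send_bursts": {d: n for d, n in sends.items() if n >= send_burst},
    }

if __name__ == "__main__":
    print(reconstruct(SAMPLE.splitlines(), "pat@example.test", {"192.0.2.10"}))
```

The send_burst threshold is set low to fit the small sample; on real data it would be tuned to the account's normal sending volume.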

Our Response

In addition to conducting additional employee security training, Robot Morning has addressed a gap we found during our research: we had not enabled multi-factor authentication for all Microsoft accounts. We have now enabled multi-factor authentication for those accounts and are auditing our other systems to ensure that it is enabled there as well.
