DepED's Active Directory Breached?

I am following the breaking story and the "yet to be verified reports" that the Philippine DepED (Department of Education)'s Azure-hosted Active Directory service was breached.

A bit of background details about the incident:

MB Tech Editor Manong Art Samaniego Jr.’s post

However, sources inside DepED showed that login attacks have been flooding their network since Friday. This is strange: if the hackers had already stolen the credentials, we should not see failed login attempts like the ones in the log below:

Hackers targeting the Admin and other key accounts

Others doubt the veracity of the "alleged" breach. For one, the hacker (Pigeon) himself posted that he was "locked out". It seems the hacker was blocked before more damage could be done. However, it does appear that Pigeon (the threat actor) was successful at AD enumeration:

Source: Lead Threat Intel Analyst from Red Rock IT Security (a local IT security firm)

How was it done? The hacker (Pigeon) most likely enumerated the AD devices in a fashion similar to this: https://medium.com/@navkang/active-directory-enumeration-and-exploitation-for-beginners-604a32f45011

Make no mistake, the breach did enable the hacker to gain vital information that could potentially lead to future compromise. So for the rest of us, here is what we can do in such a situation.

The Incident Response Plan

For companies that have suffered an AD (Active Directory) breach, here is a simple incident response plan for handling such incidents:

Preparation:

  • The key stakeholders are aware of the incident response plan and their role in the process.
  • Regularly review and test the incident response plan to ensure it is up-to-date and effective.

Identification:

  • Investigate any incidents that are identified and determine whether a breach has occurred. Typically you would first see a lot of failed attempts. But where the AD was actually compromised (as the hackers claim), you should also see "successful" logins coming from unusual locations (IP addresses).
  • Document the incident, including the date and time of the breach, the type of breach, and any information about the potential impact.
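The identification pattern above (a burst of failures on an account, then a success from a location that account never used before) can be checked mechanically against exported sign-in logs. The example below is added here and is not from the post or from DepED; the records are constructed, with field names loosely modelled on the Azure AD sign-in log schema (errorCode 0 = success, 50126 = invalid username or password).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (one JSON object per line; every value
# is made up, field names loosely follow the Azure AD signIn schema).
SAMPLE_SIGNINS = """\
{"createdDateTime":"2023-03-01T08:00:00Z","userPrincipalName":"admin@example.gov.ph","ipAddress":"203.0.113.10","country":"PH","errorCode":0}
{"createdDateTime":"2023-03-03T02:00:00Z","userPrincipalName":"admin@example.gov.ph","ipAddress":"198.51.100.7","country":"ZZ","errorCode":50126}
{"createdDateTime":"2023-03-03T02:00:05Z","userPrincipalName":"admin@example.gov.ph","ipAddress":"198.51.100.7","country":"ZZ","errorCode":50126}
{"createdDateTime":"2023-03-03T02:00:10Z","userPrincipalName":"admin@example.gov.ph","ipAddress":"198.51.100.7","country":"ZZ","errorCode":50126}
{"createdDateTime":"2023-03-03T02:00:40Z","userPrincipalName":"admin@example.gov.ph","ipAddress":"198.51.100.7","country":"ZZ","errorCode":0}
{"createdDateTime":"2023-03-03T09:00:00Z","userPrincipalName":"teacher@example.gov.ph","ipAddress":"203.0.113.22","country":"PH","errorCode":50126}
{"createdDateTime":"2023-03-03T09:00:30Z","userPrincipalName":"teacher@example.gov.ph","ipAddress":"203.0.113.22","country":"PH","errorCode":0}
"""

def parse_signins(text):
    """Parse one JSON record per line and sort them chronologically."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def find_suspicious_successes(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag a success that follows >= min_failures failures on the same account
    inside `window` AND comes from a country that account never succeeded from."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["userPrincipalName"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        known_countries, failures = set(), []
        for e in evs:
            if e["errorCode"] != 0:
                failures.append(e["ts"])
                continue
            burst = [t for t in failures if e["ts"] - t <= window]
            if len(burst) >= min_failures and e["country"] not in known_countries:
                alerts.append({"user": user, "ip": e["ipAddress"], "country": e["country"],
                               "failures_before": len(burst), "at": e["createdDateTime"]})
            else:
                known_countries.add(e["country"])  # only unflagged successes build the baseline
            failures = []  # a success closes the current failure burst
    return alerts
```

A normal user who mistypes once and then signs in from their usual country (the teacher account above) is not flagged; the admin account, hit three times and then opened from a country it had never used, is.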

Containment:

  • Enable two-factor authentication and tighten access controls to prevent further breaches. Ironically, Google Authenticator is a good solution to this Microsoft Azure breach. This is critical if it can be implemented quickly (without the usual need for bidding and other government red tape).

  • Limit access to Philippine IPs, or if possible to ONLY the DepED admin NOC IP block. While this control will severely affect access by even legitimate users, it will at least "keep the dogs out" and somewhat limit the damage by denying access to foreign actors.

  • Invalidate all passwords by requiring all users to "change password" on their next login. This forces a change in credentials and neutralizes the information in the hackers' hands. And while we are at it, why not enable the complexity and password-length requirements in AD? (see pic)

  • Look for any signs of lateral movement. Examine DNS query logs for clues about which client-side IPs/accounts are affected. Hint: malware-infected user devices will typically "call home" to the malware command-and-control (C&C) systems. This usually involves queries to DNS (Domain Name System) to resolve synthetic, algorithmically generated domain names.
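To act on the DNS hint above, here is an added example (not from the post) that scores each queried name by the length, entropy and vowel ratio of its core label, a common heuristic for algorithmically generated domains, and then groups hits by client IP so that a host querying several such names stands out. The log format, the small suffix list and all the odd-looking domain names are constructed for this example; it generalizes the post's hint to a per-client count rather than a single lookup.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log: "<timestamp> <client-ip> <qtype> <qname>".
# The random-looking names are made up; the others are ordinary public domains.
SAMPLE_DNS_LOG = """\
2023-03-03T02:10:00Z 10.0.5.17 A www.deped.gov.ph
2023-03-03T02:10:02Z 10.0.5.17 A q8w3zk7xp2vn5hjt.com
2023-03-03T02:10:03Z 10.0.5.17 A mz4rt9kqb7xwdp.net
2023-03-03T02:10:05Z 10.0.5.17 A ln3vq8zkx2pwr6.org
2023-03-03T02:11:00Z 10.0.5.40 A login.microsoftonline.com
2023-03-03T02:11:10Z 10.0.5.40 A outlook.office365.com
2023-03-03T02:11:20Z 10.0.5.40 A www.deped.gov.ph
"""

# Assumed, tiny stand-in for the Public Suffix List (two-part suffixes only).
TWO_PART_SUFFIXES = {"gov.ph", "com.ph", "edu.ph", "co.uk"}

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def core_label(qname):
    """Return the label just left of the public suffix: 'deped' for www.deped.gov.ph."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label, min_len=10, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy, vowel-poor labels are typical DGA output.
    (DGAs that glue dictionary words together will slip past this check.)"""
    vowels = sum(ch in "aeiou" for ch in label)
    return (len(label) >= min_len and shannon_entropy(label) >= min_entropy
            and vowels / len(label) < max_vowel_ratio)

def flag_dga_clients(log_text, min_hits=3):
    """Map client IP -> sorted DGA-looking names, keeping only clients with at
    least min_hits distinct such names (one odd name is noise, many is a beacon)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        if looks_generated(core_label(qname)):
            hits[client].add(qname)
    return {c: sorted(n) for c, n in hits.items() if len(n) >= min_hits}
```

The flagged client IPs are the starting point for the lateral-movement check: match them against DHCP leases and the sign-in logs to find which accounts were used from those hosts.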

Eradication:

Weak or easily guessable passwords: If users have weak or easily guessable passwords, it can make it easier for attackers to gain unauthorized access to AAD.

Phishing attacks: Phishing attacks are a common method used by attackers to gain access to sensitive information. Users may inadvertently provide their AAD credentials to a phishing website.

Malware: Malware, such as viruses, trojans and ransomware, can infect systems and steal AAD credentials, allowing attackers to gain unauthorized access to sensitive data.

Insufficient access controls: If access controls are not properly configured, it can allow unauthorized users to access sensitive data in AAD.

Lack of multi-factor authentication: AAD can be configured to require multi-factor authentication, but if it is not enabled it can make it easier for attackers to gain access.

Vulnerabilities in third-party software: Vulnerabilities in third-party software, such as plugins and add-ons, can be exploited by attackers to gain access to AAD.

Employee/User negligence: Employee/User negligence can be a big cause, such as sharing credentials with unauthorized personnel, falling for phishing scams, or connecting to unsecured networks.

Brute-force attacks on mail servers: users' credentials in AD (Active Directory) are usually the SAME ones they use for their email. I have seen state-sponsored hacking groups make slow and low brute-force attempts at mail servers. These attempts are not usually logged in Windows event logs. See: https://mb.com.ph/2022/12/22/alarming-email-gap-exploited-by-state-sponsored-hackers/

  • Remove any malicious actors or malware from the affected systems. Run the Microsoft Malicious Software Removal Tool AND scan with your anti-virus software on ALL devices with an IP address: servers, desktops, mobile devices, CCTV/DVRs, IoT devices, among others.

Recovery:

  • Review and update security controls and policies to prevent similar breaches in the future.
  • Communicate with affected parties and stakeholders to keep them informed of the situation and any actions taken to address it.
  • Remember to notify the Data Privacy Commission and the DICT cybercrime division of the breach. These are mandatory reportorial requirements for the handling of any breach.

Post-Incident Review:

  • Document any lessons learned and implement any necessary changes to the incident response plan.
  • Share the report with stakeholders and higher management to notify them about the incident, actions taken and future preventive measures.

As always, I welcome your insights and comments, especially if I missed important steps in such an incident response plan. Thanks for reading this to the end :)

Data Analyst, Startup Founder, Tech Columnist
