
Your Microsoft 365 Email Has Just Been Compromised. What Do You Do Now?
Discovering that a Microsoft 365 mailbox has been compromised is stressful and urgent. An attacker holding the account can read and steal sensitive mail, send phishing or fraudulent payment requests to your contacts in your name, reset passwords on other services that use the mailbox for recovery, and pivot into other business systems the account can reach. If you suspect a breach, follow these steps, in this order, to regain control and secure the account.
Notify Your IT Department or Provider
If you have any suspicion that a mailbox has been compromised, notify IT immediately so they can act. The longer the attacker has unrestricted access, the more damage they can do to your business and its reputation. Your IT provider should be able to carry out everything described below.
Block Sign-In for That User
This first step is a precaution that prevents anyone, attacker or legitimate owner, from starting a new sign-in to the compromised account. It does not sign anyone out: sessions and tokens that were already issued keep working until they are revoked, which is a separate step below. You can block sign-in from the Microsoft 365 admin center or the Microsoft Entra admin center.
Change Their Password
Reset the account's password as soon as you suspect unauthorized access. Do the reset from the admin side (Microsoft 365 admin center or Microsoft Entra admin center) rather than relying on the user's self-service reset, because the attacker may have taken over the account's recovery methods. Use a strong password that mixes uppercase and lowercase letters, numbers and special characters, and never a common word or a password that has been used before. We prefer a long passphrase over a short random string: it is easier to remember and harder to guess. Note that a password reset alone does not end sessions that are already signed in; that is the next step.
Sign Out of All Sessions
To cut off access the attacker already has, revoke all of the user's active sessions. In the Microsoft Entra admin center, open the user's page and select Revoke sessions. This invalidates refresh tokens and browser session cookies, forcing every client to sign in again (which they cannot do while sign-in is blocked). Access tokens that were already issued stay valid until they expire, roughly an hour by default, so do this quickly and expect a short tail of activity in the logs.
Multifactor Authentication (MFA or 2FA)
If MFA is not yet enabled, enable it now. If it already is (which is usually the case), review the user's registered authentication methods in Microsoft Entra ID: attackers who get into an account commonly register their own Authenticator app, phone number or e-mail address so that they keep satisfying MFA after the password changes. Remove any method the user does not recognize, and confirm with the user by phone rather than by e-mail.
Review Enterprise Applications
Attackers may grant consent to an OAuth application, or register one, to keep persistent access to the mailbox. Such an application holds its own tokens, so it remains a backdoor after the password reset and session revocation. In the Microsoft Entra admin center, review Enterprise applications for recently added or unfamiliar apps, paying particular attention to each application's Permissions page and to mail permissions such as Mail.Read, Mail.Send or MailboxSettings.ReadWrite, and check App registrations for newly added client secrets or certificates. Remove the consent or the application for anything you cannot account for.
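The containment steps above can be done in the portals, but in an incident you want them done in seconds and in the right order. The script below is an added example written for this post, not Microsoft's code; it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and assumes the operator holds a role that can manage users and their sign-in methods, such as Global Administrator. The address victim@contoso.com is a placeholder. The delegated scopes listed are the ones Graph requires for these calls; Directory.AccessAsUser.All is what a delegated password reset needs.

```powershell
# Added example (not from the original post or from Microsoft). Requires the Microsoft.Graph module
# and an administrator able to manage users and authentication methods. UPN below is a placeholder.

$Upn = 'victim@contoso.com'

$scopes = @(
    'User.ReadWrite.All',
    'Directory.AccessAsUser.All',            # needed to reset another user's password (delegated)
    'UserAuthenticationMethod.ReadWrite.All',
    'DelegatedPermissionGrant.ReadWrite.All',
    'Application.Read.All'
)
Connect-MgGraph -Scopes $scopes

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled

# 1. Block sign-in. Stops NEW sign-ins only; tokens already issued keep working until step 3.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Reset the password to a long random value the attacker cannot know and force a change at
#    next sign-in. Done from the admin side because the attacker may own the recovery methods.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# 3. Revoke refresh tokens and browser session cookies. Access tokens already in the attacker's
#    hands stay valid until they expire (about an hour by default), so do this early.
Revoke-MgUserSignInSession -UserId $user.Id

# 4. List registered authentication methods. An unfamiliar Authenticator device, phone number or
#    e-mail address is a classic way the attacker keeps passing MFA after the reset.
Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
    [pscustomobject]@{
        Id     = $_.Id
        Type   = $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
        Detail = ($_.AdditionalProperties.GetEnumerator() |
                  Where-Object { $_.Key -in 'displayName', 'phoneNumber', 'emailAddress', 'deviceTag' } |
                  ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    }
} | Format-Table -AutoSize
# Remove an Authenticator registration the user does not recognise (confirm by phone first):
# Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId <Id>

# 5. Delegated OAuth consents held by this user. A malicious app the attacker consented to has its
#    own tokens and is unaffected by the password reset and session revocation above.
foreach ($g in (Get-MgUserOauth2PermissionGrant -UserId $user.Id)) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    [pscustomobject]@{
        GrantId   = $g.Id
        App       = $sp.DisplayName
        Publisher = $sp.PublisherName
        AppId     = $sp.AppId
        Scope     = $g.Scope          # e.g. "Mail.Read Mail.Send offline_access" is a red flag
    }
}
# Remove a consent you cannot account for:
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

Steps 4 and 5 only list what is registered; the removal cmdlets are left as comments because deleting the wrong method or consent locks out the legitimate user or breaks a sanctioned integration, so a human should confirm each item before running them.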
Check and Remove Unauthorized Email Forwarding Rules
Cybercriminals often set up forwarding or inbox rules that copy your mail to an address they control, or that quietly delete replies and security notifications so you do not notice. Check in three places:
- In Outlook on the web, go to Settings > Mail > Forwarding and remove any forwarding address you do not recognize.
- Still under Settings > Mail, open Rules (Rules & Alerts in desktop Outlook) and look for rules that forward, redirect, move or delete messages, especially ones with blank or innocuous names.
- Have an administrator check mailbox-level forwarding in the Exchange admin center (Recipients > Mailboxes > the mailbox > Manage mail flow settings > Email forwarding). This is set by administrators, not users, and does not appear in the user's Outlook settings. Rules can also be hidden so that they never show up in Outlook at all; Exchange Online PowerShell is the only reliable way to list those.
Review Account Activity and Recent Sign-Ins
In Microsoft Entra ID, review both the sign-in logs and the audit logs for the user. In the sign-in logs, look for IP addresses and locations the user would not be at, sign-ins from unusual client apps or legacy protocols (IMAP, POP, SMTP AUTH), and successful sign-ins that did not require MFA. In the audit logs, look for changes made to the account itself: new authentication methods, application consents, password resets and group changes. Mailbox-side actions such as inbox rule creation and forwarding changes are recorded in the Microsoft 365 unified audit log (Microsoft Purview > Audit), so search that as well. Note what the attacker read or sent, because that determines whom you have to notify.
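The forwarding, rule and log review described in the last two sections is where PowerShell earns its keep, because hidden rules and admin-side forwarding are invisible in Outlook. The script below is an added example written for this post, not Microsoft's code. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator has an Exchange administrator role plus the AuditLog.Read.All and Directory.Read.All scopes, and that the tenant has Microsoft Entra ID P1 or P2 (sign-in logs are kept for 30 days there; the free tier keeps only 7). The address victim@contoso.com is a placeholder.

```powershell
# Added example (not from the original post or from Microsoft). Requires ExchangeOnlineManagement
# and Microsoft.Graph, an Exchange admin role, and AuditLog.Read.All. Mailbox below is a placeholder.

$Mailbox = 'victim@contoso.com'
$Since   = (Get-Date).AddDays(-30)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Mailbox-level forwarding. Set by administrators (or an attacker with admin rights) and NOT
#    visible in the user's own Outlook forwarding settings.
Get-Mailbox -Identity $Mailbox |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 2. Inbox rules, including ones hidden from Outlook (-IncludeHidden). Attackers typically forward,
#    redirect or delete mail that matches words like "invoice", "password" or "suspicious".
Get-InboxRule -Mailbox $Mailbox -IncludeHidden |
    Select-Object Name, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
                  DeleteMessage, MoveToFolder, SubjectContainsWords, Description |
    Format-List

# Clean-up after review (fill in the rule name from the output above):
# Remove-InboxRule -Mailbox $Mailbox -Identity '<rule name>' -Confirm:$false
# Set-Mailbox -Identity $Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 3. Unified audit log: rule/forwarding changes, consents and sign-ins for this account, with the
#    source IP. Note: changes an attacker made with a *different* admin account are recorded under
#    that admin's identity, so drop -UserIds if you suspect that and filter on the output instead.
$ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox',
       'Add-MailboxPermission', 'Consent to application.', 'Add service principal.',
       'UserLoggedIn'
Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) -UserIds $Mailbox `
                       -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time   = $_.CreationDate
            Op     = $_.Operations
            IP     = $(if ($d.ClientIP) { $d.ClientIP } else { $d.ActorIpAddress })
            Detail = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    } | Sort-Object Time | Format-Table -AutoSize -Wrap

# 4. Entra sign-in logs: unfamiliar IPs/countries, legacy protocols (IMAP, POP, SMTP AUTH, shown
#    under ClientAppUsed), and successful sign-ins that were single-factor only.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
$sinceUtc = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Mailbox' and createdDateTime ge $sinceUtc" |
    Select-Object CreatedDateTime, IPAddress,
                  @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } },
                  AppDisplayName, ClientAppUsed, ConditionalAccessStatus,
                  @{ n = 'Auth';   e = { $_.AuthenticationRequirement } },
                  @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'success' } else { "fail $($_.Status.ErrorCode)" } } } |
    Format-Table -AutoSize
```

Read the four outputs together: a sign-in from an unfamiliar country followed minutes later by a New-InboxRule or UpdateInboxRules event from the same IP is the typical signature of a mailbox takeover, and the rule it created tells you what the attacker was trying to hide.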
Inform Your Contacts
If the account was used to send spam or phishing messages, tell your contacts as soon as possible, through a different channel if you can. Let them know not to open suspicious e-mails, click links or download attachments that came from the compromised account during the incident window, and to verify by phone any payment or banking changes it requested.
Now, How Do You Protect Your Microsoft 365 Accounts Going Forward?
Now that you have eliminated the immediate threat, what can you do to prevent this issue from happening again in the future?
Monitor Your Account and Set Up Alerts
Continuous monitoring for suspicious activity is key to stopping the next incident quickly. Create alerts for repeated failed sign-ins, new or changed forwarding and inbox rules, sign-ins from unusual locations, new application consents and changes to MFA methods. A Managed Detection and Response (MDR) service for Microsoft 365 can handle all of those tasks for you, and more, with the added benefit of 24/7/365 coverage.
Conditional Access Policies
Conditional Access policies (which require a Microsoft Entra ID P1 or P2 licence) let you set rules for when a sign-in is allowed: block access from untrusted locations or countries, require a compliant or hybrid-joined device, require MFA for every sign-in or for specific apps, and set session controls such as sign-in frequency that dictate how often a signed-in user must re-authenticate on certain devices.
Security Awareness Training
Regular training on current phishing and social engineering techniques goes a long way toward preventing a recurrence. Training helps users recognize phishing attempts, understand social engineering tactics, reduce human error and report incidents sooner. Tell users never to enter their Microsoft credentials on a page reached from a link or attachment in an e-mail without first verifying, by phone or in person, that the message is legitimate.
Need Some Assistance?
Dealing with this sort of incident can be stressful and daunting. If you’re unsure how to recover from an email compromise or want to better secure your Microsoft environment from future issues, feel free to reach out. We deal with this sort of thing every day, so we’re super familiar with it.
Recovering from a compromised Microsoft 365 email account requires swift action, but by following these steps, you can regain control and enhance your security. The key takeaway? Prevention is always better than recovery—implement strong security measures now to avoid future breaches!
Schedule a Consultation