Summary: Learn how to recognize and respond to a compromised email account in Office 365.
Access to Office 365 mailboxes, data, and other services is controlled through credentials, for example a user name and password or PIN. When someone other than the intended user steals those credentials, the credentials are considered compromised. With them, the attacker can sign in as the original user and perform illicit actions. Using the stolen credentials, the attacker can access the user's Office 365 mailbox, SharePoint folders, or files in the user's OneDrive. One action commonly seen is the attacker sending emails as the original user to recipients both inside and outside of the organization. When the attacker emails data to external recipients, this is called data exfiltration.
Users might notice and report unusual activity in their Office 365 mailboxes. Here are some common symptoms:
If a user reports any of the above symptoms, you should perform further investigation. The Microsoft 365 Security & Compliance Center and the Azure Portal offer tools to help you investigate the activity of a user account that you suspect may be compromised.
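One way to start that investigation from the command line, as an added example rather than code from the original page: pull the user's recent activity from the unified audit log with Exchange Online PowerShell, expand the JSON audit payload, and surface the operations that most often accompany an account takeover (sign-ins, inbox-rule changes, mailbox configuration changes, permission grants). This assumes the ExchangeOnlineManagement module is installed, the admin holds a role that can search the audit log, and that `user@contoso.example` is a placeholder UPN.

```powershell
# Added example (not part of the original page). Assumes the ExchangeOnlineManagement
# module and an account permitted to search the unified audit log.
Connect-ExchangeOnline

$user  = "user@contoso.example"          # placeholder UPN of the suspected account
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Fetch the user's audit records for the window (ResultSize caps at 5000 per call)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user -ResultSize 5000

# AuditData is a JSON string; expand the fields an investigator needs first
$parsed = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $e.CreationDate
        Operation = $e.Operations
        Workload  = $e.RecordType
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
    }
}

# Operations that commonly show up when a mailbox is hijacked: new or changed inbox
# rules, mailbox forwarding changes, delegate grants, and the sign-ins that preceded them
$watch = 'UserLoggedIn','New-InboxRule','Set-InboxRule','Set-Mailbox','Add-MailboxPermission','MailItemsAccessed'
$parsed | Where-Object { $watch -contains $_.Operation } | Sort-Object Time | Format-Table -AutoSize

# Sign-ins grouped by source IP make an unfamiliar location or ISP stand out
$parsed | Where-Object Operation -eq 'UserLoggedIn' |
    Group-Object ClientIP | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Correlate the timestamps of any rule or forwarding change with the sign-in IPs listed just before it; a configuration change made from an address the user has never signed in from is the strongest single indicator that the account, not the user, made the change.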
Even after you’ve regained access to your account, the attacker may have added back-door entries that enable the attacker to resume control of the account.
Perform all of the following steps as soon as possible to regain access to your account and make sure the hijacker doesn't resume control of it. These steps help you remove any back-door entries that the hijacker may have added to your account. After you perform these steps, we recommend that you run a virus scan to make sure that your computer isn't compromised.
Do not send the new password to the intended user through email as the attacker still has access to the mailbox at this point.
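The back-door entries referred to above are typically mail forwarding on the mailbox, inbox rules that forward, redirect or delete mail, and delegate permissions granted to another account. The following is an added example, not code from the original page, of how an administrator can reset the credential, invalidate existing sessions, and find and disable those entries with the MSOnline, AzureAD and ExchangeOnlineManagement modules. The UPN is a placeholder; the password is generated by the service and must be handed to the user out of band, never by email to the affected mailbox.

```powershell
# Added example (not part of the original page). Assumes the MSOnline, AzureAD and
# ExchangeOnlineManagement modules and an Exchange/Global administrator account.
Connect-MsolService
Connect-AzureAD
Connect-ExchangeOnline

$user = "user@contoso.example"   # placeholder UPN of the compromised account

# 1. Reset the password. With no -NewPassword, a random one is generated and returned.
#    Deliver it to the user by phone or in person, not by email to this mailbox.
$tempPassword = Set-MsolUserPassword -UserPrincipalName $user -ForceChangePassword $true

# 2. A password reset does not end sessions that already hold tokens; revoke them.
$aadUser = Get-AzureADUser -ObjectId $user
Revoke-AzureADUserAllRefreshToken -ObjectId $aadUser.ObjectId

# 3. Record and remove mailbox-level forwarding.
Get-Mailbox -Identity $user |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Set-Mailbox -Identity $user -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# 4. List every inbox rule, then disable (not delete) the ones that move mail out of
#    the user's sight so the evidence stays available to the investigation.
$rules = Get-InboxRule -Mailbox $user
$rules | Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder
$rules | Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Disable-InboxRule -Confirm:$false

# 5. Find delegate access that was granted directly (not inherited, not the user's own).
$delegates = Get-MailboxPermission -Identity $user |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' }
$delegates | Format-Table User, AccessRights -AutoSize
# Remove any delegate the user did not knowingly add:
# Remove-MailboxPermission -Identity $user -User '<delegate>' -AccessRights FullAccess -Confirm:$false
```

Keep the output of steps 3 to 5 with the incident record: the forwarding target, rule names and delegate accounts are the indicators you will want when checking whether other mailboxes in the tenant were touched the same way.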
It is highly recommended that you enable Multi-Factor Authentication (MFA) in order to prevent compromise, especially for accounts with administrative privileges. You can learn more here.
If the suspected compromised mailbox was used illicitly to send spam email, it is likely that the mailbox has been blocked from sending mail.
You can block the suspected compromised account from signing in until you believe it is safe to re-enable access.
Administrative role group membership can be restored after the account has been secured.
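The three notes above (a mailbox blocked from sending after it was used for spam, temporarily blocking sign-in, and removing the account from administrative role groups until it is secured) map to a few administrative cmdlets. The following is an added example, not code from the original page, using the ExchangeOnlineManagement and MSOnline modules with a placeholder UPN; the role list it captures is what lets you restore the membership later.

```powershell
# Added example (not part of the original page). Assumes the ExchangeOnlineManagement
# and MSOnline modules and an administrator account.
Connect-ExchangeOnline
Connect-MsolService

$user = "user@contoso.example"   # placeholder UPN of the compromised account

# Block sign-in while the account is being secured; set to $false to re-enable later.
Set-MsolUser -UserPrincipalName $user -BlockCredential $true

# Capture the account's current admin roles so they can be restored after clean-up,
# then remove the account from each of them.
$heldRoles = foreach ($role in Get-MsolRole) {
    $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
    if ($members.EmailAddress -contains $user) { $role }
}
$heldRoles | Select-Object Name, ObjectId | Export-Csv -Path ".\$($user)-roles.csv" -NoTypeInformation
foreach ($role in $heldRoles) {
    Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType User -RoleMemberEmailAddress $user
}

# If the mailbox was used to send spam it is likely on the restricted-senders list.
# Check, and only once the password is reset and back doors are removed, delist it.
$blocked = Get-BlockedSenderAddress -SenderAddress $user
if ($blocked) {
    $blocked | Format-List SenderAddress, CreatedDatetime, Reason
    Remove-BlockedSenderAddress -SenderAddress $user
}

# Restoration, after the account is confirmed clean (run separately):
# Set-MsolUser -UserPrincipalName $user -BlockCredential $false
# Import-Csv ".\$($user)-roles.csv" | ForEach-Object {
#     Add-MsolRoleMember -RoleObjectId $_.ObjectId -RoleMemberType User -RoleMemberEmailAddress $user
# }
```

Delisting the sender before the credential reset and rule clean-up are finished simply lets the attacker resume sending, so keep the order shown: block, remove roles, clean the mailbox, and only then delist and unblock.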
Your Office 365 subscription comes with a powerful set of security capabilities that you can use to protect your data and your users. Use the Office 365 security roadmap: Top priorities for the first 30 days, 90 days, and beyond to implement Microsoft-recommended best practices for securing your Office 365 tenant.