Recommended Steps when a User's Account is Compromised

Access to Office 365 mailboxes, data and other services, is controlled through the use of credentials. When someone other than the intended user steals those credentials, the stolen credentials are considered compromised.

With them the attacker can sign in as the original user and perform illicit actions. Using the stolen credentials, the attacker can access the user’s Office 365 mailbox, SharePoint folders, or files in the user's OneDrive. One action commonly seen is the attacker sending emails as the original user to recipients both inside and outside of the organization. When the attacker emails data to external recipients.

Users might notice and report unusual activity in their Office 365 mailboxes. Here are some common symptoms:

  • Suspicious activity, such as missing or deleted emails.
  • Other users might receive emails from the compromised account without the corresponding email existing in the Sent Items folder of the sender.
  • The presence of inbox rules that weren't created by the intended user or the administrator. These rules may automatically forward emails to unknown addresses or move them to the NotesJunk Email, or RSS Subscriptions folders.
  • The user's display name might be changed in the Global Address List.
  • The user's mailbox is blocked from sending email.
  • The Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web contain common hacked-account messages, such as "Help! I need money!"
  • An unusual signature was recently added, such as a fake banking signature or a prescription drug signature.

If a user reports any of the above symptoms, you should perform further investigation. The Microsoft 365 Security & Compliance Center and the Azure Portal offer tools to help you investigate the activity of a user account that you suspect may be compromised.

Even after you've regained access to your account, the attacker may have added back-door entries that enable the attacker to resume control of the account.

If your an account has been compromised in your tenant, we have recommendations that you can take to mitigate the issue. You will want to login to and perform the following steps:

  1. Immediately reset the users password and block the account from being able to sign in.

    Make sure that the password is strong and that it contains upper and lowercase letters, at least one number, and at least one special character.

    Don't reuse any of your last five passwords. Even though the password history requirement lets you reuse a more recent password, you should select something that the attacker can't guess.

    If your on-premises identity is federated with Office 365, you must change your password on-premises, and then you must notify your administrator of the compromise.

    DO NOT send the new password to the intended user through email as the attacker still has access to the mailbox at this point.

  2. Remove any suspicious email forwarding set on the mailbox.

  3. Disable any suspicious inbox rules on the users mailbox.

  4. Scan any devices that have been accessed by the users mailbox with your anti-virus software.

  5. If the suspected compromised mailbox was used illicitly to send spam email, it is likely that the mailbox has been blocked from sending mail. You will need to go to the Exchange Admin Center > Protection > Action Center and select the user and click unblock.

    We also recommend enabling  multi-factor authentication for your tenant,  especially for admin accounts.
    If you have any other security concerns, we recommend reaching out to your accounts manager to discuss your options.