Imagine logging into your Microsoft 365 account only to discover unfamiliar activities — a nightmare scenario for anyone reliant on digital communication. In our hyper-connected world, the security of your online accounts is paramount. When the unexpected happens, and your Microsoft 365 account falls into the wrong hands, knowing how to swiftly navigate through the crisis is crucial.
Recognizing the Symptoms of a Compromised Microsoft Email Account
Be alert for unusual activity in your Microsoft 365 mailboxes, such as:
Missing or deleted emails.
Emails sent from your account that are not in your Sent Items folder.
Unfamiliar inbox rules, possibly forwarding emails to unknown addresses.
Changes in your display name in the Global Address List.
Your mailbox being blocked from sending email.
Suspicious messages in your Sent Items or Deleted Items folders.
Unusual profile changes (name, phone number, postal code).
Frequent password changes.
Newly added mail forwarding or unusual signatures.
If users report unusual activities in their Microsoft 365 mailboxes, it's vital to investigate for a potential account compromise. The Microsoft Defender portal and Microsoft Entra admin center provide tools to assist in this investigation:
Unified Audit Logs in Microsoft Defender Portal: Use these logs to track activities. Filter logs from just before the suspicious activity started up to the present. Avoid filtering for specific activities initially. More details can be found in the 'Search the audit log' section.
Microsoft Entra Sign-In Logs and Risk Reports: In the Microsoft Entra admin center, closely examine the following to spot anomalies:
IP addresses associated with sign-ins.
Locations from where the sign-ins occurred.
Times of these sign-ins.
Success or failure of the sign-ins.
Securing and Restoring Email Function to a Compromised Microsoft 365 Account
Step 1: Reset the User's Password and Sign out of all sessions
Change the account password immediately, avoiding sending it via email and initiate sign out of the user from Microsoft 365. Use a strong, unique password, and update app passwords. Enable multi-factor authentication (MFA) for added security.
Step 2: Remove Suspicious Email Forwarding Addresses
Check for unauthorized email forwarding in the Microsoft 365 admin center and remove it.
Microsoft 365 admin center > Users > Active users > select the user account and click the Mail tab > Manage email forwarding
Step 3: Disable Suspicious Inbox Rules
Access the user's mailbox via Outlook on the web, review inbox rules, and disable or delete any suspicious ones.
Sign in to the user's mailbox using Outlook on the web.
Select Settings (gear icon), enter 'rules' in the Search box, and then select Inbox rules from the results.
On the Rules tab of the flyout that opens, review the existing rules, and turn off or delete any suspicious rules.
Step 4: Unblock the User from Sending Mail
If the account was blocked from sending mail, unblock it by visiting the Restricted Entities page at https://security.microsoft.com/restrictedentities
Step 5: Optional - Block the User Account from Signing In
Temporarily block the account in the Microsoft 365 admin center to prevent access until it's safe.
Step 6: Optional - Remove the Account from Administrative Role Groups
Remove the compromised account from all administrative role groups to prevent further misuse.
Step 7: Optional - Additional Precautionary Steps
Check the Sent items folder for any unusual activity. Inform your contacts about the compromise, especially if suspicious emails were sent from your account. Also, check other services that use the compromised account as an alternative email.
These steps are vital in fully restoring and securing your Microsoft 365 account and mailbox after a breach.
To help you to have peace of mind knowing your business is secure, click here to schedule a Microsoft 365 Secure Score review with our experts today. We'll evaluate your current cybersecurity measures, identify potential vulnerabilities, and help you implement a strategic security plan to keep your company safe.