Step-by-Step Guide: How to Recover a Compromised Email Account in Microsoft 365
- Hanna Korotka
- Jul 8
- 2 min read

The risk is real for SMBs
43% of cyber-attacks now target small and midsize businesses.
61% of SMBs are hit at least once a year.
The average breach bill tops $3.31 million, and most of that loss starts piling up in the first eight hours after a mailbox is hijacked.
A clear recovery playbook, backed by Microsoft's best-practice guidance, turns panic into a 30-minute fix.
Signs your Microsoft 365 mailbox may be compromised
One or more of the following behaviors usually points to a hijacked account:
- Mailbox suddenly blocked from sending mail.
- Missing or deleted messages, or mail appearing in unexpected folders.
- New Inbox rules that auto-forward messages to unknown addresses or shuffle mail into Junk, Notes, or RSS folders.
- Suspicious items in Sent Items or Deleted Items, for example "I'm stranded overseas, please wire funds".
- Unexpected changes to the user's GAL (Global Address List) profile, such as name, phone number, or address edits.
- Frequent password resets or account lock-outs the user didn't trigger.
- Recently enabled external forwarding on the mailbox.
- Unfamiliar email signatures, such as fake banking or prescription-drug promos.
If you notice any of these symptoms, use the recovery steps in the next section to quickly recover a compromised email account and lock attackers out.
Rapid-response checklist to recover a compromised email account
1. Disable sign-in. Block the account so no new sessions can start: Microsoft 365 admin portal > Users > Active users page > select the name of the employee you want to block > Block sign-in > Block this user from signing in > Save changes.
2. Reset password and revoke sessions. Resetting the password forces the user to sign out of Microsoft 365: Microsoft 365 admin portal > Users > Active users page > select the username > Reset password.
3. Remove malicious rules and forwarding. Delete any inbox or forwarding rules the attacker created:
- Sign in to the user's mailbox using Outlook on the web.
- Select Settings, enter 'rules' in the Search settings box, and then select Inbox rules in the results.
- On the Rules flyout that opens, review the existing rules, and turn off or delete any suspicious rules.
4. Reset multifactor authentication. Force the user to set up fresh MFA methods: Entra admin center > All users > select the username > Authentication methods > Require re-register multifactor authentication.
5. Review user-consented applications. See Microsoft's guidance on detecting and remediating illicit consent grants: https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-illicit-consent-grants#what-does-an-illicit-consent-grant-attack-look-like-in-microsoft-365
6. Search audit and sign-in logs. Review recent actions and sign-ins for anything out of the ordinary: Microsoft Purview portal > View all solutions > Audit.
7. Update Conditional Access policies. Make sure the account is covered by MFA and compliant-device policies, and remove any unnecessary exclusions: Entra admin center > Protection > Conditional Access > Policies.
8. Validate recovery and document. Have the user sign in and confirm the new password prompt, the MFA challenge, and the absence of rogue rules; then record the incident details and lessons learned.
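As an added example that is not part of the original post, the PowerShell below automates the containment parts of the checklist above (block sign-in, revoke sessions, disable forwarding rules and mailbox forwarding, list consent grants, pull audit events) with the Microsoft Graph and Exchange Online PowerShell modules. The user principal name, the Graph scopes and the 7-day audit window are assumptions; the password reset (step 2), MFA re-registration (step 4) and steps 7 and 8 are still done in the portals as described.

```powershell
# Added example: containment script for a compromised Microsoft 365 mailbox.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed
# and the operator holds the admin roles the checklist steps require.
param([Parameter(Mandatory)][string]$Upn)   # e.g. user@contoso.example (placeholder)

# Scopes are an assumption; adjust to what your tenant grants the operator.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Step 1: block sign-in so no new sessions can start.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# Step 2 (session half): invalidate refresh tokens so existing sessions die.
# The password reset itself is done in the admin portal as in the checklist.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# Step 3a: find inbox rules that forward, redirect, delete or hide mail
# (the patterns from the "signs" list) and disable them for later review.
$suspect = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or ($_.MoveToFolder -match 'Junk|Notes|RSS')
}
foreach ($rule in $suspect) {
    Write-Host "Disabling rule '$($rule.Name)': $($rule.Description)"
    Disable-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false
}

# Step 3b: clear mailbox-level forwarding configured outside inbox rules.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Host "Removing forwarding: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null `
        -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

# Step 5: list OAuth consent grants this user made, for the illicit-consent review.
Get-MgUserOauth2PermissionGrant -UserId $Upn |
    Select-Object ClientId, Scope, ConsentType | Format-Table -AutoSize

# Step 6: pull the last 7 days of sign-ins and rule/mailbox changes from the
# unified audit log; ClientIP lives inside the AuditData JSON, so parse it out.
$ops = 'UserLoggedIn', 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds $Upn -Operations $ops -ResultSize 500 |
    Select-Object CreationDate, Operations,
        @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
    Sort-Object CreationDate | Format-Table -AutoSize
```

Run it as a privileged administrator from a clean workstation, and keep the printed rule descriptions, forwarding targets and audit rows as the evidence for step 8.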
How PlexHosted Enhances Your Microsoft 365 Security Posture
PlexHosted secures your Microsoft 365 and Intune environment from setup to audit. We design the security plan, configure best-practice controls, and keep your workspace ready for third-party review, freeing you to focus on the business, not the threats.