Recommended steps to take if an account is compromised

Recommended steps to take if an account is compromised:
  1. Reset the user's password immediately. Do not communicate the new password through email to the end user.
    Enable Multi-Factor Authentication (MFA) to help prevent account compromise, especially for accounts with administrative privileges. For more information, see Set up multi-factor authentication.
  2. Remove any suspicious forwarding addresses set at the mailbox level.
    Quick detection via PowerShell:
    Get-Mailbox -Identity test@itpartner365.com | Format-Table UserPrincipalName,ForwardingSmtpAddress,DeliverToMailboxAndForward
  3. Remove any suspicious inbox rules set within the mailbox.
    Quick detection via PowerShell:
    Get-InboxRule -Mailbox test@itpartner365.com | Where-Object {$_.ForwardTo -or $_.ForwardAsAttachmentTo} | Format-List MailboxOwnerId,Name,Description
  4. Check whether the account has been restricted from sending email. In the Microsoft Defender portal at https://security.microsoft.com, go to Email & Collaboration > Review > Restricted users, or go directly to https://security.microsoft.com/restrictedusers. If the user is on the list, select the user and then select Unblock. Follow the steps in the flyout pane, and then select Yes to confirm. The account should be able to send messages again, usually within an hour.
  5. Optional: Block the user account from signing in
  6. Optional: Remove the suspected compromised account from all administrative role groups
  7. Optional: Additional precautionary steps:
    1. Verify the contents of the Sent items folder of the account in Outlook or Outlook on the web.
    2. You might need to inform people in your contacts list that your account was compromised. For example, the attacker might have sent messages asking your contacts for money, or the attacker might have sent a virus to hijack their computers.
    3. The accounts for any other services that use this account as an alternative email account might have also been compromised. After you do the steps in this article for the account in this Microsoft 365 organization, do these steps for your other accounts.
    4. Verify the contact information (for example, telephone numbers and addresses) of the account.
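
The two quick checks in steps 2 and 3 can be combined into one report. The following is an added example, not part of the original article: the function name `Get-ForwardingFinding`, the `-InternalDomain` list and the sample objects are assumptions made for illustration, and it goes slightly beyond the commands above by also looking at the `ForwardingAddress` mailbox property and the `RedirectTo` rule action. Targets without an SMTP address (for example internal directory recipients) are listed with `External = False`.

```powershell
# Added example: report forwarding on one mailbox and flag targets outside your domains.
function Get-ForwardingFinding {
    param(
        [Parameter(Mandatory)] $Mailbox,     # object shaped like Get-Mailbox output
        [object[]] $InboxRule = @(),         # objects shaped like Get-InboxRule output
        [string[]] $InternalDomain = @()     # assumption: the tenant's own mail domains
    )
    # Collect every populated forwarding setting, mailbox level first, then per rule.
    $hits = @(
        foreach ($p in 'ForwardingSmtpAddress', 'ForwardingAddress') {
            if ($Mailbox.$p) {
                [pscustomobject]@{ Source = 'Mailbox'; Name = $p; Setting = $p; Target = $Mailbox.$p }
            }
        }
        foreach ($r in $InboxRule) {
            foreach ($p in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
                if ($r.$p) {
                    [pscustomobject]@{ Source = 'InboxRule'; Name = $r.Name; Setting = $p; Target = $r.$p }
                }
            }
        }
    )
    foreach ($h in $hits) {
        # Targets look like 'smtp:a@b.com' or '"Name" [SMTP:a@b.com]'; pull out the SMTP addresses.
        $text  = "$($h.Target)"
        $addrs = [regex]::Matches($text, '[\w.+-]+@[\w.-]+\.\w+') | ForEach-Object { $_.Value.ToLower() }
        $ext   = @($addrs | Where-Object { $_.Split('@')[1] -notin $InternalDomain })
        [pscustomobject]@{
            Mailbox  = $Mailbox.UserPrincipalName
            Source   = $h.Source
            Name     = $h.Name
            Setting  = $h.Setting
            Target   = $text
            External = $ext.Count -gt 0     # true when any target is outside $InternalDomain
        }
    }
}

# Constructed sample objects (not real data).
$mbx = [pscustomobject]@{
    UserPrincipalName = 'test@itpartner365.com'; ForwardingAddress = $null
    ForwardingSmtpAddress = 'smtp:drop@example.net'; DeliverToMailboxAndForward = $true
}
$rules = @(
    [pscustomobject]@{ Name = 'Rule A'; RedirectTo = @('"x" [SMTP:drop@example.net]') }
    [pscustomobject]@{ Name = 'Team copy'; ForwardTo = @('"Helpdesk" [SMTP:helpdesk@itpartner365.com]') }
)
Get-ForwardingFinding -Mailbox $mbx -InboxRule $rules -InternalDomain 'itpartner365.com' | Format-Table
# Live data: -Mailbox (Get-Mailbox -Identity $upn) -InboxRule (Get-InboxRule -Mailbox $upn)
```

With the sample objects, the mailbox-level forward and `Rule A` are reported with `External = True`, and `Team copy` with `External = False`.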
