Recommended steps to take if an account is compromised
Recommended steps to take if an account is compromised:
- Reset the user's password immediately. Do not communicate the new password through email to the end user.
- Enable Multi-Factor Authentication (MFA) to prevent compromised accounts, especially for accounts with administrative privileges. For more information, see Set up multi-factor authentication.
- Remove any suspicious forwarding addresses set at the mailbox level.
  Quick detection via PowerShell:
  Get-Mailbox -Identity test@itpartner365.com | Format-Table UserPrincipalName,ForwardingSmtpAddress,DeliverToMailboxAndForward
- Remove any suspicious inbox rules set within the mailbox.
  Quick detection via PowerShell:
  Get-InboxRule -Mailbox test@itpartner365.com | Where-Object {$_.ForwardTo -or $_.ForwardAsAttachmentTo} | Format-List MailboxOwnerId,Name,Description
- Go to the Microsoft Defender portal at https://security.microsoft.com > Email & Collaboration > Review > Restricted users, or directly at https://security.microsoft.com/restrictedusers. If the user is on the list, select the user and then select Unblock. Follow the steps in the flyout pane, and then select Yes to confirm. The account should be able to send messages again, usually within an hour.
- Optional: Block the user account from signing in
- Optional: Remove the suspected compromised account from all administrative role groups
- Optional: Additional precautionary steps:
  - Verify the contents of the Sent items folder of the account in Outlook or Outlook on the web.
  - You might need to inform people in your contacts list that your account was compromised. For example, the attacker might have sent messages asking your contacts for money, or the attacker might have sent a virus to hijack their computers.
  - The accounts for any other services that use this account as an alternative email account might have also been compromised. After you do the steps in this article for the account in this Microsoft 365 organization, do these steps for your other accounts.
  - Verify the contact information (for example, telephone numbers and addresses) of the account.
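
An added example, not part of the original article: the two quick forwarding checks from the steps above, combined into one PowerShell function that lists every forwarding destination for a mailbox and marks whether it lies outside the organization's own domains. It goes beyond the article's commands by also inspecting RedirectTo; the function name, the sample objects and the contoso.example / outside.example domains are constructed for illustration.

```powershell
# Added example (hypothetical helper name): summarize where a mailbox forwards mail.
function Get-ForwardingFinding {
    param(
        [Parameter(Mandatory)] $Mailbox,                   # object from Get-Mailbox
        [object[]] $InboxRule = @(),                       # objects from Get-InboxRule
        [Parameter(Mandatory)] [string[]] $InternalDomain  # the organization's own mail domains
    )
    $targets = @()
    if ($Mailbox.ForwardingSmtpAddress) {
        $targets += [pscustomobject]@{ Source = 'Mailbox'; Rule = $null; Raw = "$($Mailbox.ForwardingSmtpAddress)" }
    }
    foreach ($rule in $InboxRule) {
        foreach ($prop in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            foreach ($value in @($rule.$prop)) {
                if ($value) { $targets += [pscustomobject]@{ Source = $prop; Rule = $rule.Name; Raw = "$value" } }
            }
        }
    }
    foreach ($t in $targets) {
        # Assumed value shapes: 'smtp:user@domain' and '"Name" [SMTP:user@domain]'.
        $address = if ($t.Raw -match 'smtp:([^\]\s]+)') { $Matches[1] } else { $null }
        $domain  = if ($address) { ($address -split '@')[-1] } else { $null }
        [pscustomobject]@{
            Source   = $t.Source
            Rule     = $t.Rule
            Target   = if ($address) { $address } else { $t.Raw }
            # $null means no SMTP address could be parsed: review that entry by hand.
            External = if ($domain) { $InternalDomain -notcontains $domain } else { $null }
        }
    }
}

# Constructed sample objects so the function can be tried without a tenant connection.
$mbx = [pscustomobject]@{
    UserPrincipalName     = 'user@contoso.example'
    ForwardingSmtpAddress = 'smtp:drop@outside.example'
}
$rules = @(
    [pscustomobject]@{ Name = 'Sample rule A'; ForwardTo  = @('"Ext" [SMTP:collector@outside.example]') }
    [pscustomobject]@{ Name = 'Sample rule B'; RedirectTo = @('"Assistant" [SMTP:assistant@contoso.example]') }
)
Get-ForwardingFinding -Mailbox $mbx -InboxRule $rules -InternalDomain 'contoso.example' | Format-Table

# Against a live Exchange Online session, feed it real objects instead:
#   $upn = 'test@itpartner365.com'
#   Get-ForwardingFinding -Mailbox (Get-Mailbox -Identity $upn) -InboxRule (Get-InboxRule -Mailbox $upn) `
#       -InternalDomain (Get-AcceptedDomain).DomainName
```

With the constructed sample, the mailbox-level address and "Sample rule A" are reported with External set to True, while "Sample rule B" redirects to an internal address and is reported as False.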