My O365 account has been compromised. Now what?

Posted by

Nowadays, one of the most common security support requests from our customers (and increasing) is for assistance with remediating an account compromise. The most common scenario is that a member of their organization became the victim of a phishing scam and the attacker obtained the password for their account.

If your Office 365 subscription has been compromised, your accounts may be blocked to defend you and your contacts. Take into account that sometimes, hackers may have added back-door entries to your account which empowers attacker to regain control of your account even after you have recovered it. In order to protect the account, you must complete the following instructions.

These steps allow you to get rid of any back-door entries added to your account:

First of all, Block user sign-in

    • Go to Office365 Admin Center – https://admin.microsoft.com/
    • Expand “Users” and press “Active users”
    • Select user that you need and block sing-in
    • Confirm blocking
    • Press “Save Changes”

Check O365 environment

EXO Message Flow

      • Check the message flow to identify suspicious emails that might have been sent on behalf of the user. Go to Exchange Online Admin Panel – https://outlook.office365.com/ecp
      • Click “Message flow”, then select “Message Trace” tab.
      • Select user by pressing “add sender” and press “search”
      • Сheck all outgoing messages for suspicious emails.
      • Also check tabs “rules” and “connectors” for any strange data

Check Physical Devices

  • Check all user’s workstations, laptops and mobile devices.
    • Install AV software, for example https://malwarebytes.com/ or any other
    • Run full scan and check results.
    • Install all Windows updates.

Determine the source

    • Ask the user about any recently lost devices.
    • Ask the user about any suspicious situations and actions, like download and open strange attachments, software installation, visited web-sites and others
    • Ask the user about any public Wi-Fi networks he used.

Eliminate the source of infection, if found

Reset user password and unlock account

I know that probably you have pass over this situation, but maybe for other people will help to take immediate actions to recover from an Office 365 compromise.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s