How To Fix A Compromised (Hacked) Microsoft 365 Account
Keeping the tenant and its users as secure as possible matters more than ever, especially given the new ways attackers have to obtain account credentials. There is a lot that can be done when an account has been compromised, and a lot that can be put in place to help prevent it from happening again. Here are the steps to take as soon as a compromised account is discovered:
- Reset Account Password - This is a big one. Resetting the password is the absolute first thing that should be done. The attacker has access in the first place because they obtained the password, so resetting it ensures they no longer have it. It's important to note that in the event of a breach the new password should be vastly different from the old one.
- Remove Account From All Administrator Roles - If the account is an admin or a member of any admin role group, it can be removed until it is certain that the account is no longer compromised. If the attacker gains admin access, there is a great deal more they can do across the entire Microsoft 365 tenant, and that could be very bad news.
- Sign Out of All Sessions - This is something that is often overlooked, but a password reset on its own does not end sessions that are already signed in. To completely ensure the hacker no longer has access to anything, all active sessions need to be ended.
- Check/Disable Mailbox Rules - Most of the time, hackers will apply specific inbox rules to the account to break the mail flow, for example rules that forward, redirect or delete incoming messages. We see this VERY often and it always needs to be looked at when fixing a breached account.
- Check/Disable Mail Forwarding - By default, Microsoft has mail forwarding turned off, but it is very important to check this on a breached account. A lot of the time, hackers will enable this feature so that all mail is sent straight to their own address while the user has no idea. It can be disabled and the forwarding addresses removed.
- Enable Multi-Factor Authentication (MFA) - MFA is becoming the norm for email security and should be adopted everywhere. It would stop most hackers in their tracks and ensures that identity is verified on each sign-in attempt by sending a secure code to the actual account owner.
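The steps above can be run end to end from an administrator workstation. The following PowerShell script is an added example written for this article, not code from the original author or from Microsoft; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds the admin roles those cmdlets require, and that the `$Upn` parameter (a placeholder) is the user principal name of the compromised account. The Graph permission scopes requested are the ones these cmdlets are documented to need; adjust them if your tenant grants them differently.

```powershell
# Added example (not from the original article): containment steps for one
# compromised Microsoft 365 account, in the order the article gives them.
# Assumes Microsoft.Graph and ExchangeOnlineManagement are installed and that
# $Upn (placeholder parameter) is the affected user's UPN.
param(
    [Parameter(Mandatory = $true)]
    [string]$Upn
)

# Connect once to Microsoft Graph (identity steps) and once to Exchange Online (mailbox steps).
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Reset the password to a long random value (unrelated to the old one) and
#    force the user to change it at next sign-in. Deliver it out of band.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
Write-Host "Temporary password set for $Upn (hand it to the user out of band)."

# 2. Remove the account from every activated directory (admin) role it holds.
$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
foreach ($role in Get-MgDirectoryRole) {
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id
    if ($members.Id -contains $user.Id) {
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -DirectoryObjectId $user.Id
        Write-Host "Removed $Upn from role '$($role.DisplayName)'."
    }
}

# 3. Revoke all refresh tokens so every existing session is signed out;
#    a password reset alone leaves already-issued tokens valid.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Write-Host "All sessions revoked for $Upn."

# 4. Review inbox rules and disable any that forward, redirect or delete mail.
#    Rules are disabled rather than removed so they remain available as evidence.
$suspicious = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
foreach ($rule in $suspicious) {
    Write-Host "Disabling inbox rule '$($rule.Name)' (forward/redirect/delete action found)."
    Disable-InboxRule -Identity $rule.Identity -Confirm:$false
}
# Print whatever remains so a human can review rules the filter above did not catch.
Get-InboxRule -Mailbox $Upn | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage

# 5. Clear mailbox-level forwarding (both external SMTP forwarding and internal forwarding).
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Host "Forwarding found: SMTP='$($mbx.ForwardingSmtpAddress)' Internal='$($mbx.ForwardingAddress)'"
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

# 6. MFA is enforced through a Conditional Access policy (or security defaults)
#    rather than a per-mailbox switch; confirm in Entra ID that a policy requiring
#    MFA covers this user before returning the account to service.
```

Run it as `.\Contain-M365Account.ps1 -Upn user@example.com` (the script name is a placeholder). The inbox-rule filter only flags actions the article calls out (forwarding, redirecting, deleting); the final `Get-InboxRule` listing exists precisely so that rules which merely move mail into an obscure folder still get a human look.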