What to Do If Your Office 365 Account is Hacked
Breaches can come in many different forms, and hackers try to go as long as possible without the user realizing the account has been stolen. This is why it's crucial to know what to look out for so you can stop a breach before it goes too far. Here are a few signs that you may need to take action for a breach:
- Unusual Mail Routing - If all inbound mail is going into certain folders that are atypical for a user's mail flow, that could be a sign of a breach. For example, if a user starts to see all mail going into the Junk folder, it may be time to take action.
- Emails Sending From Account - A lot of times, hackers will gain access and start sending emails from that user's account to all of the contacts. This is an attempt to make an email look legit and gain credentials from your contacts. If you start to see multiple emails being sent from your mailbox that you are not sending, ALERT!
- Inability to Send Outbound Mail/Non-deliverables - When Microsoft sees multiple suspicious emails coming out of a mailbox in a very short period of time, they will flag the account and that user will not be able to send at all. This goes in conjunction with item #2 above, and the flag needs to be removed before sending mail again.
- Foreign or Unusual Sign-in Activity - There are tools that can be used to monitor sign-in activity and they are perfect for detecting breaches. A lot of times, there will be international sign-in attempts on an account and this could be a big sign of a breach. Typically, we can trace this back to a general region or VPN provider, but if we see this, we will take action right away.
- Reset Account Password - This is a big one. Resetting the password is the absolute first thing that should be done. The reason the hacker has access in the first place is because he gained access to the password, so resetting it will ensure that he does not have access anymore. It's important to note that in the event of a breach the new password should be vastly different than the old one.
- Sign Out of All Sessions - This is something that is overlooked, but to completely ensure that the hacker does not have access to anything, all sessions need to be ended.
- Check Mailbox Rules - Most of the time, hackers will apply specific rules on the account to break the mail flow. We see this VERY often and it always needs to be looked at when fixing a breached account.
- Check Mail Forwarding - By default, Microsoft has Mail Forwarding turned off, but it is very important to check this with a breached account. A lot of times, hackers will enable this feature on the account to send all mail straight to their account while the user has no idea.
- Enable Multi-Factor Authentication (MFA) - MFA is becoming the norm when it comes to email security and should be adopted everywhere. This would stop most hackers in their tracks and ensures that identity is verified upon each sign-in attempt by sending a secure code to the actual account owner.
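
The mailbox rule and mail forwarding checks above can be scripted. This PowerShell is an added example, not part of the original article: the function names, the folder list and the sample data are assumptions made for illustration, while the property names are those returned by Get-InboxRule and Get-Mailbox in Exchange Online PowerShell.

```powershell
# Added example: flag inbox rules and mailbox forwarding of the kinds described above.
function Find-SuspiciousInboxRule {
    param([Parameter(ValueFromPipeline)] $Rule)
    process {
        $reasons = @()
        if ($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo) {
            $reasons += 'forwards or redirects mail'
        }
        if ($Rule.DeleteMessage) { $reasons += 'deletes incoming mail' }
        # Folder list is an assumption; extend it for your tenant's language and folders.
        if ("$($Rule.MoveToFolder)" -match 'Junk|Deleted Items') {
            $reasons += "moves mail to $($Rule.MoveToFolder)"
        }
        if ($reasons) {
            [pscustomobject]@{
                Rule    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

function Test-MailboxForwarding {
    param($Mailbox)
    # Either property being set means mail is being sent on to another recipient.
    [bool]($Mailbox.ForwardingSmtpAddress -or $Mailbox.ForwardingAddress)
}

# Constructed sample objects standing in for cmdlet output, so the script runs offline.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; MoveToFolder = 'Reading' }
    [pscustomobject]@{ Name = '.'; Enabled = $true; MoveToFolder = 'Junk Email' }
    [pscustomobject]@{ Name = 'sync'; Enabled = $true; ForwardTo = 'outside@example.net'; DeleteMessage = $true }
)
$sampleMailbox = [pscustomobject]@{ ForwardingSmtpAddress = 'smtp:outside@example.net' }

$sampleRules | Find-SuspiciousInboxRule | Format-Table -AutoSize
"Forwarding enabled: $(Test-MailboxForwarding $sampleMailbox)"

# Against a live tenant (after Connect-ExchangeOnline; the address is a placeholder):
#   Get-InboxRule -Mailbox user@example.com | Find-SuspiciousInboxRule
#   Test-MailboxForwarding (Get-Mailbox -Identity user@example.com)
```

A flagged rule is a prompt for review, not proof of a breach: confirm with the mailbox owner before disabling or removing it.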