A few steps to secure and restore a compromised Office 365 account
Peter Ward
CEO @ SoHo Dragon | Microsoft 365 MVP | AI, Generative AI, Copilots and Low Code | Mentor @ Microsoft for Startups | The Governor
Your users might report unusual or suspicious activity in their Office 365 accounts or mailboxes. Once an account is confirmed compromised, the following steps should be performed swiftly to protect your organization's accounts and sensitive data.
Reset the password: First and foremost, immediately reset the password; this takes control of the account back from the attacker. A password reset alone does not end sessions the attacker already has, so also revoke the user's active sign-in sessions and refresh tokens so that stolen tokens stop working, and consider blocking sign-in temporarily until the investigation is complete.
Turn on Multi-Factor Authentication (MFA): Once the password is changed the account is safer, but it is not guaranteed to be secure; the attacker may capture the new password the same way they got the old one (a phishing page or an infected device). With MFA enabled, a sign-in succeeds only when the user proves a second factor in addition to the password. Enable it for everyone through a Conditional Access policy or Security Defaults rather than user by user.
When an attacker who holds the password attempts to sign in to an MFA-protected account, the sign-in is blocked unless the second factor is satisfied, and the targeted user receives an unexpected prompt (a text, a phone call or an authenticator notification). That prompt tells the employee that their password has been compromised and must be changed. Train users never to approve a prompt they did not initiate: attackers deliberately send repeated prompts hoping one will be approved. Prefer an authenticator app or a FIDO2 security key over SMS, which is exposed to SIM-swap attacks.
“Employees should be trained to report the incident to the Office 365 Administrator ASAP. You can find important information on how to train your employees by logging in to admin.microsoft.com and clicking the Train your people link.”
Check inbox rules, mailbox forwarding and tenant mail flow rules applied to the compromised account: An administrator should review the compromised mailbox for unrecognized or suspicious rules rather than relying only on the user looking in Outlook, because rules created through the mailbox protocol can be hidden from the Outlook client. Three places need checking: the mailbox's inbox rules, the mailbox's forwarding settings (ForwardingAddress and ForwardingSmtpAddress), and the tenant-wide mail flow (transport) rules in the Exchange admin center, which an attacker with admin rights can use to copy or redirect mail for any mailbox.
Attackers often create rules that forward or redirect mail to an external address in order to get hold of important emails and sensitive data, and rules that delete incoming mail or move it to a rarely read folder (RSS Feeds, Archive, Junk) so that the victim never sees password-reset notices or replies to fraudulent messages sent from the account. Disable rather than delete what you find, so the rule definition survives as evidence.
Run a message trace from the Exchange Admin Center (EAC):
Office 365 administrators should open the Exchange admin center (admin.exchange.microsoft.com, Mail flow > Message trace) and run a message trace; the protection.office.com address used in older guidance is the legacy Security & Compliance Center. Message trace is the tool for tracking and monitoring mail flow during an incident.
Every email entering or leaving the Office 365 tenant passes through Exchange Online, which logs the sender, recipient, timestamp, size and delivery status of each message. Because the trace is built from these transport logs rather than from the mailbox, it still shows a message even if someone deleted or purged it from the mailbox. A standard trace covers roughly the last 10 days and an extended (historical) trace reaches back up to 90 days, so run it promptly. Use it to see what left the compromised mailbox, in particular bulk sends to external recipients and any mail forwarded out by a rule.
Check the audit log: Unified audit logging is on by default in current tenants, but verify that it is enabled for yours. Once on, it captures activity across the entire Office 365 tenant, including but not limited to Office 365 sign-ins, failed sign-in attempts, password resets, inbox rule creation and mailbox forwarding changes.
For a compromised account the audit log also records the IP address and client used for each event, so you can establish when the attacker first got in, from where, and what they did (which rules they created, which mail they accessed), and then pivot on that IP address to find other accounts signed into from it. This makes it one of the most beneficial features of Microsoft Office 365 during an incident. Entries are kept only for a limited retention window (180 days with Audit (Standard), longer with Audit (Premium)), so search promptly and export what you find.
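The steps above, carried out from PowerShell as one triage script. This is an added example and not the article's own content: it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator holds the Exchange Administrator and User Administrator roles, and it uses the constructed placeholders alex@contoso.com and contoso.com for the compromised mailbox and the tenant domain. It takes the account back (password reset plus session revocation), disables suspicious inbox rules and mailbox forwarding, lists transport rules that copy or redirect mail, traces what the mailbox sent to external recipients, and pulls the user's sign-in and mailbox-configuration events from the unified audit log with the client IP of each.

```powershell
# Added example, not part of the original article: first-hour triage of a
# compromised Exchange Online mailbox, driven from PowerShell.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed
# and that the operator holds the Exchange Administrator and User Administrator
# roles. The mailbox and domain below are constructed placeholders.
param(
    [string]$User         = 'alex@contoso.com',   # compromised account (placeholder)
    [string]$TenantDomain = 'contoso.com',        # used to spot external recipients
    [int]   $TraceDays    = 10                    # standard message trace covers ~10 days
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# 1. Take the account back. A new password alone does not invalidate tokens the
#    attacker already holds, so revoke every sign-in session as well.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes) + '!'
Update-MgUser -UserId $User -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
Revoke-MgUserSignInSession -UserId $User | Out-Null
# Optional while investigating: Update-MgUser -UserId $User -AccountEnabled:$false

# 2. Inbox rules, including ones hidden from the Outlook client, plus mailbox
#    forwarding. Disable rather than delete so the definitions remain as evidence.
$rules = Get-InboxRule -Mailbox $User -IncludeHidden
$suspicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
    ("$($_.MoveToFolder)" -match 'RSS|Archive|Junk|Conversation History')
}
$suspicious | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize
foreach ($r in $suspicious) {
    Disable-InboxRule -Identity $r.Identity -Mailbox $User -Confirm:$false
}

$mbx = Get-Mailbox -Identity $User
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Write-Warning "Forwarding was set: $($mbx.ForwardingAddress) $($mbx.ForwardingSmtpAddress)"
    Set-Mailbox -Identity $User -ForwardingAddress $null -ForwardingSmtpAddress $null `
                -DeliverToMailboxAndForward $false
}

# Tenant-wide mail flow (transport) rules that copy or redirect mail are a
# separate place an attacker with admin rights can plant forwarding.
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.AddToRecipients -or $_.CopyTo } |
    Format-Table Name, State, WhenChanged, RedirectMessageTo, BlindCopyTo -AutoSize

# 3. Message trace: what left the mailbox, grouped by external recipient.
$end   = Get-Date
$start = $end.AddDays(-$TraceDays)
Get-MessageTrace -SenderAddress $User -StartDate $start -EndDate $end -PageSize 5000 |
    Where-Object { $_.RecipientAddress -notlike "*@$TenantDomain" } |
    Group-Object RecipientAddress | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name | Format-Table -AutoSize

# 4. Unified audit log: sign-ins and mailbox-configuration changes for this user,
#    with the client IP of each event so the attacker's address can be pivoted on.
$ops = 'UserLoggedIn', 'UserLoginFailed', 'New-InboxRule', 'Set-InboxRule',
       'UpdateInboxRules', 'Set-Mailbox'
$events = Search-UnifiedAuditLog -StartDate $end.AddDays(-90) -EndDate $end `
              -UserIds $User -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json      # AuditData is a JSON string
        [pscustomobject]@{
            Time      = $d.CreationTime
            Operation = $d.Operation
            ClientIP  = $d.ClientIP
            Result    = $d.ResultStatus
        }
    }
$events | Group-Object ClientIP | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$events | Sort-Object Time | Export-Csv ".\$User-audit.csv" -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once per compromised account; the exported CSV is the evidence to keep. Any IP address that appears under both UserLoginFailed and UserLoggedIn, or that created a rule, is the one to search for across the rest of the tenant (Search-UnifiedAuditLog with -IPAddresses) to find further victims, and the transport-rule listing should be empty unless you recognize every entry.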