It seems like every week, I’m hearing about another Microsoft 365 account getting compromised. A lot of business leaders think Microsoft handles all the cybersecurity for them, but that’s just not the case. If you’re not actively managing it, you’re leaving yourself wide open.
If you suspect your Office 365 account has been hacked and is sending out dodgy emails, don’t panic. There are immediate steps you need to take to get things under control. A quick way to check your domain’s security score is by visiting securemyemails.com. If your score is below 70, it’s a clear sign your email configuration needs some serious attention. If you’ve already been hit, here’s what you need to do.
Immediate Steps When An Account Is Compromised
First off, you’ll need to log into the admin console. Make sure you’re using a separate admin account, not the one that’s potentially compromised. The very first action is to sign the user out of all active sessions. This cuts off any immediate access the hacker might have.
Next, reset the user’s password. Make sure it’s a strong, unique password that hasn’t been used anywhere else. After that, it’s time to dig into the settings.
Key Takeaways
- Sign the user out of all sessions.
- Reset the user’s password.
- Check for new forwarding rules in Outlook.
- Review OAuth app access.
- Examine OneDrive and SharePoint activity logs.
- Warn recipients not to click on suspicious emails.
Checking For Malicious Settings
Open up Outlook and check for any new forwarding rules that might have been set up. Hackers often use these to redirect emails to themselves. While you’re on the compromised device, it’s a good idea to take screenshots of anything that looks odd. This can be helpful for later investigation.
I also strongly recommend running a malware scan using a tool like Malwarebytes. This helps check if any suspicious software has been installed. If your antivirus or EDR solution isn’t up to scratch, this step is even more important.
Reviewing App Permissions And Activity Logs
Next, head over to the list of Microsoft apps that use OAuth. Check if any unfamiliar apps have been added. These could be granting the hacker access to your data. It’s vital to review these permissions carefully.
After that, look at the logs for SharePoint and OneDrive. See if there’s any unusual document access or activity. This can give you clues about what the hacker was after.
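The same steps can be scripted. The PowerShell below is an added example, not part of the original post: it signs the user out everywhere, then runs the forwarding, OAuth and file-activity checks read-only, leaving the password reset to the admin console as described above. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that audit logging is enabled in the tenant; the user address and the 14-day window are placeholders.

```powershell
# Added example: containment and triage for one suspected-compromised user.
# Run it while signed in with a separate admin account, not the affected one.
$Upn  = 'user@example.com'          # placeholder: the affected user
$Days = 14                          # assumption: how far back to review file activity

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All'
Connect-ExchangeOnline

# 1. Sign the user out of all active sessions (invalidates their refresh tokens).
$user = Get-MgUser -UserId $Upn
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Inbox rules that forward or redirect mail. Review every hit by hand.
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo |
    Format-List

# 3. Forwarding set on the mailbox itself, which never shows up as a rule in Outlook.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-List

# 4. OAuth apps this user has personally consented to, with the granted scopes.
#    Tenant-wide (admin consent) grants are not tied to the user and are not listed here.
Get-MgOauth2PermissionGrant -Filter "principalId eq '$($user.Id)'" -All |
    ForEach-Object {
        $app = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            App   = $app.DisplayName
            AppId = $app.AppId
            Scope = $_.Scope
        }
    } | Format-Table -AutoSize

# 5. SharePoint and OneDrive file activity by this user over the review window.
$end = Get-Date
Search-UnifiedAuditLog -StartDate $end.AddDays(-$Days) -EndDate $end `
        -UserIds $Upn -RecordType SharePointFileOperation -ResultSize 1000 |
    Select-Object CreationDate, Operations,
        @{ Name = 'Object'; Expression = { ($_.AuditData | ConvertFrom-Json).ObjectId } } |
    Sort-Object CreationDate |
    Format-Table -AutoSize
```

Save the output alongside your screenshots before removing any rule or app, so the evidence is still there for later investigation.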
Informing Others And Getting Help
Finally, and this is really important, you need to tell people who might have received suspicious emails not to click on any links or open any attachments. This needs to happen as soon as possible.
Dealing with a hacked account can be pretty technical. If you’re not comfortable doing this yourself, it’s best to get professional help. There are tools that can help fix these issues, and services that can harden your systems to prevent this from happening again. Some systems can even monitor your users 24/7 and automatically kick out anyone showing suspicious activity. It’s worth getting sorted to avoid repeated incidents that put your business at risk.