It seems like every week I hear about another business dealing with a hacked Microsoft 365 account. Many people assume Microsoft takes care of all of their cybersecurity, but that is not the case: Microsoft secures the platform, and you are responsible for how your tenant, users and mail flow are configured. If your business relies on Microsoft 365 and nobody is keeping an eye on it, check your security setup. A quick way to get a score out of 100 for your domain's email configuration is to visit securemyemails.com. A score below 70 is a good sign that your email setup needs attention; otherwise these compromises tend to keep happening.
But what if the worst has already happened and your account is compromised? Don’t panic. Here are the immediate steps you should take.
Key Takeaways
- Sign the user out of all active sessions.
- Reset the user’s password immediately.
- Check for any new email forwarding rules.
- Review connected OAuth applications.
- Examine activity logs for OneDrive and SharePoint.
- Notify recipients about the suspicious emails.
Taking Action When An Account Is Compromised
First things first, you'll need to get into the admin console. Use a dedicated admin account for this, not the compromised user's account and not an everyday user account that happens to hold admin rights. Once you're in, the very first thing to do is sign the affected user out of every open session. In Entra ID this revokes the user's refresh tokens, so every device and browser session has to authenticate again, which stops any ongoing malicious activity. Be aware that it only buys time: access tokens already issued can keep working until they expire (by default roughly an hour), and an attacker who still knows the password can simply sign back in, so move straight on to the next step.
Next, you absolutely must reset the user's password. Make it strong and unique, not reused anywhere else, and force a change at next sign-in. While you are there, check the user's registered sign-in methods for any phone number or authenticator app you don't recognise, since attackers add their own so they can pass MFA later. After that, dive into the mailbox settings. Look for forwarding in two places: the mailbox-level forwarding address, and inbox rules that forward, redirect or delete messages. Attackers set these up to keep receiving copies of mail after they lose access, or to hide replies from the real user, and they often give the rules blank or innocuous names.
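The containment steps above, as an added PowerShell example (this is not code from the original post). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that you are running it from a separate admin account with the listed Graph scopes, and that `user@example.com` is a placeholder for the affected user:

```powershell
# Added example: contain one compromised Microsoft 365 user.
# Assumes modules Microsoft.Graph and ExchangeOnlineManagement are installed.
# $Upn is a placeholder for the affected user's sign-in name.
$Upn = 'user@example.com'

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User-PasswordProfile.ReadWrite.All'
Connect-ExchangeOnline

# 1. Block sign-in first so the attacker cannot re-authenticate while you work.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# 2. Revoke refresh tokens: every device and browser session is signed out.
#    Already-issued access tokens survive until they expire, so this is done
#    in addition to the password reset, not instead of it.
Revoke-MgUserSignInSession -UserId $Upn

# 3. Reset the password to a random value and force a change at next sign-in.
$Rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$Bytes = [byte[]]::new(18)
$Rng.GetBytes($Bytes)
$NewPassword = [Convert]::ToBase64String($Bytes)   # 24 chars, mixed classes
Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $NewPassword
    ForceChangePasswordNextSignIn = $true
}

# 4. Mailbox-level forwarding (set outside the inbox rules and easy to miss).
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# 5. Inbox rules that forward, redirect, delete or bury mail.
#    MoveToFolder is noisy (legitimate rules file mail too) but attackers
#    commonly move replies into folders like "RSS Feeds" to hide them.
$Suspicious = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MoveToFolder
}
$Suspicious | Format-List Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, Description

# Disable rather than delete so the rule body survives as evidence.
$Suspicious | ForEach-Object {
    Disable-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false
}

# 6. Re-enable sign-in only once the rest of the investigation is complete:
# Update-MgUser -UserId $Upn -AccountEnabled:$true
```

Blocking sign-in before the token revocation closes the window in which the attacker could re-authenticate with the old password; the account is re-enabled at the end, after the new password and MFA methods have been handed to the real user.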
It's also a good idea to take screenshots of anything unusual you see on the device that was compromised, and to keep copies of any suspicious rules or emails before you remove them, because you may need them as evidence later. If you have antivirus or endpoint detection and response (EDR) software, run a full scan. Malwarebytes, for example, can find suspicious software that may have been installed. Bear in mind that many of these compromises start with a phished password or a stolen session cookie rather than malware, so a clean scan does not mean the account is safe.
Checking App Permissions And Activity Logs
Microsoft 365 lets third-party applications access your data through OAuth: a user consents to an app once, and the app then receives its own tokens to read mail or files on that user's behalf. Attackers abuse this by tricking the victim into consenting to a malicious app, or by adding one from inside a hijacked session, which gives them a foothold that does not depend on the password. In the Entra admin centre, go through the enterprise applications and the apps the user has consented to, and check for anything unfamiliar, especially apps asking for mail or file permissions. Revoke access for anything you don't recognise or trust, and consider restricting user consent so that only an admin can approve new apps.
Beyond the inbox itself, look at the user's activity in SharePoint and OneDrive through the unified audit log. Look for file downloads, bulk sync of a whole library, new sharing links, and access from IP addresses or countries that don't fit the user's normal pattern. This tells you what the attacker was after and what may already have left the tenant.
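The two checks in this section, as an added PowerShell example (not code from the original post). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an admin account with the listed scopes, that auditing is enabled in the tenant, and that `user@example.com` is a placeholder; the sign-in log query additionally needs an Entra ID P1 or P2 licence:

```powershell
# Added example: review a user's OAuth consents and their file activity.
# Assumes modules Microsoft.Graph and ExchangeOnlineManagement are installed.
$Upn = 'user@example.com'   # placeholder for the affected user

Connect-MgGraph -Scopes 'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All', 'AuditLog.Read.All'
Connect-ExchangeOnline

$User = Get-MgUser -UserId $Upn

# --- 1. Delegated OAuth grants the user consented to personally ---------------
# (Tenant-wide admin consents have ConsentType 'AllPrincipals' and do not
#  appear per user; review those under Enterprise applications separately.)
$RiskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
               'Files.Read.All', 'Files.ReadWrite.All', 'offline_access'

$Grants = Get-MgUserOauth2PermissionGrant -UserId $User.Id
$Report = foreach ($g in $Grants) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    $scopes = $g.Scope -split ' '
    [pscustomobject]@{
        App       = $sp.DisplayName
        AppId     = $sp.AppId
        Publisher = $sp.VerifiedPublisher.DisplayName   # blank = unverified
        Scopes    = $g.Scope
        Risky     = [bool]($scopes | Where-Object { $_ -in $RiskyScopes })
        GrantId   = $g.Id
    }
}
$Report | Sort-Object Risky -Descending | Format-Table -AutoSize

# Revoke any grant you do not recognise (the grant id comes from the table):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId>'

# --- 2. Recent sign-ins: where did this account log in from? -----------------
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        AppDisplayName,
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |   # 0 = success
    Format-Table -AutoSize

# --- 3. SharePoint / OneDrive file activity from the unified audit log --------
$Since  = (Get-Date).AddDays(-14)
$Events = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) `
    -UserIds $Upn -RecordType SharePointFileOperation -ResultSize 5000

$FileOps = $Events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time = $d.CreationTime
        Op   = $d.Operation
        IP   = $d.ClientIP
        Item = $d.ObjectId
    }
}

# Downloads and full syncs are what exfiltration looks like in this log.
$Exfil = $FileOps | Where-Object { $_.Op -in 'FileDownloaded', 'FileSyncDownloadedFull' }

# Volume per source IP: a new address with hundreds of downloads stands out.
$Exfil | Group-Object IP | Sort-Object Count -Descending |
    Format-Table Count, @{ n = 'IP'; e = { $_.Name } } -AutoSize

# The individual files taken, for scoping what left the tenant.
$Exfil | Sort-Object Time | Format-Table Time, Op, IP, Item -AutoSize
```

`Search-UnifiedAuditLog` returns at most 5000 results per call; for a busy user widen the search with `-SessionCommand ReturnLargeSet` and page through it. Correlating the IP addresses in the file activity with the sign-in log is what separates the attacker's sessions from the real user's.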
Informing Others And Preventing Future Incidents
Finally, and this is really important, you need to let people know that they may have received dodgy emails from the compromised account, both inside and outside the business. Warn them not to click any links or open any attachments in messages sent from it during the compromise. Do this early, not as an afterthought: every hour of delay is another hour in which recipients may act on a convincing phish that arrived from an address they trust.
If all of this sounds a bit too technical or you're worried about getting it wrong, don't hesitate to reach out for help. There are tools that can find and fix these issues, and services that can harden your setup to prevent it happening again. Some businesses experience these compromises repeatedly, putting their entire operation at risk. Having a system that monitors your users around the clock and can immediately disable an account the moment it's compromised makes a huge difference. Getting this sorted is key to keeping your business safe.