It seems like every week, I hear about another business dealing with a hacked Microsoft 365 account. A lot of people think that because they use Microsoft, their cyber security is all sorted. That’s just not the case, unfortunately.
If you’re not working with an IT company that’s actively managing this for you, there’s a quick way to check your setup. Head over to securemyemails.com. It gives you a score out of 100. If your score is below 70, your email configuration definitely needs some attention. If you’re reading this because you’ve already been hacked, don’t panic. Here’s what you need to do right away.
Key Takeaways
- Sign the user out of all active sessions.
- Reset the user’s password immediately.
- Check for any new email forwarding rules.
- Review authorised applications (OAuth).
- Examine activity logs for OneDrive and SharePoint.
- Notify recipients not to click on suspicious emails.
Immediate Steps When An Account Is Compromised
First things first, you’ll need to log into the admin console. Make sure you’re using a separate admin account, not the one that’s been compromised (unless your setup is really not ideal).
Once you’re in, the very first action is to sign the user out of all their active sessions. This stops the attacker from doing anything further from any device they are still logged in on.
Next, reset the user’s password. Make it a strong, unique password. This is a basic but vital step.
Checking For Malicious Activity
After securing the account, you need to look for any signs of tampering. Open up Outlook and check for any new forwarding rules. Hackers often set these up to redirect emails to themselves, so they can keep an eye on things or send out more malicious messages.
If you have access to the compromised device, it’s a good idea to take screenshots of anything unusual you see. Then, run a scan with a tool like Malwarebytes to check for any suspicious software that might have been installed.
Reviewing App Permissions And Logs
It’s also important to check the OAuth apps connected to Microsoft 365. Hackers sometimes add malicious apps to gain persistent access. Go through the list and remove anything that looks suspicious or isn’t recognised.
Don’t forget to review the activity logs for OneDrive and SharePoint. See if there’s any unusual document access or sharing activity. This can give you clues about what the hacker was after.
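The same containment and review steps can be run from PowerShell. This is an added example, not part of the original post: it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that you are signed in with a separate admin account, and the address, Graph scopes and 14-day look-back window are placeholders to adjust for your tenant.

```powershell
# Added example. $upn is a placeholder for the compromised user.
$upn = 'user@example.com'

# Scopes shown are an assumption; your admin role must also permit these actions.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Sign the user out of all active sessions (invalidates refresh tokens).
$user = Get-MgUser -UserId $upn
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Reset the password and force a change at next sign-in.
$secure = Read-Host 'New temporary password' -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $plain
    ForceChangePasswordNextSignIn = $true
}

# 3. Inbox rules that forward, redirect or delete mail, including hidden rules.
Get-InboxRule -Mailbox $upn -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage

# Mailbox-level forwarding is configured separately from inbox rules.
Get-Mailbox -Identity $upn |
    Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. OAuth apps this user has personally consented to, with the scopes granted.
#    Tenant-wide (admin-consented) grants are not listed here.
Get-MgUserOauth2PermissionGrant -UserId $user.Id -All | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ App = $sp.DisplayName; AppId = $sp.AppId; Scopes = $_.Scope }
} | Format-Table -AutoSize

# 5. OneDrive and SharePoint file and sharing activity by this user.
$end = Get-Date
$start = $end.AddDays(-14)   # look-back window is an assumption
foreach ($type in 'SharePointFileOperation', 'SharePointSharingOperation') {
    Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $upn `
        -RecordType $type -ResultSize 1000 |
        Select-Object CreationDate, Operations,
            @{ n = 'Object'; e = { ($_.AuditData | ConvertFrom-Json).ObjectId } }
}
```

Steps 3 to 5 only list what they find; removing a rule or revoking an app grant is left as a deliberate manual action after you have recorded the evidence.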
Informing Others
Finally, and this is really important, you need to tell people who might have received dodgy emails from the compromised account not to click on any links or open any attachments. This needs to be done as soon as possible to prevent further infections.
Getting Help And Preventing Future Attacks
Dealing with a hacked account can be pretty technical. If you’re not comfortable doing this yourself, or if you want to make sure it’s done correctly, it’s best to reach out for help. There are services that can help fix the immediate issue and also put measures in place to stop it from happening again.
Some IT providers offer tools that can monitor your systems 24/7. If an account gets compromised, these systems can often detect it and immediately disable the user’s access, minimising the damage. It’s really worth looking into this, as having the same account hacked repeatedly puts your whole business at risk.
If you need assistance or want to secure your systems better, don’t hesitate to get in touch.