Important: This documentation is provided for information purposes only. Please contact Microsoft support if you have trouble during the process.
Common symptoms of a compromised account:
- Suspicious activity, such as missing or deleted emails.
- The presence of Inbox rules that the intended user or admin didn't create.
- The user's display name might be changed in the Global Address List.
- The user's mailbox is blocked from sending emails.
- Mail forwarding was recently added.
In the event of a compromised account, please check the following:
- Reset the user password
  - In the Admin Center, go to the Users > Active Users page.
  - On the Active Users page, select the user and then select Reset Password.
  - Follow the instructions on the Reset Password page to auto-generate a new password for the user or create one for them, then select Reset.
  - Enter an email address the user can access so they receive the new password, and follow up with them to make sure they got it.
- Enable MFA
  - In the Admin Center, go to Azure Active Directory.
  - On the next page, click on Azure Active Directory > Overview > Properties.
  - At the bottom of the page, click on Manage security defaults.
  - Enable Security Defaults.
- Set up Multi Factor Authentication
- Remove suspicious email forwarding
  - In the Microsoft 365 Admin Center at https://admin.microsoft.com, go to Users > Active Users.
  - On the Active Users page, find the user account in question, and select the user (row) without selecting the checkbox.
  - In the details flyout that appears, select the Mail tab.
  - If the value in the Email forwarding section is Applied, click Manage email forwarding. In the Manage email forwarding flyout that appears, clear the Forward all emails sent to this mailbox option, and then click Save changes.
- Remove suspicious Inbox Rules
  - Sign in to the user's mailbox using Outlook on the web.
  - Click on the gear icon and click Mail.
  - Click Inbox and sweep rules and review the rules.
  - Disable or delete suspicious rules.
- Azure AD Application and Sign-in Activity
  - Sign in to the Azure portal with an account that has one of the required roles.
  - Go to Azure AD and select Audit logs, Sign-in logs, or Provisioning logs.
  - Examine the values in the following columns:
    - Review IP addresses
    - Sign-in locations
    - Sign-in times
    - Sign-in success or failure
- Follow the EOP Best Practices Configuration
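
For the sign-in review step above, the following added example (not part of the original documentation or of Microsoft's tooling) shows how the IP address, location, time and success/failure columns can be combined to flag sign-ins for manual review. The row layout, the baseline of known countries, the working hours and the failure threshold are assumptions; map them to your own exported sign-in logs.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows: (time, user, ip, country, success).
# Times are assumed to be in the user's local time zone.
SIGNINS = [
    ("2024-03-04T08:55:00", "alice@example.com", "198.51.100.10", "FR", True),
    ("2024-03-05T02:10:00", "alice@example.com", "203.0.113.7", "NL", False),
    ("2024-03-05T02:10:20", "alice@example.com", "203.0.113.7", "NL", False),
    ("2024-03-05T02:10:45", "alice@example.com", "203.0.113.7", "NL", False),
    ("2024-03-05T02:11:30", "alice@example.com", "203.0.113.7", "NL", True),
    ("2024-03-05T09:05:00", "bob@example.com", "198.51.100.22", "FR", True),
]
# Assumed baseline: countries each user normally signs in from.
KNOWN_COUNTRIES = {"alice@example.com": {"FR"}, "bob@example.com": {"FR"}}


def triage(signins, known_countries, work_hours=(7, 20), fail_threshold=3):
    """Return (row, reasons) for each successful sign-in worth a manual review."""
    findings = []
    failures = defaultdict(int)  # (user, ip) -> failed attempts seen so far
    for row in sorted(signins):  # ISO 8601 timestamps sort chronologically
        when, user, ip, country, success = row
        if not success:
            failures[(user, ip)] += 1
            continue
        reasons = []
        if country not in known_countries.get(user, set()):
            reasons.append("new-location")
        if not work_hours[0] <= datetime.fromisoformat(when).hour < work_hours[1]:
            reasons.append("off-hours")
        if failures[(user, ip)] >= fail_threshold:
            reasons.append("success-after-failures")
        failures[(user, ip)] = 0  # a success resets the failure streak
        if reasons:
            findings.append((row, reasons))
    return findings


if __name__ == "__main__":
    for row, reasons in triage(SIGNINS, KNOWN_COUNTRIES):
        print(row[0], row[1], row[2], row[3], ", ".join(reasons))
```

A flagged sign-in is only a lead: confirm with the user whether it was theirs before treating it as evidence of compromise.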