
Microsoft 365 Account Compromised? What to Do Immediately


[!CAUTION] Active Security Incident? If you believe your organization is undergoing an active email compromise, ransomware threat, or data exfiltration event, do not delay. Contact the THOR 24/7 Incident Response Hotline immediately at 312.529.0672 for urgent containment assistance.


A business email compromise (BEC) involving a Microsoft 365 (formerly Office 365) account is one of the most common and damaging cyber incidents a business can face. Threat actors do not just read your emails—they actively use your identity to execute fraudulent wire transfers, distribute phishing emails to your customers, hijack ongoing billing conversations, and steal proprietary data.

If you suspect or have confirmed that an employee mailbox is compromised, you must act quickly. This guide provides a step-by-step M365 incident response checklist to contain the threat and secure your system.

Here is exactly what to do when a Microsoft 365 account has been compromised.


1. Force Log Out of All Active Sessions

Changing a password is not enough. An attacker holding a valid session cookie or refresh token stays signed in after a password reset until that token is invalidated, so revoke the user's sessions explicitly. Revocation kills refresh tokens and browser sessions; access tokens issued before the revocation keep working until they expire (about an hour by default) unless the client supports continuous access evaluation, so there is no substitute for doing this quickly. Do steps 1 and 2 back to back: a revoked session is no obstacle to an attacker who can simply sign in again with the unchanged password.

  • For Admins: Log into the Microsoft Entra admin center (formerly the Azure AD portal), open Users, select the compromised user, and click Revoke sessions on the Overview page. Consider also blocking sign-in for the account until the remaining checks in this guide are finished.
  • For Users: Log into myaccount.microsoft.com, open Devices, and choose Sign out everywhere. Treat this as a stopgap; the admin-side revocation is the authoritative one.

2. Reset the Account Credentials

Once active sessions are revoked, change the account password so the attacker cannot start a new one.

  • Force a password change to a strong, unique, randomly generated passphrase of at least 16 characters, deliver it to the user out of band (never to the compromised mailbox), and require a change at next sign-in.
  • Do not reuse passwords across multiple services. If the old password was also used for VPN, on-premises Active Directory, or other SaaS accounts, reset those as well; assume the attacker has tried it everywhere.

3. Verify MFA Enrollment (Look for Backdoors)

Attackers who gain temporary access to a mailbox often register their own Multi-Factor Authentication (MFA) method (an authenticator app, a phone number, a security key, or an alternate email address) as a backup. If you do not audit this, they can simply use that method to satisfy MFA and log back in after your password reset.

  • As an admin, open the user in the Microsoft Entra admin center and review Authentication methods; as the user, open Security info at myaccount.microsoft.com.
  • Review every registered method: authenticator apps, phone numbers, alternate email addresses, FIDO2 security keys, and any Temporary Access Pass.
  • Delete any method the user does not recognize immediately, and check the Entra audit log for “User registered security info” events in the suspected compromise window; they show when, and from which IP, the rogue method was added.
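Steps 1 to 3 above, scripted with the Microsoft Graph PowerShell SDK. This is an added example and not code from the original article or from THOR; it assumes the Microsoft.Graph module is installed, that the operator holds a role permitted to reset passwords, revoke sessions and manage authentication methods (Privileged Authentication Administrator covers all three), and that the account jane.doe@contoso.example is a placeholder for the compromised user.

```powershell
# Placeholder account; replace with the compromised UPN.
$Upn = 'jane.doe@contoso.example'

# Delegated scopes: password reset needs Directory.AccessAsUser.All, session
# revocation User.RevokeSessions.All, method cleanup
# UserAuthenticationMethod.ReadWrite.All.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'User.RevokeSessions.All',
                        'Directory.AccessAsUser.All', 'UserAuthenticationMethod.ReadWrite.All'

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled

# Block new sign-ins first so the attacker cannot re-authenticate while you work.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 2: reset to a random 32-character value. Hand it to the user out of band
# (never via the compromised mailbox) and force a change at next sign-in.
# Password first, then revoke: a revoked session only helps if the attacker
# cannot sign straight back in with the old password.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $newPassword
    ForceChangePasswordNextSignIn = $true
}

# Step 1: invalidate refresh tokens and browser sessions. Access tokens issued
# before this call keep working until they expire (roughly an hour by default)
# unless the client supports continuous access evaluation.
Revoke-MgUserSignInSession -UserId $user.Id

# Step 3: list every registered authentication method. Anything the user does
# not recognise (an extra phone number, a second Authenticator app, an
# alternate e-mail) is a backdoor.
$methods = Get-MgUserAuthenticationMethod -UserId $user.Id
$methods | ForEach-Object {
    $p = $_.AdditionalProperties          # type-specific fields live here
    [pscustomobject]@{
        Id      = $_.Id
        Type    = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
        Detail  = ($p.Keys | Where-Object { $_ -in 'phoneNumber', 'displayName', 'emailAddress', 'deviceTag' } |
                   ForEach-Object { "$_=$($p[$_])" }) -join '; '
        Created = $p['createdDateTime']   # present for Authenticator app registrations
    }
} | Format-Table -AutoSize

# Removal cmdlets are per method type; take the Id from the listing above.
# Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId '<id>'
# Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId '<id>'
# Remove-MgUserAuthenticationEmailMethod -UserId $user.Id -EmailAuthenticationMethodId '<id>'
# Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId '<id>'
# Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId '<id>'

# Re-enable sign-in only after the inbox-rule, forwarding and OAuth checks are done.
# Update-MgUser -UserId $user.Id -AccountEnabled:$true
```

Blocking the account before the reset closes the window in which the attacker could re-authenticate with the old password; leave it disabled until the rest of the checklist is complete, then re-enable it and have the user sign in with the new credential.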

4. Check for Malicious Inbox Rules

This is the most common post-compromise tactic. Attackers almost always configure inbox rules in Microsoft 365 to hide their activity from the victim. They often create rules that automatically:

  • Move emails containing keywords like invoice, wire, payment, audit, bank, password, or hacked to the “Archive”, “Deleted Items”, “RSS Feeds”, or another rarely opened folder.
  • Mark these emails as “Read” or delete them immediately so the user never sees a notification.
  • Forward or redirect all incoming mail to an external mailbox the attacker controls.

How to audit inbox rules:

  1. Log into Outlook Web App (OWA).
  2. Click the gear icon (Settings) in the top right, navigate to Mail, and select Rules.
  3. Review every rule. Look for rules that move mail to Deleted Items, Archive, or RSS Feeds, mark it as read, delete it, or forward or redirect it to an external address. Attackers often give such rules names that are easy to overlook, such as a single character or a blank-looking string.
  4. Check Rules and Alerts inside the desktop Outlook client as well; client-side rules exist only there.
  5. As an admin, also list the mailbox's rules with Exchange Online PowerShell's Get-InboxRule using the IncludeHidden switch: rules created through MAPI can be hidden from both the OWA and Outlook views. Record the rule definitions before disabling anything.

5. Review External Mail Forwarding Settings

In addition to inbox rules, threat actors can set up mailbox-level forwarding to copy every incoming email to an external account.

  • In OWA, go to Settings > Mail > Forwarding. This page shows only the SMTP forwarding address set on the mailbox itself; forwarding configured at the admin level (Exchange admin center > Mailboxes > Mail flow settings) does not appear here, so check both.
  • Verify that forwarding is disabled, or that the listed destination address is valid and authorized. As a tenant-wide hardening step, set the outbound spam filter policy's automatic forwarding option to Off so no mailbox can auto-forward externally.
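Steps 4 and 5, done from Exchange Online PowerShell so that hidden rules and admin-level forwarding are both covered. This is an added example, not code from the original article or from THOR; it assumes the ExchangeOnlineManagement module, an Exchange Administrator (or Security Administrator) role, and that jane.doe@contoso.example and contoso.example are placeholders for the compromised mailbox and your own accepted domains.

```powershell
# Placeholders: the compromised mailbox and the organisation's own domains.
$Mailbox         = 'jane.doe@contoso.example'
$InternalDomains = @('contoso.example')

Connect-ExchangeOnline

# --- Step 4: inbox rules -----------------------------------------------------
# -IncludeHidden also returns rules created through MAPI that OWA/Outlook hide.
$rules = Get-InboxRule -Mailbox $Mailbox -IncludeHidden

# Preserve the full definitions BEFORE changing anything.
$rules | Export-Clixml -Path ".\inboxrules-$($Mailbox -replace '[@.]', '_').xml"

$domainPattern = ($InternalDomains | ForEach-Object { [regex]::Escape($_) }) -join '|'
$keywords      = 'invoice|wire|payment|audit|bank|password|hack'

$suspicious = $rules | Where-Object {
    # Forward/redirect targets render as "Display Name [SMTP:address]".
    $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
    ($targets | Where-Object { $_ -and $_ -notmatch $domainPattern }) -or
    # Actions that hide mail from the victim.
    $_.DeleteMessage -or
    ($_.MoveToFolder -match 'Deleted Items|Archive|RSS|Conversation History|Junk') -or
    # Keyword filters typical of invoice fraud.
    ((@($_.SubjectContainsWords) + @($_.BodyContainsWords) + @($_.SubjectOrBodyContainsWords)) -match $keywords)
}
$suspicious | Select-Object Name, Enabled, Priority, Description | Format-List

# Disable rather than delete so the investigation keeps the evidence.
$suspicious | ForEach-Object {
    Disable-InboxRule -Identity $_.Identity -Mailbox $Mailbox -Confirm:$false
}

# --- Step 5: mailbox-level forwarding ---------------------------------------
# ForwardingSmtpAddress is what OWA's Forwarding page sets; ForwardingAddress
# is admin-set and only visible here or in the Exchange admin center.
$mbx = Get-Mailbox -Identity $Mailbox
$mbx | Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null `
        -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

# Sweep the whole tenant: one compromised mailbox is often used to attack others.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress

# Hardening: stop automatic external forwarding tenant-wide.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

The Export-Clixml step matters more than it looks: Disable-InboxRule and Remove-InboxRule can rewrite the mailbox's rules blob, and once a rule is gone its forwarding target, the clearest indicator of where mail went, is gone with it.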

6. Audit OAuth App Consents (API Backdoors)

Modern threat actors increasingly use malicious OAuth applications rather than passwords. By tricking a user into clicking a link that grants “permissions” to a third-party app, the attacker obtains tokens that let the app read emails, files, and directory data on the user's behalf, without the user's password or an MFA prompt. The consent grant is stored against the user and survives a password reset, so it must be found and revoked on its own.

  • Navigate to the Microsoft Entra admin center > Enterprise applications, sort by creation date, and open each unrecognized or recently added application.
  • On the application's Permissions page, review both the Admin consent and User consent tabs; mail, files, and offline_access scopes granted to an app from an unverified publisher are the red flags.
  • Revoke the permissions for any application that appears suspicious or unauthorized, then revoke the user's sessions again so tokens the app already holds stop refreshing. To prevent a repeat, restrict user consent (Enterprise applications > Consent and permissions) to verified publishers and low-impact permissions.
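Step 6 from the Microsoft Graph PowerShell SDK: list the delegated grants a user has consented to, resolve the application behind each one, and triage by publisher and scope. This is an added example, not code from the original article or from THOR; it assumes the Microsoft.Graph module and a role that can read and delete delegated permission grants, and jane.doe@contoso.example is a placeholder. The triage heuristic (third-party, unverified publisher, mail or file scopes) is my rule of thumb, not a Microsoft definition of malicious.

```powershell
# Placeholder account; replace with the compromised UPN.
$Upn = 'jane.doe@contoso.example'
# Well-known tenant ID that owns Microsoft first-party apps; used to skip them.
$MicrosoftTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

Connect-MgGraph -Scopes 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
$user = Get-MgUser -UserId $Upn

# Delegated grants the user consented to (ConsentType = Principal). Grants an
# admin consented for every user (AllPrincipals) are not returned here.
$grants = Get-MgUserOauth2PermissionGrant -UserId $user.Id -All

$report = foreach ($g in $grants) {
    $client   = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId   # the app
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId # the API (e.g. Microsoft Graph)
    [pscustomobject]@{
        GrantId     = $g.Id
        App         = $client.DisplayName
        AppId       = $client.AppId
        Publisher   = $client.PublisherName
        Verified    = [bool]$client.VerifiedPublisher.DisplayName
        FirstParty  = ($client.AppOwnerOrganizationId -eq $MicrosoftTenant)
        Resource    = $resource.DisplayName
        Scope       = "$($g.Scope)".Trim()
        ConsentType = $g.ConsentType
    }
}
$report | Format-Table -AutoSize

# Triage rule: third-party app, no verified publisher, and scopes that reach
# mail or files. offline_access matters because it yields a refresh token.
$risky = $report | Where-Object {
    -not $_.FirstParty -and -not $_.Verified -and
    $_.Scope -match 'Mail\.|MailboxSettings\.|Files\.|Sites\.|offline_access'
}
$risky | Format-List

# Revoke a grant once it is confirmed unauthorized (GrantId from the report).
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<grant id>'
# Removing the grant does not kill tokens the app already holds; revoke the
# user's sessions afterwards as in step 1 (Revoke-MgUserSignInSession).
```

Run the same report across the tenant (Get-MgOauth2PermissionGrant -All, grouped by ClientId) after handling the one user: an attacker who phished one person with a consent link usually sent the same link to others.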

The Microsoft 365 Incident Response Checklist

Action Item                      Responsible Party       Why it Matters
Revoke Active Sessions           Admin / User            Kicks the attacker out of their active browser sessions immediately.
Password Reset                   Admin                   Prevents the attacker from starting new sessions with the old password.
MFA Audit                        Admin / User            Removes rogue authenticator apps and phone numbers registered by the attacker.
Inbox Rules & Forwarding Audit   User / Security Lead    Disables rules and forwarding designed to hide invoice fraud or copy mail externally.
OAuth Consent Audit              Admin                   Removes API-based backdoors that survive password resets.
Log Review & Forensics           Forensic Specialist     Traces what data was read, which emails were sent, and supports compliance obligations.

When to Bring in Professional Incident Response

Containment is only the first phase of responding to a compromised Microsoft 365 account. Once the account is locked down, you must determine the full scope of the breach:

  • Data Exfiltration: Did the attacker download attachments, export mailbox archives (PST files), or read sensitive customer PII/PHI?
  • Legal Obligations: If sensitive customer data or health records were exposed, you may have legal breach notification deadlines.
  • Regulatory Compliance: Does your industry (e.g., healthcare under HIPAA, financial under FTC Safeguards) mandate forensic investigation?
  • Insurance Coordination: If you plan to file a cyber insurance claim, carriers commonly require an independent forensic report before approving payouts.

The unified audit log (UAL) is read-only, so searching it does not destroy evidence. What does destroy evidence is remediating before recording: deleting a malicious rule without saving its definition, purging messages, or re-imaging a device before its state is captured. The UAL also has limited retention (months, depending on licensing), so export the relevant records early. A professional incident response partner preserves the chain of custody and traces the attacker’s exact movements.
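A first pass at the log review row of the checklist: page the unified audit log for one user, export the raw records before any triage, then pull out the operations that matter in a BEC case. This is an added example, not code from the original article or from THOR; it assumes the ExchangeOnlineManagement module and an Exchange Online role that includes View-Only Audit Logs, and the UPN, date range and output path are placeholders. MailItemsAccessed and Send records exist only with Audit (Premium) licensing.

```powershell
# Placeholders: user, window and evidence file.
$Upn   = 'jane.doe@contoso.example'
$Start = (Get-Date).AddDays(-90)
$End   = Get-Date
$Out   = ".\ual-$(Get-Date -Format yyyyMMdd).csv"

Connect-ExchangeOnline

# Page with a session so results are not silently cut at the 5,000-row limit.
$sessionId = "ir-$Upn-$(Get-Date -Format yyyyMMddHHmmss)"
$all = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Upn `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $all += $page
} while ($page)

# Evidence first: write every raw record, untouched, to disk.
$all | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
    Export-Csv -Path $Out -NoTypeInformation

# Operations that matter most in a business email compromise.
$ops = 'UserLoggedIn', 'UserLoginFailed',
       'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules',
       'Set-Mailbox', 'Add-MailboxPermission',
       'Consent to application.', 'User registered security info',
       'MailItemsAccessed', 'Send', 'SendAs', 'SendOnBehalf'

$all | Where-Object { $_.Operations -in $ops } | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $_.CreationDate
        Operation  = $_.Operations
        ClientIP   = $d.ClientIP
        # Exchange admin records carry the cmdlet parameters (e.g. ForwardTo, ForwardingSmtpAddress).
        Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
} | Sort-Object Time | Format-Table -AutoSize

# Source IPs by frequency, for geolocation / hosting-provider lookups.
$all | ForEach-Object { ($_.AuditData | ConvertFrom-Json).ClientIP } |
    Where-Object { $_ } | Group-Object | Sort-Object Count -Descending |
    Select-Object Name, Count
```

The timeline this produces answers the first questions an investigator asks: when the attacker first signed in and from where, when the rule or forwarding was created, and whether mail was read or sent. Hand the exported CSV, not a summary, to whoever does the formal forensic work.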


Secure Your Tenant with THOR

If your organization has suffered an email compromise, the THOR Incident Response team can assist you with immediate containment, log forensic analysis, data exposure reviews, and Microsoft 365 tenant hardening.

Need immediate assistance responding to a compromised account? Call THOR Incident Response now to secure your environment and investigate the breach.

Need assistance implementing these controls?

Our fractional CISOs and security consultants are ready to help secure your organization.