All access within Office 365, whether to a mailbox, OneDrive, SharePoint or Teams, is controlled by the user's UPN (User Principal Name) and password. The password can be set at the cloud level in Azure Active Directory or, if the tenant is in a hybrid scenario, it may come from an internal Active Directory Domain Controller. If those two pieces of information are compromised, an attacker can do irreparable harm, not only to the user's account but, depending on the account's permissions, to the organization as well.

What to Do When an Office 365 Account is Compromised

A common attack we have seen is bulk email sent to both internal and external users from the compromised account. This is known as data exfiltration. Another is to set a store-and-forward policy on the compromised mailbox so that all of its email is sent to an outside party.

So how can you tell if an Office 365 account has been compromised?

Microsoft has listed the following symptoms that indicate a compromised account:

  • Suspicious activity, such as missing or deleted emails.
  • Other users might receive emails from the compromised account without the corresponding email existing in the Sent Items folder of the sender.
  • The presence of inbox rules that weren’t created by the intended user or the administrator. These rules may automatically forward emails to unknown addresses or move them to the Notes, Junk Email, or RSS Subscriptions folders.
  • The user’s display name might be changed in the Global Address List.
  • The user’s mailbox is blocked from sending email.
  • The Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web (formerly known as Outlook Web App) contain common hacked-account messages, such as “I’m stuck in London, send money.”
  • Unusual profile changes, such as the name, the telephone number, or the postal code were updated.
  • Unusual credential changes, such as multiple password changes are required.
  • Mail forwarding was recently added.
  • An unusual signature was recently added, such as a fake banking signature or a prescription drug signature.

If any of these symptoms are found, perform the following actions:

Reset the User’s Password

  • Have a Global Administrator log into the Microsoft 365 Admin Center and reset the user’s password.
  • Confirm that Strong Passwords are required on the user account.
  • Have the user create a new and unique password not used before.

Remove Email Forwards

  • Have a Global Administrator log into the Exchange Online Admin Center.
  • Go to Recipients > Mailboxes.
  • Locate the user in question and double-click their account.
  • Click Mailbox Features.
  • Scroll down to Mail Flow and click View Details under Delivery Options.
  • Remove the forward and click OK.

If you would like to remove the forward via PowerShell, it can be done using the following command (the mailbox identity is left blank here; supply the user's UPN). Clearing both ForwardingSMTPAddress and ForwardingAddress covers forwarding to an external address as well as to an internal recipient or contact:

  • Set-Mailbox -Identity "" -ForwardingSMTPAddress $null -ForwardingAddress $null

Remove Suspicious Inbox Rules

  • Have the user or a global administrator with full permissions to the mailbox log into Outlook Web Mail.
  • Click the gear icon on the top right and click View All Outlook Settings.
  • Click Mail on the left-hand pane.
  • Click Rules and review the rules that are currently set.
  • If any rules appear suspicious, click the trashcan button to delete.

If you would like to list or remove all inbox rules on a user account via PowerShell, it can be done using the following commands (the mailbox identity is left blank here; supply the user's UPN):

Discover Inbox Rules:

  • Get-InboxRule -Mailbox ""

Remove All Inbox Rules:

  • Get-InboxRule -Mailbox "" | Remove-InboxRule
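The two remediation steps above (mailbox forwarding and inbox rules) are usually worked together, and the rules worth removing are the ones that forward, redirect, delete or hide mail rather than every rule the user ever made. The script below is an added example, not from the original article: it reports those settings for one mailbox and clears them only when run with -Remediate. It assumes an Exchange Online PowerShell session is already open and that the UPN is a placeholder you replace.

```powershell
# Added example (not from the original article): triage one mailbox for
# forwarding settings and suspicious inbox rules, then clear them on request.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) and
# that $Upn holds the compromised user's UPN (placeholder value below).
param(
    [string]$Upn = "<user@contoso.com>",   # placeholder, replace before running
    [switch]$Remediate                     # report only unless -Remediate is given
)

# 1. Mailbox-level forwarding: SMTP forwarding, forwarding to an internal
#    recipient/contact, and the "keep a copy in the mailbox" flag.
$mbx = Get-Mailbox -Identity $Upn
$mbx | Select-Object UserPrincipalName, ForwardingSMTPAddress,
    ForwardingAddress, DeliverToMailboxAndForward | Format-List

if ($Remediate -and ($mbx.ForwardingSMTPAddress -or $mbx.ForwardingAddress)) {
    Set-Mailbox -Identity $Upn -ForwardingSMTPAddress $null `
        -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

# 2. Inbox rules that forward, redirect, delete or bury mail in folders the
#    user never looks at are the usual persistence left behind after a compromise.
$rules = Get-InboxRule -Mailbox $Upn
$suspicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Junk|Notes|Deleted')
}
"Rules on mailbox: $($rules.Count); flagged as suspicious: $($suspicious.Count)"
$suspicious | Select-Object Name, Enabled, ForwardTo, RedirectTo,
    DeleteMessage, MoveToFolder | Format-Table -AutoSize -Wrap

if ($Remediate) {
    # Remove only the flagged rules; -Confirm:$false skips the per-rule prompt.
    $suspicious | Remove-InboxRule -Confirm:$false
}
```

Run it once without -Remediate to capture the evidence (the flagged rules and forwarding targets) before clearing anything.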

Unblock User Account

If the compromised account was used to send bulk mail to either internal or external recipients, it is very likely that Microsoft recognized this behavior and blocked the account from being able to send outbound mail. After following the steps we highlighted above, please perform the following:

  • Have a Global Administrator log into the Exchange Online Admin Center.
  • Click Protection on the left-hand pane.
  • Click Action Center.
  • If the user's account was blocked, it will be listed on this page. Click the user's account.
  • Click the Unblock button.

This change can take at least an hour to replicate. If the user is unable to send email immediately, this is normal behavior. Microsoft is also moving this function to the Security & Compliance Center under the Restricted Users page, so the action can be performed there as well.

Enable Multi-Factor Authentication

Multi-factor Authentication allows for additional security to log into an Office 365 account. A second layer of authentication would be required of the user to sign into any of the Office 365 services available to them. This can be done via an authentication app on their mobile device, text messaging, phone call or an email to a personal account. Here is a Microsoft article that goes into this in detail:

Set up multi-factor authentication

Enable Mailbox Auditing

In January 2019, Microsoft announced that all mailboxes within its Office 365 service would have mailbox auditing turned on by default; until then it was disabled on newly created mailboxes. As of publishing this article, Microsoft has not confirmed that this has been rolled out to all Office 365 tenants and mailboxes. Mailbox auditing can be enabled with the following PowerShell commands:

To Enable for All Users

  • Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true

To Enable for a Single User (the mailbox identity is left blank here; supply the user's UPN)

  • Set-Mailbox -Identity "" -AuditEnabled $true
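Enabling auditing is only useful if someone then reads the log. The script below is an added example, not from the original article: it first finds user mailboxes that still have auditing off and enables them, then pulls the audit events that matter most after a compromise for one user (inbox rule changes, mailbox setting changes, permission grants and sign-ins) over the last 30 days. It assumes an Exchange Online PowerShell session and a placeholder UPN you replace.

```powershell
# Added example (not from the original article): confirm mailbox auditing is
# on for every user mailbox, then review the unified audit log for the
# operations typically seen after an account compromise.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline).
$Upn = "<user@contoso.com>"   # placeholder, replace before running

# 1. Find user mailboxes with auditing still disabled and enable them.
$notAudited = Get-Mailbox -ResultSize Unlimited `
    -Filter { RecipientTypeDetails -eq "UserMailbox" } |
    Where-Object { -not $_.AuditEnabled }
"Mailboxes without auditing: $($notAudited.Count)"
$notAudited | Set-Mailbox -AuditEnabled $true

# 2. Operations an attacker typically performs to keep access or exfiltrate
#    mail, plus sign-ins so the rule changes can be tied to a source IP.
$ops = @("New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
         "Set-Mailbox", "Add-MailboxPermission", "UserLoggedIn")

$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) `
    -EndDate (Get-Date) -UserIds $Upn -Operations $ops -ResultSize 5000

$events | ForEach-Object {
    # AuditData is a JSON document; Parameters (when present) is an array of
    # {Name, Value} pairs describing what the cmdlet changed.
    $d = $_.AuditData | ConvertFrom-Json
    $params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
    [pscustomobject]@{
        When      = $_.CreationDate
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        Details   = $params
    }
} | Sort-Object When | Format-Table -AutoSize -Wrap
```

Sign-ins from an IP that also appears on a New-InboxRule or Set-Mailbox event are the entries to examine first.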

Office 365 Advanced Threat Protection

One of the most common ways an account becomes compromised is through malicious emails. Microsoft offers a service called Advanced Threat Protection which helps protect against such attacks by scanning all attachments and URL links embedded in the email. Here is a Microsoft article discussing this service in more detail:

Office 365 Advanced Threat Protection

For more information:

Contact MessageOps today to learn more about Office 365 security for your business at 877-788-1617 or email