Nowadays, one of the most common security support requests from our customers, and an increasing one, is for assistance with remediating an account compromise. The most common scenario is that a member of their organization became the victim of a phishing scam and the attacker obtained the password for their account.
If your Office 365 subscription has been compromised, your accounts may be blocked to defend you and your contacts. Take into account that hackers may have added back-door entries to your account, which allow the attacker to regain control of it even after you have recovered it. To protect the account, you must complete the following instructions.
These steps allow you to get rid of any back-door entries added to your account:
First of all, block user sign-in
- Go to Office365 Admin Center – https://admin.microsoft.com/
- Expand “Users” and press “Active users”
- Select the user you need and block sign-in
- Confirm blocking
- Press “Save Changes”
Check O365 environment
- Check user sign-in log. Go to https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers
- Press on the user name and select “Sign-ins”
- Here you can find the recent sign-in information, with IP addresses and locations.
EXO Message Flow
- Check the message flow to identify suspicious emails that might have been sent on behalf of the user. Go to Exchange Online Admin Panel – https://outlook.office365.com/ecp
- Click “Message flow”, then select “Message Trace” tab.
- Select the user by pressing “add sender”, then press “search”
- Check all outgoing messages for suspicious emails.
- Also check the “rules” and “connectors” tabs for any entries that do not belong
Check Physical Devices
- Check all of the user’s workstations, laptops and mobile devices.
- Install AV software, for example https://malwarebytes.com/ or any other product
- Run a full scan and check the results.
- Install all Windows updates.
Determine the source
- Ask the user about any recently lost devices.
- Ask the user about any suspicious situations and actions, such as downloading and opening strange attachments, installing software, websites visited, and so on
- Ask the user about any public Wi-Fi networks they used.
Eliminate the source of infection, if found
Reset user password and unlock account
- Press the key icon, reset the user’s password, then unlock the user account.
- We also strongly recommend setting up MFA authentication for all users; you can use the Microsoft instructions at https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
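The portal steps above (block sign-in, check forwarding, inbox rules, mail flow rules and connectors, trace outbound mail) as a single PowerShell triage script. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, the operator has admin rights, and the user name in $Upn is a placeholder.

```powershell
# Added example (not from the original post): triage one compromised Office 365 user.
# Assumes ExchangeOnlineManagement and Microsoft.Graph modules and an admin account.
param(
    [string]$Upn = 'victim.user@example.com'   # placeholder, replace with the real account
)

Connect-MgGraph -Scopes 'User.ReadWrite.All' | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# 1. Block sign-in and revoke refresh tokens so already-open sessions die as well.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Mailbox-level forwarding is a common back-door entry; report it.
Get-Mailbox -Identity $Upn |
    Select-Object DisplayName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward, redirect or delete mail are the other usual back-door.
$rules = Get-InboxRule -Mailbox $Upn
$suspicious = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
$suspicious | Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage

# 4. Outbound message trace for the last 7 days (message trace keeps only about 10 days).
$end   = Get-Date
$start = $end.AddDays(-7)
Get-MessageTrace -SenderAddress $Upn -StartDate $start -EndDate $end -PageSize 1000 |
    Sort-Object Received |
    Select-Object Received, RecipientAddress, Subject, Status |
    Format-Table -AutoSize

# 5. Tenant-wide mail flow rules and connectors (the "rules" and "connectors" tabs),
#    which an attacker holding admin rights may have changed; review recent WhenChanged values.
Get-TransportRule     | Select-Object Name, State, WhenChanged
Get-InboundConnector  | Select-Object Name, Enabled, WhenChanged
Get-OutboundConnector | Select-Object Name, Enabled, WhenChanged

# After review: remove the confirmed malicious rules, then re-enable the account only
# once the password has been reset and MFA is enforced, for example:
#   $suspicious | Remove-InboxRule -Confirm:$false
#   Update-MgUser -UserId $Upn -AccountEnabled:$true
```

Run the reporting steps first and keep the output with the incident record before removing anything; the sign-in log from the Azure portal step above complements the message trace.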
I know that you have probably already gotten past this situation, but maybe it will help other people to take immediate action to recover from an Office 365 compromise.