What to do in the event of Microsoft 365 account compromise | Traficom

What to do in the event of Microsoft 365 account compromise

These instructions detail how you can regain control of your account and warn others. We also explain how to isolate your account, determine what the attacker has done and what you can do to prevent account compromise.

The measures listed in this section are intended for all users. Be sure to also report the incident to your organisation’s IT department so that they can continue investigating the matter according to instructions.

Isolating your account

Mapping the attacker’s actions

  • Step 1

    Check whether the attacker has set up any email processing or forwarding rules.

    The attacker may have set up rules to forward all of your messages to their email address or to move certain messages to specific folders.

  • Step 2

    Check the logs to see what the attacker has done

    Check your logs to determine whether the attacker managed to sign in to your Microsoft 365 account. The logs will show you the IP address and location that the account was signed in from and which applications the attacker attempted to use.

  • Step 3

    Check the audit log to see what documents and applications the attacker accessed

    The audit log can show you which documents the attacker opened, edited or copied and what services they used, for example.

    An M365 admin can search the audit log based on user or time, for example. 

  • Step 4

    Check other accounts in the domain

    If the compromised account was a Microsoft 365 admin account or the attacker managed to grant admin-level rights to the account, check whether any new accounts were created in the domain or whether any new applications were installed.

    If the compromised account was an admin account, the incident must be taken very seriously, as the account has access to everything under the organisation’s Microsoft 365 subscription.

  • Step 5

    Check whether the account was used to send out any malicious email messages

    You can check the Exchange Online message trace to see whether the attacker sent out any malicious email messages. The report can be downloaded in Excel format, for example, allowing you to easily search for email addresses.

    If the compromised account was used to send out malicious email messages, it is important to inform the recipients about this as soon as possible. An example of a warning message that you can use to inform recipients is provided below.

    Warning message example

    Hi!

    According to our records, you recently received a message from _____ with the subject line _____.

    The message in question is a phishing message sent from a compromised email account.

    If you clicked the link included in the message and entered your username and password on the website that it opened, please contact your company’s IT department and tell them what happened. If your company does not have an IT department, follow these instructions:

    1. Change your password immediately. After changing your password, you should sign out of all current sessions on all devices, as the criminal may have already used your account to sign in to other services. Instructions on how to do this on Microsoft 365 are provided here. Forcing all sessions to sign in using the new password prevents the criminal from signing in to any services using your account.
    2. Check whether the criminal has set up any email forwarding or other rules on your email account.
    3. Determine the scope of the attack in terms of personal data: how much personal data was leaked and how sensitive it is.
    4. Warn any organisations and persons who were sent phishing messages from your account.
    5. Submit a report of a data breach to the
       • NCSC-FI
       • Police
       • Office of the Data Protection Ombudsman

    Best regards,

  • Step 6

    Submit a report of a data breach to the

    • NCSC-FI
      Submit a report of the incident to the NCSC-FI as soon as possible so that we can help prevent further damage. You can submit a report even if you do not have all the relevant information. Please attach the phishing message that you received to the report. The NCSC-FI will investigate the link included in the message and submit a request to have the website taken down in order to reduce the number of future victims.
    • Police
    • Office of the Data Protection Ombudsman (page in Finnish)
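The following PowerShell script is an added example, not part of the Traficom page, showing how an M365 admin can work through Steps 1 to 5 above for one compromised account with the ExchangeOnlineManagement module. It assumes that module is installed, that the admin has Exchange and audit-log read rights, and that `$Upn` and `$Since` are placeholders to replace with the real account and incident time.

```powershell
# Added example (not from the Traficom page): triage of one compromised M365 account.
# Assumptions: ExchangeOnlineManagement module installed, admin rights, placeholder values below.
param(
    [string]$Upn      = 'user@example.com',          # placeholder: the compromised account
    [datetime]$Since  = (Get-Date).AddDays(-10),      # Get-MessageTrace only covers the last 10 days
    [string]$OutDir   = "$HOME\m365-triage"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# Step 1: inbox rules that forward, redirect, delete or hide mail are the usual
# persistence mechanism after a phishing compromise; -IncludeHidden catches rules
# created through APIs that do not show up in Outlook.
$rules = Get-InboxRule -Mailbox $Upn -IncludeHidden
$rules | Select-Object Name, Enabled, Priority, ForwardTo, ForwardAsAttachmentTo,
    RedirectTo, DeleteMessage, MoveToFolder, Description |
    Export-Csv "$OutDir\inbox-rules.csv" -NoTypeInformation
$suspicious = @($rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage })
Write-Host "Inbox rules: $($rules.Count) total, $($suspicious.Count) forward/redirect/delete"

# Mailbox-level forwarding is configured outside inbox rules and is easy to overlook.
Get-Mailbox -Identity $Upn |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-List

# Steps 2 and 3: the unified audit log records sign-ins, file access and rule creation
# for the user; each record carries a JSON AuditData blob with the client IP and operation.
$events = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) -UserIds $Upn -ResultSize 5000
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{ Time = $_.CreationDate; Workload = $_.RecordType
                       Operation = $d.Operation; ClientIP = $d.ClientIP; Object = $d.ObjectId }
} | Sort-Object Time | Export-Csv "$OutDir\audit-log.csv" -NoTypeInformation

# Step 4: accounts created in the tenant since the incident started (new Entra app
# registrations need the Microsoft Graph module and are not covered here).
Get-User -ResultSize Unlimited | Where-Object { $_.WhenCreated -ge $Since } |
    Select-Object Name, UserPrincipalName, WhenCreated |
    Export-Csv "$OutDir\new-users.csv" -NoTypeInformation

# Step 5: message trace lists what the account sent, so phishing recipients can be warned.
Get-MessageTrace -SenderAddress $Upn -StartDate $Since -EndDate (Get-Date) -PageSize 5000 |
    Select-Object Received, RecipientAddress, Subject, Status |
    Export-Csv "$OutDir\sent-messages.csv" -NoTypeInformation
Write-Host "Results written to $OutDir"
```

Review the CSV files in Excel, as Step 5 suggests, and keep them as evidence for the report to the NCSC-FI.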

Preventive measures

Multi-factor authentication means that your identity is confirmed using two or more authentication methods, or factors. Enabling multi-factor authentication can help prevent Microsoft 365 account compromise. With multi-factor authentication, even if a criminal were to get a hold of your username and password, they cannot log in to your account without the additional authentication factor. Enabling multi-factor authentication is recommended for all user accounts.

  • The emergency access admin account is only for emergencies. It should not be used for normal admin or work tasks.
  • The account should only be used in situations where you cannot sign in to Microsoft 365 on any other account.
  • The account should have a complex and long password and its use should be carefully monitored.
  • When the account is used to sign in to the organisation’s Microsoft 365 service, the admin is immediately notified of the sign-in.
  • Instructions for creating an emergency access admin account

The Unified Audit Log can be used to trace the time and scope of a data breach and perhaps even how it occurred. The log data can also help with other troubleshooting and problem-solving.

Check whether you have Alert Policies enabled. These policies help you to track user and admin activities and alert you in case of threats or data loss incidents.

Compromised Microsoft 365 accounts are often used to send out phishing messages using bulk email software. Because of this, you should update your Microsoft 365 subscription settings so that user accounts need to obtain consent from an M365 admin to install applications instead of being able to install applications directly. This will prevent criminals from installing bulk email software on compromised accounts.

  • Microsoft: User and admin consent in Microsoft Entra ID
  • How to block user consent to apps

If the following functionalities are available in your subscription, you can enable them by following the instructions provided below.

By default, users are required to sign in every 90 days. However, you can improve security by requiring users to sign in to browser applications once a day, for example. This policy can be configured at least for the following applications: SharePoint, OneDrive for Business, Exchange Online and all Microsoft cloud applications.

  • Microsoft’s instructions: Configure authentication session management with Conditional Access
  • How to Enable Organization Customization in Office 365

When user risk is detected, administrators can employ the user risk policy conditions to have the user securely change a password by using the Microsoft Entra self-service password reset.

  • Microsoft: Require password change
  • Microsoft: Common Conditional Access policy: User risk-based password change

Companies can use Intune/MDM or other device management solutions to restrict sign-in rights to Microsoft 365 to devices marked as compliant.

  • Microsoft: Require device to be marked as compliant
  • Microsoft: Common Conditional Access policy: Require approved client apps or app protection policy

A Token Protection Conditional Access policy can be used to ensure that a user account is only used on the device that the user originally used to sign in. Through AiTM (adversary-in-the-middle) phishing, an attacker can obtain a working session token and replay it to sign in to Microsoft 365 services as the user. A Token Protection policy binds the token to the original device, so the replayed token does not let the attacker sign in to Microsoft 365 services.

  • Token protection