What to do in the event of Microsoft 365 account compromise

These instructions detail how you can regain control of your account and warn others. We also explain how to isolate your account, determine what the attacker has done and what you can do to prevent account compromise.

The measures listed in this section are intended for all users. Be sure to also report the incident to your organisation’s IT department so that they can continue investigating the matter according to instructions.

Isolating your account

2. Check active sessions

Once you have changed your password, check the currently active sessions on all devices to determine where the account has been signed in from. Remember to sign out of all sessions to activate your new password and ensure that your old password can no longer be used.

Select “My profile” under your name and then select “Sign out everywhere”.

Mapping the attacker’s actions

1. Check whether the attacker has set up any email processing or forwarding rules

The attacker may have set up rules to forward all of your messages to their email address or to move certain messages to specific folders.

2. Check the logs to see what the attacker has done

Check your logs to determine whether the attacker managed to sign in to your Microsoft 365 account. The logs will show you the IP address and location that the account was signed in from and which applications the attacker attempted to use.

3. Check the audit log to see what documents and applications the attacker accessed

The audit log can show you which documents the attacker opened, edited or copied and what services they used, for example.

An M365 admin can search the audit log based on user or time, for example.

4. Check other accounts in the domain

If the compromised account was a Microsoft 365 admin account or the attacker managed to grant admin-level rights to the account, check whether any new accounts were created in the domain or whether any new applications were installed.

If the compromised account was an admin account, the incident must be taken very seriously, as the account has access to everything under the organisation’s Microsoft 365 subscription.

5. Check whether the account was used to send out any malicious email messages

You can check the Exchange Online service to see whether the attacker sent out any malicious email messages. The report can be downloaded in Excel format, for example, allowing you to easily search for email addresses.
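One way to run the checks in steps 1 to 5 from PowerShell, added here as an example (this is not the NCSC-FI page's own procedure); it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that you hold the required admin roles, and uses user@example.com as a placeholder for the compromised account:

```powershell
# Added example, not from the NCSC-FI page: first-pass triage of one compromised mailbox
# covering the checks in steps 1 to 5 above. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph PowerShell modules are installed and that you hold the required admin
# roles. user@example.com is a placeholder for the compromised account.
$User  = 'user@example.com'
$Now   = Get-Date
$Since = $Now.AddDays(-10)   # Get-MessageTrace only covers the last 10 days; widen the
                             # audit-log window if the first suspicious sign-in is older

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'Directory.Read.All'

# Isolate: invalidate refresh tokens so every existing session must sign in again
Revoke-MgUserSignInSession -UserId $User | Out-Null

# Step 1: inbox rules that forward, redirect, move or silently delete mail
Get-InboxRule -Mailbox $User |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
                   $_.DeleteMessage -or $_.MoveToFolder } |
    Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize
# ... and mailbox-level forwarding, which does not show up as an inbox rule
Get-Mailbox -Identity $User |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Step 2: sign-ins with source IP, location, application and result (ErrorCode 0 = success)
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$User'" -Top 200 |
    Select-Object CreatedDateTime, IpAddress, AppDisplayName,
        @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } },
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize

# Step 3: unified audit log for the account, summarised by operation (files, mail, admin changes)
$Audit = Search-UnifiedAuditLog -StartDate $Since -EndDate $Now -UserIds $User -ResultSize 5000
$Audit | Group-Object Operations | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Step 4: did this account create users or add/consent to applications? (tenant-wide impact)
$Audit | Where-Object { $_.Operations -in @('Add user.', 'Add service principal.', 'Consent to application.') } |
    Format-List CreationDate, Operations, AuditData

# Step 5: outbound mail sent by the account, exported to CSV so recipients can be searched
Get-MessageTrace -SenderAddress $User -StartDate $Since -EndDate $Now -PageSize 5000 |
    Select-Object Received, RecipientAddress, Subject, Status |
    Export-Csv -Path ".\sent-by-$($User -replace '@', '_').csv" -NoTypeInformation
```

Run the script before the password change is rolled out widely, and keep the CSV and audit output as evidence for the IT department's follow-up investigation.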

If the compromised account was used to send out malicious email messages, it is important to inform the recipients about this as soon as possible. An example of a warning message that you can use to inform recipients is provided below.

Warning message example

Hi!

According to our records, you recently received a message from _____ with the subject line _____.

The message in question is a phishing message sent from a compromised email account.

If you clicked the link included in the message and entered your username and password on the website that it opened, please contact your company’s IT department and tell them what happened. If your company does not have an IT department, follow these instructions:

  1. Change your password immediately. After changing your password, you should sign out of all current sessions on all devices, as the criminal may have already used your account to sign in to other services. Instructions on how to do this on Microsoft 365 are provided here. Forcing all sessions to sign in using the new password prevents the criminal from signing in to any services using your account.
  2. Check whether the criminal has set up any email forwarding or other rules on your email account.
  3. Determine the scope of the attack in terms of personal data. Determine the amount and quality of personal data leaked.
  4. Warn any organisations and persons who were sent phishing messages from your account.
  5. Submit a report of a data breach to the
    • NCSC-FI
    • Police
    • Office of the Data Protection Ombudsman

Best regards,

6. Submit a report of a data breach to the

  • NCSC-FI
    Submit a report of the incident to the NCSC-FI as soon as possible so that we can help prevent further damage. You can submit a report even if you do not have all the relevant information. Please attach the phishing message that you received to the report. The NCSC-FI will investigate the link included in the message and submit a request to have the website taken down in order to reduce the number of future victims.
  • Police
  • Office of the Data Protection Ombudsman (page in Finnish)

Preventive measures

If the following functionalities are not yet active, you can enable them by following the instructions provided below.
