These instructions detail how you can regain control of your account and warn others. We also explain how to isolate your account, determine what the attacker has done and what you can do to prevent account compromise.

The measures listed in this section are intended for all users. Be sure to also report the incident to your organisation’s IT department so that they can continue investigating the matter according to instructions.

Isolating your account

2

Check active sessions

Once you have changed your password, check the currently active sessions on all devices to determine where the account has been signed in from. Remember to sign out of all sessions to activate your new password and ensure that your old password can no longer be used.

Select “My profile” under your name and then select “Sign out everywhere”.

Mapping the attacker’s actions

1

Check whether the attacker has set up any email processing or forwarding rules.

The attacker may have set up rules to forward all of your messages to their email address or to move certain messages to specific folders.

2

Check the logs to see what the attacker has done

Check your logs to determine whether the attacker managed to sign in to your Microsoft 365 account. The logs will show you the IP address and location that the account was signed in from and which applications the attacker attempted to use.

3

Check the audit log to see what documents and applications the attacker accessed

The audit log can show you which documents the attacker opened, edited or copied and what services they used, for example.

An M365 admin can search the audit log based on user or time, for example. 

4

Check other accounts in the domain

If the compromised account was a Microsoft 365 admin account or the attacker managed to grant admin-level rights to the account, check whether any new accounts were created in the domain or whether any new applications were installed.

If the compromised account was an admin account, the incident must be taken very seriously, as the account has access to everything under the organisation’s Microsoft 365 subscription.

5

Check whether the account was used to send out any malicious email messages

You can check the Online Exchange service to see whether the attacker sent out any malicious email messages. The report can be downloaded in Excel format, for example, allowing you to easily search for email addresses.

If the compromised account was used to send out malicious email messages, it is important to inform the recipients about this as soon as possible. An example of a warning message that you can use to inform recipients is provided below.

Warning message example

Hi!

According to our records, you recently received a message from _____ with the subject line _____.

The message in question is a phishing message sent from a compromised email account.

If you clicked the link included in the message and entered your username and password on the website that it opened, please contact your company’s IT department and tell them what happened. If your company does not have an IT department, follow these instructions:

  1. Change your password immediately. After changing your password, you should sign out of all current sessions on all devices, as the criminal may have already used your account to sign in to other services. Instructions on how to do this on Microsoft 365 are provided here (External link). Forcing all sessions to sign in using the new password prevents the criminal from signing in to any services using your account.
  2. Check whether the criminal has set up any email forwarding or other rules on your email account.   (External link) 
  3. Determine the scope of the attack in terms of personal data.
    Determine the amount and quality of personal data leaked.
  4. Warn any organisations and persons who were sent phishing messages from your account. (External link)
  5. Submit a report of a data breach to the
    NCSC-FI
    Police
    Office of the Data Protection Ombudsman 

Best regards,

6

Submit a report of a data breach to the

  • NCSC-FI
    Submit a report of the incident to the NCSC-FI as soon as possible so that we can help prevent further damage. You can submit a report even if you do not have all the relevant information. Please attach the phishing message that you received to the report. The NCSC-FI will investigate the link included in the message and submit a request to have the website taken down in order to reduce the number of future victims.
  • Police (External link)
  • Office of the Data Protection Ombudsman (page in Finnish) (External link)

Preventive measures

If the following functionalities are active, you can enable them by following the instructions provided below.

Updated