If you suspect that an account in your Microsoft 365 (M365) or Microsoft Entra ID tenant has been compromised, swift and thorough action is essential to contain the intruder and secure your environment. Here is a step-by-step guide to the immediate containment actions for such incidents.
1. Reset the Password and Revoke Sessions
The first and most immediate action is to reset the affected user's password, which stops the attacker from signing in again with the stolen credential. In a hybrid tenant, reset the password where it is mastered (on-premises Active Directory unless password writeback is enabled), or the cloud change will not stick. Then revoke all active sessions for the account from the Microsoft Entra admin center (Revoke sessions on the user page) or via the Graph revokeSignInSessions action. This invalidates the user's refresh tokens and session cookies, so existing logins cannot be renewed. One caveat: access tokens that were already issued remain valid until they expire (up to an hour with default lifetimes), so keep watching the sign-in logs for the account during that window.
2. Reset MFA
Once inside an account, attackers commonly register their own MFA methods (a phone number, an Authenticator app, or a FIDO key) so they can satisfy MFA and regain access even after a password reset. To close this pathway, review the user's registered authentication methods in Entra ID, remove every method you cannot verify as the user's own, or simply require the user to re-register MFA entirely. Check the Entra audit log for authentication-method registration events around the time of the compromise, as they show exactly what the attacker added. The legitimate user can then securely re-enrol their authentication methods.
3. Periodically Audit Inbox Rules
Attackers frequently create inbox rules in Outlook to forward incoming mail to an address they control, or to move, mark as read, or delete specific messages (for example, replies from the finance team or the bank) so the victim never sees them. This tactic lets them monitor communications, intercept sensitive information, and manipulate ongoing financial transactions such as invoice payments.
To protect against this, review the user's inbox rules for anything unauthorized or suspicious. Look for rules that forward or redirect mail to unfamiliar addresses, delete messages, or move them to obscure folders such as RSS Feeds or Deleted Items, and for rules with blank or single-character names, which attackers use to hide them in the rule list. Rules created through the mailbox APIs can be hidden from Outlook, so audit with Exchange Online PowerShell (Get-InboxRule with -IncludeHidden) rather than relying on the Outlook client alone. Also check the mailbox's own forwarding settings, which work outside any inbox rule. Delete any rule or forwarding configuration you did not create or approve.
Even if you do not suspect a compromise, it is wise to check inbox rules and mailbox forwarding regularly, and to disable automatic forwarding to external domains tenant-wide in the outbound spam policy. These proactive steps help detect and remove unauthorized configurations before they can be exploited.
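The three steps above, carried out from the command line, as an added example that is not part of the original post. It uses the Microsoft Graph PowerShell SDK for the account containment and the Exchange Online PowerShell module for the mailbox audit; the user principal name `alice@contoso.com` is a hypothetical placeholder, and the operator is assumed to hold the admin roles needed to reset passwords, manage authentication methods, and manage mailboxes. The script reports flagged rules first and only deletes them when the `$RemoveFlaggedRules` switch is turned on.

```powershell
# Added example (not from the original post): contain a suspected-compromised
# M365 account. Requires the Microsoft.Graph and ExchangeOnlineManagement modules.
# $Upn is a hypothetical placeholder; replace it with the affected account.
$Upn = 'alice@contoso.com'
# $false = report only; $true = delete flagged inbox rules and clear forwarding.
$RemoveFlaggedRules = $false

# --- Step 1: reset the password and revoke sessions -----------------------
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All',
                        'UserAuthenticationMethod.ReadWrite.All'

# One-time temporary password from a CSPRNG; the user must change it at next sign-in.
$charset = [char[]]'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!$%&*?'
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$tempPassword = -join ($bytes | ForEach-Object { $charset[$_ % $charset.Length] })

Update-MgUser -UserId $Upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
# Invalidates refresh tokens and session cookies. Already-issued access tokens
# stay valid until they expire, so keep watching the sign-in logs for about an hour.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# --- Step 2: remove every registered MFA method so the user re-registers ---
# Each method type has its own Graph cmdlet; the password method cannot be removed.
Get-MgUserAuthenticationPhoneMethod -UserId $Upn | ForEach-Object {
    Write-Host "Removing phone method $($_.PhoneNumber) ($($_.PhoneType))"
    Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId $_.Id
}
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn | ForEach-Object {
    Write-Host "Removing Authenticator app registered on '$($_.DisplayName)'"
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $Upn `
        -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
}
Get-MgUserAuthenticationSoftwareOathMethod -UserId $Upn | ForEach-Object {
    Remove-MgUserAuthenticationSoftwareOathMethod -UserId $Upn -SoftwareOathAuthenticationMethodId $_.Id
}
Get-MgUserAuthenticationEmailMethod -UserId $Upn | ForEach-Object {
    Remove-MgUserAuthenticationEmailMethod -UserId $Upn -EmailAuthenticationMethodId $_.Id
}
Get-MgUserAuthenticationFido2Method -UserId $Upn | ForEach-Object {
    Remove-MgUserAuthenticationFido2Method -UserId $Upn -Fido2AuthenticationMethodId $_.Id
}

# --- Step 3: audit inbox rules and mailbox-level forwarding ---------------
Connect-ExchangeOnline -ShowBanner:$false

# -IncludeHidden also returns rules created through mailbox APIs that Outlook does not show.
$rules = Get-InboxRule -Mailbox $Upn -IncludeHidden
$flagged = $rules | Where-Object {
    # forwarding or redirecting = exfiltration; deleting = hiding replies;
    # blank or dot-only names = an attacker hiding the rule in the list.
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or
    ($_.Name -match '^[\s.]*$')
}
$flagged | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder -AutoSize

if ($RemoveFlaggedRules) {
    $flagged | ForEach-Object {
        Write-Host "Removing inbox rule '$($_.Name)'"
        Remove-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false
    }
}

# Forwarding can also be set on the mailbox itself, outside any inbox rule.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Mailbox-level forwarding set: $($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)"
    if ($RemoveFlaggedRules) {
        Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
            -DeliverToMailboxAndForward $false
    }
}
```

Run it once with `$RemoveFlaggedRules = $false`, export the flagged rules and forwarding settings for the incident record (they are evidence of what the attacker was after), and only then rerun with the switch set to `$true`. Deliver the temporary password to the user out of band, never to the compromised mailbox.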
When an attacker gains access to an account, the damage can extend far beyond the initial breach: they may steal sensitive data, learn about ongoing operations, or use the mailbox to commit fraud against your partners and customers. Acting immediately and adopting the preventive measures above significantly reduces both the likelihood and the impact of such incidents.
By resetting the password, revoking sessions, resetting MFA, and auditing inbox rules and forwarding, you can secure a compromised account and make it much harder for the attacker to further exploit your M365 environment.