Your Office 365 account HAS BEEN compromised or hacked. What’s next?
One of the most common security support requests from our customers is for assistance with remediating an account compromise. The most common scenario is that a member of their organization became the victim of a phishing scam and the attacker obtained the password for their account.
Security threats and data protection are one of the significant challenges that businesses face in today`s modern enterprise. More and more employees become victims of a phishing scam when attackers gain access to their accounts and confidential data.
Understanding how accounts are actually compromised can help you protect them and avoid from being “hacked”. IT Partner offers expert level security support services and provides assistance with remediating compromised accounts.
If your Office 365 subscription has been compromised, your accounts may be blocked to defend you and your contacts. The hijacker may have added back-door entries to your account which empowers attacker to regain control of your account even after you have recovered it. To fix such issues, you must complete the following instructions within five minutes of regaining access to your account.
These steps allow you to get rid of any back-door entries added to your account:
- Block user sign-in.
- Go to Office365 Admin Center – https://admin.microsoft.com/
- Expand “Users” and press “Active users”
- Select user that you need and block sing-in
- Confirm blocking
- Press “Save Changes”
- Check O365 environment
- Check user sing-in log. Go to https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers
- Press on the user name and select “Sign-ins”
- Here you can find the user`s last login information. Please check if all the locations and IP addresses are correct and make sure your employee has used the devices in the locations and IP addresses displayed on the screen. If not, then most likely these authorizations belong to attackers, which means the user credentials have been compromised.
- Check the message flow to identify suspicious emails that might have been sent on behalf of the user. Go to Exchange Online Admin Panel – https://outlook.office365.com/ecp
- Click “Message flow”, then select “Message Trace” tab.
- Select user by pressing “add sender” and press “search”
- Сheck all outgoing messages for suspicious emails.
- Also check tabs “rules” and “connectors” for any strange data
- Check all user’s workstations, laptops and mobile devices.
- Install AV software, for example https://malwarebytes.com/ or any other
- Run full scan and check results.
- Install all Windows updates.
- Next, determine the source and possible leak ways.
- According to the results obtained in the second and third paragraph
- Ask the user about any recently lost devices.
- Ask the user about any suspicious situations and actions, like download and open strange attachments, software installation, visited web-sites and others
- Ask the user about any public Wi-Fi networks he used.
- Eliminate the source of infection, if found.
- Reset user password and unlock account.
- Press a key picture and reset user password, then unlock the user account.
- We also strongly recommend to set MFA authentification fol all users, you can use Microsoft instruction https://docs.microsoft.com/en-us/office365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide
Or ask our support-service to implement it.
These instructions will help you take immediate actions to recover from an Office 365 compromise. Unfortunately, you will not be able to delete and revoke the messages after you have sent them or resolve other damage issues. But with the right combination of user training, internal phishing mail flow rules, and spam protection you can easily prevent such account compromises in the future.
IT Partner is always ready to help you build a safe and secure environment and protect your sensitive data.