One of the most common security support requests from our customers is for assistance with remediating an account compromise. The most common scenario is that a member of their organization became the victim of a phishing scam and the attacker obtained the password for their account.
So, that happened... One way or another, your credentials leaked outside of your organization and bad actors^^ gained access to your account. Maybe you clicked on the link in the phishing email and typed in your login and password on the legitimate-looking phishing website. Or someone stole your notebook that was not protected with the password and Bitlocker encryption, or something else happened...
Now, expect the worst -- bad actors downloaded a copy of your mailbox with all your emails, contacts, attachments, calendar items, tasks, etc. Also, they have all your OneDrive for Business documents and documents shared with you and documents and information that they can access using your account permissions in your company infrastructure. This information could be stored indefinitely and used against you at any time.
Depending on what bad actors see in your mailbox, inside your documents and your organization's systems, they may treat your account differently. The best outcome is when they don't see any opportunity to steal money or information and they use your account to spread laterally^^ INSIDE and OUTSIDE of your organization. They start sending hundreds of phishing emails to your contacts using your name, and your account gets blocked by Microsoft 365 protection mechanisms and that's it. The worst outcome is when bad actors see some potential to steal something and they hide and wait and learn how you and your organization operates over the long-term, often measured in months. During that time, they don't make any obvious and noticeable changes or actions but gather information and try to spread laterally INSIDE your organization to get access to other user accounts, systems, and services that will help them achieve their malicious goals.
Again, we strongly recommend setting multi-factor authentication (MFA) for all users and follow all other prioritized security-related recommendations provided by Microsoft Secure Score service, which is a free service provided by Microsoft as part of your Microsoft 365 subscription.
These instructions will help you take immediate action to recover from the incident. Unfortunately, you will not be able to delete and revoke the messages sent from your account under your name or prevent bad actors from using the information they stole. But with the right combination of user training, internal anti-phishing mail flow rules, MFA, and spam protection, you can easily prevent such account compromises in the future.
^1^ Bad actor -- A cybersecurity adversary that is interested in attacking information technology systems.
^2^ Lateral movement refers to techniques cyberattackers use to progressively move through a network, searching for targeted key data and assets.
^3^ Password spraying is the attack method that takes a large number of usernames (millions) and loops them with a single password. Bad actors can use multiple iterations using a number of different passwords, but the number of passwords attempted is usually low when compared to the number of users attempted. This method avoids password lockouts, and it is often more effective at uncovering weak passwords than targeting specific users with multiple passwords.