In This Article

What to Do When an Office 365 Account is Compromised

Danny Murphy | 6 min read| Published On - September 16, 2021

Office 365 Account is Compromised

Access to Office365 is controlled by a User Principal Name (UPN) and a password. These credentials give regular users access to Office 365 services, including Exchange, SharePoint, OneDrive, Teams, and more.

User credentials can be set via Azure Active Directory, or an on-premise Active Directory Domain Controller, if you are using a hybrid setup. Either way, were an attacker to gain access to one of your user accounts, even if the account has limited privileges, there is the potential for them to do a lot of damage. This is why it is crucially important that you know how to spot the warning signs that one of your O365 accounts has been compromised.

Signs of a Compromised Office 365 Accounts

In the majority of cases, attackers will seek to gain access to a user’s email account, which they will use for a variety of nefarious activities. Below are some examples of the types of suspicious activities we can look out for to determine whether an account has been compromised.

  • Emails have disappeared in a suspicious manner.
  • Emails that have been received by a user, don’t exist in the sender’s Sent Items folder.
  • A user’s Sent or Deleted Items folder contains messages that you would typically associate with phishing scams, often containing words that create a sense of urgency.
  • Suspicious email forwarding rules, such as those that automatically forward emails to an unknown address, the Junk Email folder, or copy them to a suspicious location.
  • An email account is blocked from sending emails.
  • Suspicious changes to a user’s profile, including multiple password changes, and changes to their name and contact details.
  • Suspicious signature changes, which might imply that the account is being used to impersonate an executive, or some other trusted authority.

What Should You Do If One of Your Office 365 Accounts is Compromised?

Reset the relevant passwords

The Global Administrator will need to login to the Microsoft 365 Admin Center and reset all relevant passwords. If it looks like multiple accounts have been compromised, you may need to do a global reset. Make sure that you have a strong password policy in place and use multi-factor authentication where possible. It may also be wise to periodically rotate passwords, which includes adopting a solution that enables automated password expiration reminders.

Disable email forwarding

The Global Administrator will need login to the Exchange Online Admin Center and disable email forwarding on the relevant mailboxes. To do this you can go to Recipients > Mailboxes and double-click on the relevant mailbox. You can then click on Mailbox Features > Delivery Options > View Details and disable forwarding for that account. Alternatively, you can remove email forwarding via PowerShell.

Check for suspicious Inbox rules

Attackers will often try to cover their tracks when engaging in nefarious activities involving compromised email accounts, which often involves setting up rules to delete new messages, thus making it harder for the legitimate owner of the account to find out if their account has been compromised. The Global Administrator can review a list of these rules in the Manage Rules & Alerts section within Outlook and delete any rules that seem suspicious. As always, you can manage rules and alerts via PowerShell.

Enable Multi-Factor Authentication

As mentioned previously, in addition to ensuring that you have a strong password policy, it’s a good idea to implement Multi-Factor Authentication (MFA), which will provide an additional level of security. MFA in Office365 is done via Azure Active Directory and provides several options for you to choose from. You can receive a phone call, text message or email, asking you to confirm your identity. However, the recommended option is to use the Microsoft Authenticator App, which will prompt you to either approve or deny the authentication request. Click here for more information about setting up multi-factor authentication in Office365.

Enable mailbox auditing

As of January 2019, mailbox auditing is enabled by default in Office 365. However, this may not be the case for accounts that were setup before this date. In which case, you will need to use PowerShell to enable auditing on all mailbox accounts. For more information about enabling native mailbox auditing in Office 365 using PowerShell.

It’s worth nothing that there are also third-party solutions that provide real-time Office 365 mailbox auditing. One of the many benefits of adopting a third-party solution is that they can aggregate and correlate event data from multiple platforms – both on-premise and “in the cloud”, and display a summary of these events via an intuitive dashboard. They also provide data discovery and classifications tools, threshold alerting, inactive user account management and automatic password expiration reminders. Most sophisticated third-party solutions use machine learning algorithms for advanced anomaly detection and can deliver real-time alerts to your email address or mobile phone.

Set up “threshold alerting”

As briefly mentioned above, some real-time auditing solutions allow you to detect and respond to events that match a pre-defined threshold condition – a technique referred to as “threshold alerting”. This can be very useful for identifying certain anomalies, such as when a user tries (and fails) to login to their account multiple times, or when they change their password multiple times within a short period of time. When the threshold condition is met, a custom script can be executed which can disable a user account, stop a specific process, change the mailbox settings, or in some cases shut down the affected server.

Use Defender for Office 365 (formerly Advanced Threat Protection)

Microsoft Defender for Office 365 is an email filtering service that helps to protect your organization from various forms of malware and viruses. It is included in Office 365 Enterprise E5 and Microsoft 365 Business Premium plans and can be added to several other Office 365 subscription plans. Defender provides the following features:

  • Safe Attachments – Checks any email attachments that come into your inbox to make sure it’s not malicious.
  • Safe Links – Provides time-of-click verification of website addresses in both email messages and Office documents.
  • Spoof Intelligence – Allows you to set up spoof filters that can determine the difference between legitimate activity and malicious activity.
  • Anti-Phishing – Uses machine learning models to identify potential phishing attacks.


Defender also now provides real-time alerts, SIEM integration, protection against user and domain impersonation, and more. Please visit Microsoft’s website for more information about the latest features of Microsoft Defender for Office 365. Alternatively, If you’d like to see how the Lepide Data Security Platform can help you keep your Office 365 accounts secure, schedule a demo with one of our engineers or start your free trial today.

Danny Murphy
Danny Murphy

Danny brings over 10 years’ experience in the IT industry to our Leadership team. With award winning success in leading global Pre-Sales and Support teams, coupled with his knowledge and enthusiasm for IT Security solutions, he is here to ensure we deliver market leading products and support to our extensively growing customer base

See How Lepide Data Security Platform Works
Or Deploy With Our Virtual Appliance

By submitting the form you agree to the terms in our privacy policy.

Popular Blog Posts