One of the most common security support requests we receive from our Microsoft 365 customers is for help remediating a compromised email account. From Microsoft Teams to Exchange Online, Microsoft 365 greatly enhances the end-user experience, but as with any widely used tool it is also a target. Lately we have seen many Microsoft 365 accounts compromised through simple phishing attacks. Many users also reuse the same email address and password across services such as Twitter, Facebook or other cloud providers. That becomes a problem when, for example, your Twitter password is leaked in a breach (along with millions of others) and your Microsoft 365 account is not protected by two-factor authentication (2FA): attackers routinely replay leaked credentials against corporate email logins, so you are effectively inviting them to try their luck with yours.
Once a hacker has accessed one of your accounts, from their perspective, the sky is the limit. How many of you have sent a password over email? Even bank account emails or credit card info? Well, it shouldn't take too long for anyone to find it in your mailbox, right?
How do you know your Microsoft 365 account has been compromised?
Open Outlook on the web at www.office.com/signin, then go to Settings > Mail > Rules and review every inbox rule. A common attacker technique is a server-side rule that marks incoming messages as read and deletes them (or moves them to an obscure folder such as RSS Feeds). Because the rule runs on the server, it works even when your Outlook client is closed. The attacker then reads the hidden messages in your Deleted Items folder and replies to the sender from your mailbox; when the sender responds, thinking it is you, the rule hides that reply too, and the attacker can keep the conversation going without you noticing. Also look for rules that forward or redirect mail to an external address, and for rules with blank or one-character names, which attackers often use to avoid attention.
Then check your Sent Items and Deleted Items folders. Messages sent from your account that you did not send are a strong sign of compromise. If you find any, reset the password immediately. Some attackers cover their tracks by deleting the messages they sent from Sent Items, so check Deleted Items as well. If they have purged Deleted Items too, the mailbox itself gives you little to go on: deleted mail still sits in the Recoverable Items folder for a retention period and an administrator can search it, but at that point the sign-in history and the tenant audit logs are the more reliable place to look.
If you are still not sure, check your sign-in history. Sign in to https://www.office.com/signin, click the circle with your initials (or photo) in the upper right corner, select View account, then click My Sign-ins in the left pane (or go directly to https://mysignins.microsoft.com). You will probably be asked to re-authenticate. Review the list for sign-ins marked Successful from locations, IP addresses, devices or apps you do not recognise. Be aware that geolocation is approximate: a VPN, a mobile carrier or a corporate proxy can show a city you have never visited, so check the device and application columns as well before concluding anything. A successful sign-in from a country you have never been in, on a device you do not own, is a strong indicator of compromise; use the Look unfamiliar? Secure your account link to reset your password immediately. Note that this page shows only your own sign-ins; administrators can see every user's sign-ins in the tenant sign-in logs (Azure AD, now Microsoft Entra ID).
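The three checks above (inbox rules, mailbox forwarding, sign-in history) can be run for any mailbox by an administrator. The following is an added example, not code from the original article; it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the account running it has Exchange administrator rights and a Graph role covering AuditLog.Read.All, and that jane.doe@contoso.com is a placeholder user.

```powershell
# Added example: admin-side triage of one mailbox for the signs described above.
# Assumes ExchangeOnlineManagement and Microsoft.Graph modules; the UPN is a placeholder.
$User = 'jane.doe@contoso.com'

Connect-ExchangeOnline -ShowBanner:$false

# 1. Inbox rules: flag anything that hides mail (mark read, delete, move) or sends it elsewhere.
Get-InboxRule -Mailbox $User | ForEach-Object {
    $r = $_
    $flags = @()
    if ($r.DeleteMessage) { $flags += 'deletes' }
    if ($r.MarkAsRead)    { $flags += 'marks-read' }
    if ($r.MoveToFolder)  { $flags += "moves-to:$($r.MoveToFolder)" }
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo) { $flags += 'forwards/redirects' }
    if ($r.Name.Trim().Length -le 1) { $flags += 'suspicious-name' }
    if ($flags) {
        [pscustomobject]@{
            Rule        = $r.Name
            Enabled     = $r.Enabled
            Flags       = ($flags -join ',')
            Description = $r.Description
        }
    }
} | Format-List

# 2. Mailbox-level forwarding configured outside of inbox rules.
Get-Mailbox -Identity $User |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Recent sign-ins from the tenant-wide log (the user's own My Sign-ins page shows
#    the same data, but only for that user).
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$User'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Location'; e = { "$($_.Location.City), $($_.Location.CountryOrRegion)" } },
        @{ n = 'Result';   e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failed ($($_.Status.ErrorCode))" } } },
        ClientAppUsed, AppDisplayName |
    Format-Table -AutoSize
```

Treat the output as leads, not verdicts: a rule that moves newsletters to a folder is normal, and a sign-in from an unexpected city may be a VPN exit. A successful sign-in from an unfamiliar country combined with a newly created mark-as-read-and-delete rule is the pattern to act on.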
How do I prevent this from happening?
Do not use your work email address with the same password on any other online service. Better still, do not use your corporate email address for non-business services at all; it is the identifier attackers will try first when a consumer site is breached.
Do not reuse any of your recent passwords. Your directory may enforce a password history (on-premises Active Directory remembers 24 previous passwords by default; cloud-only Microsoft 365 accounts are only blocked from reusing the last one), but even where an older password is accepted, pick something new: a password you have used before may already sit in a breach database.
We strongly recommend enabling Multi-Factor Authentication (MFA) for every account, not only those with administrative privileges: it is the single control that would have stopped the credential-reuse scenario above. To learn more, see Set up multi-factor authentication.
Make sure the password is strong. Mixing upper and lowercase letters, numbers and special characters helps, but length matters more: a long passphrase you have never used anywhere else beats a short password that merely satisfies the complexity rule.
Few people will really maintain a separate password for every service from memory, so use a password manager. It stores your passwords encrypted and generates strong random ones for you; the only secrets you need to remember are your PC login password and the password manager's master password (and protect the manager account with MFA too).
If your on-premises identity is federated with Microsoft 365 (for example through AD FS), the cloud cannot change your password: you must change it in the on-premises directory, and you must notify your administrator of the compromise so they can revoke sessions and review the account on both sides.
Never send passwords by email unless the message is encrypted, and even then send the password separately from whatever it unlocks.
Never keep passwords in Notes or in a mail folder called Passwords: the first thing an intruder searches a mailbox for is the word password.
Never write them on sticky notes attached to a monitor or hidden under the keyboard. It sounds funny, but you would be surprised how many people do it.
Responding to a Compromised Email Account
1. Change your password.
   1. Open your browser and go to www.office.com.
   2. Click Sign in.
   3. Type your corporate email address and press Enter.
   4. Enter your Microsoft 365 password.
   5. Click the circle in the upper right corner with your initials or photo and select View account.
   6. Click Password in the left pane menu.
   7. Sign in again if prompted.
   8. Type your old password first.
   9. Type your new password twice.
  10. Submit.
If you do not know your old password at step 4, click Forgot my password and follow the instructions. This requires self-service password reset to be enabled for your tenant; if it is not, ask your administrator to reset the password for you.
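Changing the password is the user's part of the response. On the administrator's side, the password reset alone is not enough, because tokens already issued to the attacker's client stay valid until they are revoked, and any rule or forwarding the attacker created keeps working under the new password. The following is an added example, not from the original article; it assumes the same modules and a Graph role covering User.ReadWrite.All (for example User Administrator), and jane.doe@contoso.com is a placeholder user.

```powershell
# Added example: admin-side containment of a confirmed compromised mailbox,
# to be run right after the password has been reset. UPN is a placeholder.
$User = 'jane.doe@contoso.com'

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# 1. Revoke existing sessions: a password reset by itself does not invalidate
#    refresh tokens the attacker already holds.
Revoke-MgUserSignInSession -UserId $User | Out-Null

# 2. Disable every enabled inbox rule rather than deleting it, so the rules
#    remain available as evidence for the investigation.
Get-InboxRule -Mailbox $User | Where-Object Enabled | ForEach-Object {
    Write-Host "Disabling rule '$($_.Name)': $($_.Description -replace '\s+', ' ')"
    Disable-InboxRule -Mailbox $User -Identity $_.Identity -Confirm:$false
}

# 3. Remove any mailbox-level forwarding the attacker may have set.
Set-Mailbox -Identity $User `
    -ForwardingAddress $null `
    -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# 4. Confirm nothing is left active.
Get-InboxRule -Mailbox $User | Select-Object Name, Enabled
Get-Mailbox -Identity $User | Select-Object ForwardingAddress, ForwardingSmtpAddress
```

Record what each rule looked like before disabling it (the Write-Host line above prints its description for that reason): the rule's filter criteria usually reveal which conversation the attacker was following, which tells you whom to warn.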