Email remains one of the most common entry points for cyber attacks. If your Microsoft 365 account is compromised, acting quickly can significantly reduce the impact on your organisation. From data theft to fraudulent payment requests, the consequences can escalate fast, but with the right steps, you can regain control and protect your environment.
This guide outlines the common warning signs, what to do immediately, and how to prevent it happening again.
Signs that your Microsoft 365 account may be compromised
Compromised accounts don’t always announce themselves clearly. However, some common symptoms include:
1. Unusual login activity
You may receive alerts about sign-ins from unfamiliar locations, devices, or IP addresses.
2. Password reset notifications
If you receive password reset emails you didn’t request, this may indicate someone is attempting to access your account.
3. Emails in your sent items you didn’t send
Check your “Sent Items” folder. Cyber criminals often send phishing emails from compromised accounts to target colleagues or contacts.
4. Mailbox rules you don’t recognise
Attackers frequently set up hidden inbox rules to forward emails externally or delete replies to hide their activity.
5. Locked account
Multiple failed login attempts can trigger automatic account lockouts.
6. Suspicious financial requests
Colleagues or contacts may report unusual payment requests or urgent emails supposedly sent by you.
7. Your mailbox is blocked from sending email
If spam is being sent from your account, existing security settings may have blocked the account from sending any further email.
8. Missing or deleted emails
If the attacker has added mailbox rules, this may result in some of your emails going missing.
9. Address list changes
The user’s entry in the Global Address List (GAL) may have been changed, for example with altered names or telephone numbers.
10. Incorrect email signatures
Suspicious email message signatures that you didn’t set – these might contain fake details such as incorrect telephone numbers.
If you notice any of these warning signs, take immediate action and escalate to relevant colleagues.
Immediate steps to take
1. Disable the account
If possible, disable the account until the investigation is complete and the account has been secured. This is highly recommended.
2. Reset the password immediately
Change the password to something strong and unique. If you cannot access the account, contact your IT provider or administrator to force a password reset.
Do not send the new password to the user via email, as the attacker could still have access to emails at this point.
3. Enable or enforce multi-factor authentication (MFA)
If MFA is not already enabled, turn it on immediately. If it is enabled, check whether the attacker added their own authentication method and remove it.
4. Revoke user access
From the Microsoft 365 admin centre (or via Azure/Entra ID), revoke active sessions to force sign-out across all devices.
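Steps 1 to 4 as one containment script, added here as an example and not taken from the original article. It assumes the Microsoft Graph PowerShell SDK is installed, the operator holds a role allowed to disable users, reset passwords and manage authentication methods, and `$Upn` is a placeholder for the affected account.

```powershell
# Added example (not from the original article): contain a compromised account with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph PowerShell SDK and a sufficiently privileged admin role.
# $Upn is a placeholder; replace it with the affected account.
param([string]$Upn = 'user@example.com')

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All'

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AccountEnabled

# Step 1: disable the account until the investigation is complete.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 4: revoke refresh tokens so every signed-in session must re-authenticate.
# Disabling alone does not end sessions whose access tokens are still valid.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Step 2: set a temporary random password that must be changed at next sign-in.
# Hand it over out of band (phone or in person), never by email to the affected mailbox.
$tmp = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tmp
    ForceChangePasswordNextSignIn = $true
}

# Step 3: list every registered MFA method so any the attacker added can be identified and removed
# (removal uses the Remove-MgUserAuthentication*Method cmdlet matching the method type).
Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
    [pscustomobject]@{
        Type    = $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        Id      = $_.Id
        Details = ($_.AdditionalProperties.GetEnumerator() |
                   Where-Object { $_.Key -in 'phoneNumber', 'emailAddress', 'displayName', 'createdDateTime' } |
                   ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
} | Format-Table -AutoSize
```

Compare the listed methods against what the user recognises; a phone number, email address or authenticator registration they did not add is the attacker's persistence and should be removed before the account is re-enabled.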
5. Review sign-in logs
To determine how access was gained, administrators should check the Microsoft Entra ID sign-in logs to identify:
- Suspicious IP addresses
- Geographic anomalies
- Repeated login attempts
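The sign-in review above, as an added example that is not part of the original article. It pulls one user's Entra ID sign-in logs through Microsoft Graph PowerShell and flags the three indicators listed: unfamiliar IP addresses, repeated failures, and geographic anomalies (impossible travel). It assumes the Microsoft.Graph SDK, a reader role with access to audit logs, a licence that exposes sign-in logs via Graph, and placeholder values for `$Upn` and the thresholds.

```powershell
# Added example (not from the original article): triage Entra ID sign-in logs for one user.
# Assumes the Microsoft.Graph SDK and AuditLog.Read.All access. $Upn, $Days and $FailureThreshold are
# placeholders to adjust; sign-in log retention in Entra ID is limited, so keep $Days within it.
param([string]$Upn = 'user@example.com', [int]$Days = 14, [int]$FailureThreshold = 10)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since   = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" |
           Sort-Object CreatedDateTime

# 1. Where did sign-ins come from? A success from an IP or country never seen before is the usual lead.
$signIns | Group-Object IpAddress | ForEach-Object {
    [pscustomobject]@{
        IpAddress = $_.Name
        Country   = ($_.Group.Location.CountryOrRegion | Select-Object -Unique) -join ','
        Successes = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        Failures  = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
        First     = ($_.Group | Select-Object -First 1).CreatedDateTime
        Last      = ($_.Group | Select-Object -Last 1).CreatedDateTime
    }
} | Sort-Object Successes -Descending | Format-Table -AutoSize

# 2. Repeated failures: a burst of bad-password attempts (error 50126) before a success points to spraying or brute force.
$signIns | Where-Object { $_.Status.ErrorCode -ne 0 } | Group-Object IpAddress |
    Where-Object { $_.Count -ge $FailureThreshold } |
    ForEach-Object { '{0} failed sign-ins from {1}; reasons: {2}' -f $_.Count, $_.Name,
        (($_.Group.Status.FailureReason | Select-Object -Unique) -join ' | ') }

# 3. Impossible travel: consecutive successes whose implied ground speed no traveller could manage.
function Get-DistanceKm($a, $b) {   # haversine great-circle distance between two GeoCoordinates
    $r = 6371.0; $toRad = [Math]::PI / 180
    $dLat = ($b.Latitude - $a.Latitude) * $toRad; $dLon = ($b.Longitude - $a.Longitude) * $toRad
    $h = [Math]::Sin($dLat / 2) * [Math]::Sin($dLat / 2) +
         [Math]::Cos($a.Latitude * $toRad) * [Math]::Cos($b.Latitude * $toRad) * [Math]::Sin($dLon / 2) * [Math]::Sin($dLon / 2)
    return 2 * $r * [Math]::Asin([Math]::Sqrt($h))
}
$ok = @($signIns | Where-Object { $_.Status.ErrorCode -eq 0 -and $null -ne $_.Location.GeoCoordinates.Latitude })
for ($i = 1; $i -lt $ok.Count; $i++) {
    $prev = $ok[$i - 1]; $cur = $ok[$i]
    $hours = ($cur.CreatedDateTime - $prev.CreatedDateTime).TotalHours
    if ($hours -le 0) { continue }
    $km = Get-DistanceKm $prev.Location.GeoCoordinates $cur.Location.GeoCoordinates
    if (($km / $hours) -gt 900) {   # faster than a commercial flight, so the two sessions cannot share one traveller
        'Impossible travel: {0} ({1}) -> {2} ({3}) in {4:N1} h, {5:N0} km' -f $prev.Location.City, $prev.IpAddress,
            $cur.Location.City, $cur.IpAddress, $hours, $km
    }
}
```

Geolocation of IP addresses is approximate and VPN or mobile egress points shift, so treat an impossible-travel hit as a lead to confirm against the device and application details of both sign-ins rather than as proof on its own.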
6. Remove malicious inbox rules
Review mailbox rules and delete anything unfamiliar, as attackers often use these to maintain access. Also check for:
- Forwarding addresses
- Reply-to address changes
- Delegated mailbox permissions
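The mailbox checks in step 6 as one Exchange Online PowerShell audit, added here as an example and not taken from the original article. It lists inbox rules that forward or redirect externally or delete mail, mailbox-level forwarding, and delegated or Send As permissions, and removes the rules and forwarding only when run with `-Remediate`. It assumes the ExchangeOnlineManagement module, an Exchange role able to read and change recipients, and placeholder values for `$Upn` and `$InternalDomains`.

```powershell
# Added example (not from the original article): hunt for persistence in a compromised Exchange Online mailbox.
# Assumes the ExchangeOnlineManagement module. $Upn is a placeholder; $InternalDomains lists the
# organisation's own domains so that any other recipient domain counts as external.
param([string]$Upn = 'user@example.com', [string[]]$InternalDomains = @('example.com'), [switch]$Remediate)

Connect-ExchangeOnline -ShowBanner:$false

function Test-External([string]$addr) {
    # Rule recipients appear as "Name [SMTP:user@domain]" or as plain addresses; unknown domains are external.
    if ($addr -match '([\w.+-]+@([\w-]+\.)+[\w-]+)') { return $Matches[1].Split('@')[1] -notin $InternalDomains }
    return $false
}

# 6a. Inbox rules. -IncludeHidden also returns rules created through MAPI/EWS that the Outlook UI does not show.
$rules   = Get-InboxRule -Mailbox $Upn -IncludeHidden
$suspect = $rules | Where-Object {
    $_.DeleteMessage -or
    ($_.MoveToFolder -match 'RSS|Archive|Junk|Conversation History') -or
    (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { Test-External "$_" })
}
$suspect | Select-Object Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo, Description | Format-List

# 6b. Mailbox-level forwarding, which is separate from inbox rules and invisible in Outlook.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward | Format-List

# 6c. Delegates and Send As rights, added to keep reading or impersonating after the password changes.
Get-MailboxPermission -Identity $Upn |
    Where-Object { $_.User -notlike 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } | Select-Object Trustee, AccessRights

# Remediation runs only on request, after the findings above have been recorded for the investigation.
if ($Remediate) {
    $suspect | Remove-InboxRule -Confirm:$false
    Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
}
```

Record the rule names, descriptions and forwarding targets before removing anything; they are evidence of what the attacker was collecting and may be needed for a data breach assessment.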
7. Scan devices for malware
If the compromise originated from a phishing link or malware infection, run a full antivirus and endpoint security scan on the affected device.
8. Notify affected parties
If suspicious emails were sent from the compromised account:
- Inform colleagues and contacts
- Warn them not to click links or open attachments
- Advise them to delete the message
9. Check for wider impact
Administrators should verify whether the attacker accessed:
- SharePoint or OneDrive files
- Teams conversations
- Other connected applications
You may need to conduct a broader security review.
Future prevention
Once the account is secured, focus on prevention.
1. Enforce multi-factor authentication for all users
MFA dramatically reduces the likelihood of account takeover. Ideally, implement conditional access policies to block risky sign-ins.
2. Use strong password policies
Encourage long, unique passwords or passphrases. Avoid password reuse across systems.
3. Implement device-based conditional access
Allow sign-ins from company devices only, and either restrict sign-ins from high-risk countries or require additional verification for unusual login attempts. This can be extended to stipulate that only compliant devices are permitted.
4. Provide cyber security training and phishing simulations
Most compromises begin with phishing emails. Regular awareness training helps staff recognise:
- Fake login pages
- Urgent payment scams
- Suspicious attachments
5. Use email filtering
Advanced email filtering helps block malicious links and attachments before users interact with them.
6. Policies for compromised accounts
Use settings to block accounts if users send over a certain number of emails per hour – this would stop emails being sent in the event of an account being compromised and sending spam emails. This number needs to be appropriately set for the role of the user.
7. Restrict access on company devices
Block users from accessing non-work-related email services on company devices. This prevents them accessing malicious emails in personal accounts that may bypass security settings.
8. Monitor for suspicious activity
Set up alerts for:
- Impossible travel logins
- Multiple failed login attempts
- Mailbox forwarding rule creation
9. Regularly audit accounts
Review active users, admin privileges, and authentication methods periodically. Remove unused accounts promptly.
When to seek professional support
If you suspect data has been accessed, sensitive information exposed, or financial fraud attempted, escalate the incident immediately. Quick expert intervention can contain risk and prevent recurrence. You may need:
- A full security audit
- Forensic investigation
- Data breach assessment
- Reporting to relevant authorities (depending on jurisdiction)
Final thoughts
A compromised Microsoft 365 email account can be highly disruptive. Prompt, structured action can limit the consequences. Reset credentials, secure authentication, review configurations, and notify affected parties immediately. Then strengthen your defences to reduce the chance of it happening again.
Cyber security isn’t just about responding to incidents, it’s about building resilient systems and informed users that make compromise far less likely in the first place.
If you’re unsure whether your Microsoft 365 environment is fully secure, consider arranging a security review to identify vulnerabilities – you can contact us here.