If a Microsoft 365 mailbox is suspected or confirmed to be compromised, the following steps should be carried out immediately to contain the breach, remove any malicious access, and restore account integrity.
1. Reset Credentials
Reset the user’s password immediately.
Ensure the new password is strong, unique, and not reused from any previous accounts.
2. Revoke Active Sessions
Revoke all existing sessions and refresh tokens to force re-authentication across all devices and services.
PowerShell command:
Revoke-AzureADUserAllRefreshToken -ObjectId "<user email address>"
3. Enforce Multi-Factor Authentication (MFA)
Enable MFA for the affected account (and ideally all users).
Implement Conditional Access Policies to require MFA for all sign-ins, especially from unfamiliar devices or locations.
4. Remove Malicious Inbox Rules and Forwarding
Review mailbox rules for any that automatically:
Forward emails externally
Move messages to hidden folders (e.g., RSS, Junk, Archive)
Delete any suspicious or malicious rules.
5. Review and Remove Malicious App Consents
Check for unauthorized application consents that may have been granted via OAuth.
Navigate to:
Entra Admin Center → Enterprise Applications → User Settings → Admin Consent Requests
Remove any unrecognized or malicious applications.
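The following PowerShell script is an added example, not part of the original checklist, that carries out the scriptable parts of steps 2, 4 and 5 against a single mailbox. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that the operator holds the Exchange and Entra roles needed for the calls. It uses Revoke-MgUserSignInSession, the Microsoft Graph equivalent of the AzureAD cmdlet shown in step 2, and it also inspects mailbox-level SMTP forwarding, which is set outside of inbox rules and is easy to miss when only rules are reviewed. $Upn, $KnownGoodAppIds and the folder list are placeholders to adapt; nothing is removed unless -Remediate is given, so the default run is a read-only report.

```powershell
# Added example: containment script for a suspected-compromised M365 mailbox.
# Not from the original checklist; all names below are assumptions/placeholders.
param(
    [Parameter(Mandatory)] [string]   $Upn,              # compromised user's UPN (placeholder)
    [string[]] $KnownGoodAppIds = @(),                   # application (client) IDs you trust
    [switch]   $Remediate                                # without this switch: report only
)

# ---- Step 2: revoke sessions and refresh tokens (Graph equivalent of the AzureAD cmdlet) ----
Connect-MgGraph -Scopes "User.RevokeSessions.All","Directory.Read.All","DelegatedPermissionGrant.ReadWrite.All" -NoWelcome
$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName
if ($Remediate) {
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    Write-Host "[+] Revoked all sessions and refresh tokens for $Upn"
}

# ---- Step 4: inbox rules and mailbox-level forwarding ----
Connect-ExchangeOnline -ShowBanner:$false

# Folders an attacker typically hides mail in (assumed list; extend for your tenant's locale).
$hiddenFolders = 'RSS Feeds','RSS Subscriptions','Junk Email','Archive','Deleted Items','Conversation History'

$suspiciousRules = foreach ($rule in Get-InboxRule -Mailbox $Upn) {
    $leaf = if ($rule.MoveToFolder) { ($rule.MoveToFolder -split '\\')[-1] } else { $null }
    $why  = @()
    if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) { $why += 'forwards/redirects mail' }
    if ($rule.DeleteMessage)                                                   { $why += 'deletes mail' }
    if ($leaf -and ($hiddenFolders -contains $leaf))                           { $why += "moves mail to '$leaf'" }
    if ($why) {
        [pscustomobject]@{ Name = $rule.Name; Identity = $rule.Identity; Enabled = $rule.Enabled; Why = ($why -join '; ') }
    }
}
Write-Host "[*] Suspicious inbox rules for ${Upn}:"
$suspiciousRules | Format-Table -AutoSize
if ($Remediate) {
    foreach ($r in $suspiciousRules) {
        Remove-InboxRule -Mailbox $Upn -Identity $r.Identity -Confirm:$false
        Write-Host "[+] Removed rule '$($r.Name)'"
    }
}

# Mailbox-level forwarding is configured on the mailbox object, not in a rule.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Host "[!] Mailbox-level forwarding present: SMTP='$($mbx.ForwardingSmtpAddress)' Contact='$($mbx.ForwardingAddress)'"
    if ($Remediate) {
        Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
        Write-Host "[+] Cleared mailbox-level forwarding"
    }
}

# ---- Step 5: delegated OAuth consents granted by this user ----
# Scopes that give an app access to the mailbox itself (assumed high-risk list).
$mailScopes = 'Mail.Read','Mail.ReadWrite','Mail.Send','MailboxSettings.ReadWrite','Files.ReadWrite.All','offline_access'

$grants = foreach ($g in (Get-MgUserOauth2PermissionGrant -UserId $user.Id -All)) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    $risky = @($g.Scope -split ' ' | Where-Object { $mailScopes -contains $_ })
    [pscustomobject]@{
        App     = $sp.DisplayName
        AppId   = $sp.AppId
        Scope   = $g.Scope
        Risky   = ($risky.Count -gt 0) -and ($KnownGoodAppIds -notcontains $sp.AppId)
        GrantId = $g.Id
    }
}
Write-Host "[*] Delegated consents for ${Upn}:"
$grants | Sort-Object Risky -Descending | Format-Table App,AppId,Scope,Risky -AutoSize
if ($Remediate) {
    foreach ($g in ($grants | Where-Object Risky)) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.GrantId
        Write-Host "[+] Removed consent for '$($g.App)' ($($g.AppId))"
    }
}
```

Run it once without -Remediate and review the three tables; grants flagged Risky are those with mailbox-level scopes from an app not in your allowlist, so populate $KnownGoodAppIds with the client IDs of the mail clients your organization sanctions before re-running with -Remediate. Revoking sessions is done last in the report-only pass on purpose: once tokens are revoked, an attacker holding a still-valid rule or consent would simply re-use it, so the rules and consents should be gone at the moment access is cut.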
6. Notify Affected Parties
Inform internal IT, compliance, and management teams of the incident.
If sensitive data was exposed, notify any external parties or clients who may have been affected, in line with GDPR or organizational incident reporting policies.
7. Post-Incident Actions
Review audit logs for unusual sign-ins or mailbox activity.
Run a Microsoft 365 Security & Compliance investigation (or Defender for Office 365 threat hunting) to identify any other compromised accounts.
Update security policies and training to prevent recurrence.
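As an added example for the audit-log review in step 7 (not from the original checklist), the script below pulls the unified audit log for one mailbox and summarises sign-in source addresses, inbox-rule changes and forwarding changes so a responder can see when the account was first used from an unfamiliar location and whether any rule changes carry forwarding or deletion parameters. It assumes the ExchangeOnlineManagement module, that unified auditing is enabled in the tenant, and that the default 90-day retention covers the window; $Upn and the 30-day lookback are placeholders.

```powershell
# Added example: unified audit log triage for one mailbox.
# Not from the original checklist; $Upn, $Days and the operation list are assumptions.
param(
    [Parameter(Mandatory)] [string] $Upn,   # account under investigation (placeholder)
    [int] $Days = 30                        # lookback window in days (placeholder)
)
Connect-ExchangeOnline -ShowBanner:$false

# Operations that matter most for a mailbox compromise: sign-ins, rule and
# forwarding changes, delegate additions and bulk deletion.
$ops = 'UserLoggedIn','New-InboxRule','Set-InboxRule','UpdateInboxRules',
       'Set-Mailbox','Add-MailboxPermission','HardDelete'

$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
                                  -UserIds $Upn -Operations $ops -ResultSize 5000

# AuditData is a JSON string; flatten the fields this triage needs.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $params = if ($d.Parameters) { ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } else { '' }
    [pscustomobject]@{
        Time      = $r.CreationDate
        Operation = $r.Operations
        ClientIP  = $d.ClientIP
        Result    = $d.ResultStatus
        Params    = $params
    }
}

# 1. Where did sign-ins come from, and when was each address first seen?
Write-Host "[*] Sign-in source addresses (newest first within each group):"
$events | Where-Object Operation -eq 'UserLoggedIn' |
    Group-Object ClientIP |
    ForEach-Object {
        [pscustomobject]@{
            ClientIP  = $_.Name
            Count     = $_.Count
            FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            LastSeen  = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            Failed    = @($_.Group | Where-Object Result -ne 'Success').Count
        }
    } | Sort-Object FirstSeen | Format-Table -AutoSize

# 2. Rule changes, with the ones that forward, redirect, delete or move mail flagged.
$ruleOps = 'New-InboxRule','Set-InboxRule','UpdateInboxRules'
Write-Host "[*] Inbox rule changes:"
$events | Where-Object { $ruleOps -contains $_.Operation } |
    Select-Object Time, Operation, ClientIP,
        @{ n = 'Flagged'; e = { $_.Params -match 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage|MoveToFolder' } },
        Params |
    Format-Table -AutoSize -Wrap

# 3. Mailbox-level forwarding and delegate changes.
Write-Host "[*] Mailbox configuration changes:"
$events | Where-Object { $_.Operation -in 'Set-Mailbox','Add-MailboxPermission' -and
                         $_.Params -match 'Forwarding|DeliverToMailboxAndForward|AccessRights' } |
    Format-Table Time, Operation, ClientIP, Params -AutoSize -Wrap
```

The first table is usually the fastest way to date the compromise: sort by FirstSeen and look for the earliest address that is not a corporate egress or the user's usual ISP, then check whether the flagged rule changes in the second table fall just after that time. Rule changes made from the Outlook desktop client appear as UpdateInboxRules rather than New-InboxRule/Set-InboxRule, and their details sit in a different part of AuditData, so treat an unflagged UpdateInboxRules row as something to open by hand rather than as benign.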