Responding to a Compromised Microsoft 365 Mailbox

Work through these steps in order. Do not stop after step 1 — a password reset alone is not enough.

Step 1 — Reset the password

  1. Admin Centre (admin.microsoft.com) → Active Users → select user → Reset Password
  2. Use a strong, unique password of at least 16 characters — don't reuse any previous password
  3. Tick Require this user to change their password when they first sign in
  4. Tell the user the new password by phone — not by email

If the attacker has already changed the password, the same Admin Centre → Active Users → Reset Password path still works: an admin reset overrides whatever the attacker set.

Step 2 — Kill all active sessions

  1. Admin Centre → Active Users → select user → Account → Sign out of all sessions
  2. Entra ID (entra.microsoft.com) → Users → select user → Revoke sessions
  3. Wait a few minutes, then check Entra ID sign-in logs for any new activity

A password reset alone won't remove active sessions. The attacker may still hold valid OAuth tokens — this step revokes them (access tokens already issued stay usable until they expire, which is why step 3 above says to wait before checking the sign-in logs).

Step 3 — Enable MFA and clean up auth methods

  1. Entra ID → Users → Per-user MFA (or Conditional Access) → enable MFA for the account
  2. Entra ID → Users → select user → Authentication methods — remove anything the user doesn't recognise (authenticator apps, phone numbers, FIDO keys)
  3. Require the user to register a fresh MFA method at next sign-in

If the attacker registered their own MFA method, simply enabling MFA won't stop them — they'll approve their own prompt. Always audit the registered methods.

Step 4 — Remove malicious inbox rules and forwarding

  1. Outlook on the web (outlook.office.com, as the user or via admin impersonation) → Settings → Mail → Rules — delete any rules not created by the user
  2. Settings → Mail → Forwarding — disable forwarding; note any external address for your investigation
  3. Exchange Admin Centre → Recipients → Mailboxes → select user → Delegation — remove unknown delegates (Send As, Send on Behalf, Full Access)

Also run in Exchange Online PowerShell:

Get-InboxRule -Mailbox <user@domain.com> | Format-List Name, Description, Enabled, ForwardTo, RedirectTo, DeleteMessage

Attackers often create hidden rules to silently delete bounce-backs and security alerts so the user never notices the breach.
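The checks in step 4 (rules, forwarding, delegation) can be gathered in one pass. The script below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run with an Exchange admin account. It only reports; removing a rule or delegate stays a deliberate manual step (Remove-InboxRule, Remove-MailboxPermission).

```powershell
# Added example: read-only audit of one mailbox for the persistence mechanisms in step 4.
# Assumes an existing Connect-ExchangeOnline session (ExchangeOnlineManagement module).
param(
    [Parameter(Mandatory = $true)]
    [string]$Mailbox   # UPN of the compromised account, e.g. user@domain.com (placeholder)
)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Inbox rules, including hidden ones that never appear in Outlook settings.
#    Flag any rule that forwards, redirects, deletes, files away or marks mail as read.
Get-InboxRule -Mailbox $Mailbox -IncludeHidden | ForEach-Object {
    $suspicious = $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
                  $_.DeleteMessage -or $_.MoveToFolder -or $_.MarkAsRead
    if ($suspicious) {
        $findings.Add([pscustomobject]@{
            Check  = 'InboxRule'
            Item   = $_.Name
            Detail = "Enabled=$($_.Enabled); ForwardTo=$($_.ForwardTo); RedirectTo=$($_.RedirectTo); Delete=$($_.DeleteMessage); MoveTo=$($_.MoveToFolder)"
        })
    }
}

# 2. Mailbox-level forwarding, which is set outside the inbox rules.
$mbx = Get-Mailbox -Identity $Mailbox
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    $findings.Add([pscustomobject]@{
        Check  = 'Forwarding'
        Item   = "$($mbx.ForwardingAddress)$($mbx.ForwardingSmtpAddress)"
        Detail = "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
    })
}

# 3. Delegation: Full Access, Send As and Send on Behalf.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Check = 'FullAccess'; Item = $_.User; Detail = ($_.AccessRights -join ',') }) }

Get-RecipientPermission -Identity $Mailbox |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Check = 'SendAs'; Item = $_.Trustee; Detail = ($_.AccessRights -join ',') }) }

foreach ($delegate in $mbx.GrantSendOnBehalfTo) {
    $findings.Add([pscustomobject]@{ Check = 'SendOnBehalf'; Item = "$delegate"; Detail = '' })
}

# Anything listed here needs to be confirmed with the user before it is removed.
$findings | Format-Table -AutoSize
```

Keep the output with the investigation notes: external addresses in ForwardTo, RedirectTo or the forwarding fields are the ones you will want for step 7 and for the follow-up investigation.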

Step 5 — Remove malicious OAuth app consents

  1. Entra ID → Enterprise Applications → filter by the user → review all consented apps
  2. Revoke consent for any app you don't recognise
  3. Watch especially for apps with Mail.Read, Mail.Send, or Mail.ReadWrite permissions

A malicious OAuth app can retain access to the mailbox even after a password reset and session revocation. This is one of the most common persistence mechanisms.

Step 6 — Check connected devices and mail clients

  1. Entra ID → Users → Devices — remove any device the user doesn't recognise
  2. Exchange Admin Centre → Recipients → Mailboxes → select user → Mobile Devices — remove unknown ActiveSync devices
  3. If your organisation doesn't use IMAP/POP/SMTP, disable them via authentication policies

Legacy protocols bypass MFA entirely and are a common entry point — disable them unless there's a documented reason to keep them.

Step 7 — Warn recipients

  1. Get the full recipient list: Exchange Admin Centre → Mail flow → Message trace → set sender to the compromised account → run and export
  2. Send a warning from a senior contact — not from the compromised account — advising recipients to delete the suspicious emails without opening attachments or clicking links
  3. If any recipients say they opened an attachment or clicked a link, treat their accounts as potentially compromised

Don't delay notifying recipients while waiting for the full investigation — send warnings as soon as containment is confirmed.

Step 8 — Harden the rest of the tenant

Once this account is secured, take these steps across the whole tenant:

  • Enable Security Defaults or Conditional Access to require MFA for all users
  • Disable legacy auth protocols (POP, IMAP, SMTP AUTH) unless there's a documented reason not to
  • Review all Global Admin and Exchange Admin accounts for unexpected additions
  • Enable Unified Audit Logging if not already active — essential for the investigation

Next: once the account is contained, investigate how the attacker got in: Investigating a Microsoft 365 Mailbox Breach
