Home
IT Hub

Handling Compromised Accounts in Office 365

Microsoft
Reco Security Experts
Updated
May 13, 2024
June 7, 2024

Handling Compromised Accounts in Office 365: A Comprehensive Review


Microsoft Office 365, a cornerstone of modern workplace productivity, provides organizations with powerful tools for communication, collaboration, and data management. However, the rise of cyber threats has made Office 365 accounts a prime target for attackers seeking unauthorized access. In this review, we will explore the complexities of compromised accounts within the Office 365 ecosystem and discuss effective strategies for protecting crucial data.

Identifying Compromised Accounts in Microsoft Office 365


Here are the steps to identify a compromised Microsoft Office 365 account.


Suspicious Activity


Suspicious activities involve users receiving emails from a compromised account without the corresponding email in the sender’s Sent Items folder.
Steps to identify missing emails:

  • Go to the URL on security.microsoft.com.
  • Click on email and collaboration.
  • Click on review.
  • Check if there is any suspicious email and move to quarantine from the phishing email section.

Inbox Rules


Inbox rules are a powerful feature in Outlook.com and Outlook on the web that allow you to automatically perform specific actions on email messages that arrive in your inbox. Inbox rules are usually located in the user's Outlook. Bad actors set different rules on users' inboxes to monitor emails, forward emails, and steal sensitive information from the users' profiles.

To check inbox rules in Outlook, follow these steps:

  • Accessing Settings:
    • Log in to your Outlook on the web account.
    • Click on the Settings gear icon in the upper-right corner.
    • Select View all Outlook settings.
  • Navigating to Rules:
    • In the left sidebar, choose Mail.
    • Click on Rules.

Global Address List Changes


The Global Address List (GAL) is a centralized directory in Office 365 that contains email addresses and contact information for all users within an organization. To view the Global Address List (GAL) in Outlook, follow these steps:

Remember, the Global Address List contains contact data for every associated user in an Exchange organization or tenant. It’s a shared address book accessible through Outlook!

Unusual Signatures


Unusual Signatures are often referred to as “disclaimers”. These disclaimers can be added to email messages that enter or leave your organization, for example, a fake banking signature or a prescription drug signature.


To check signatures on the user’s Outlook, kindly follow the steps below:

  • Open Outlook.
  • Go to the View tab and select View Settings.
  • Click on Email
  • Check if there are strange signatures. using strange signatures is by adding a different one the user used
  • Save your changes.

Profile Modifications


Profile modifications include changes to name, telephone number, or postal code. Bad actors might change the user's name and email from admin.microsoft.com.

To check if the details of the user was changed, kindly follow the steps below:

  • Log in to the Microsoft 365 admin center using your administrator credentials.
  • Navigate to Users > Active users.
  • Select the username of the user you want to modify.
  • On the Account tab, click Manage contact information.
  • Update the user’s display name as desired.
  • Click Save changes.

Frequent Password Changes


Frequent password changes are indicative of unauthorized access attempts. Users should always check sign-in logs to see if a password was changed.

Steps to check if there was a frequent change in the user’s password:

  • Login to the Entra ID portal on entra.microsoft.com.
  • Click on All Users on the left-hand side.
  • Click on Audit.
  • Click on the user and investigate who changed the password.

Immediate Steps to Mitigate a Compromised Account


Office 365 sign-in logs record user authentication events, including successful and failed sign-ins, as well as suspicious activity. Analyzing these logs enables administrators to detect potential security threats.


Steps to Check the Sign in Logs

  • Sign in to the Microsoft Entra admin center on entra.microsoft.com as an Authentication Policy Administrator.
  • Navigate to Identity and then select Users > All users from the left-hand menu.
  • On the left-hand side, click on Sign-in logs. You’ll see a list of sign-in events, including their status.

Examine the values in these columns:

  • Review IP address - Review the IP address of your users.
  • Sign-in locations - Review the locations and know if anyone has signed in from a strange location into the user's mailbox.
  • Sign-in times - The amount of times the user signs in.
  • Sign-in success or failure - You can see if the user sign-in was successful or not.


Recovering and Securing a Compromised Account


Reset the User Password


When resetting a password, avoid sending it via email, as the attacker may still have access to the mailbox. Ensure your password meets security standards: use a combination of upper and lowercase letters, at least one number, and at least one special character. Even if the password history requirement permits it, refrain from reusing any of the last five passwords. Opt for a unique password that the attacker cannot easily guess.


Steps to Reset a User Password

  • Sign in to the Microsoft 365 admin center using your admin account.
  • Navigate to the Users > Active users page.
  • Select the user whose password needs to be reset.
  • Click on Reset password.
  • Follow the instructions on the Reset password page.
  • You can either auto-generate a new password for the user or create one manually.
  • Enter your email address to receive the new password.
  • Send the new password to the user’s alternate email address or provide it in person.

Navigate to the admin portal on the URL admin.microsoft.com, select the username, and click on reset password.

Sign Out of All Sessions on the User Account


To sign out a user from all sessions in Office 365, follow these steps:

  • Log in to the Microsoft 365 admin center.
  • Navigate to Users > Active users.
  • Select the user’s name.
  • Under the Account tab, click Sign out of all sessions.

Within an hour (or after they leave the current Microsoft 365 page), the user will be prompted to sign in again. Keep in mind that an access token is valid for an hour, so the exact timeline depends on the remaining time on that token and whether the user leaves the current webpage.

Remove Suspicious Email Forwarding Addresses

  • In the Microsoft 365 admin center at https://admin.microsoft.com, go to Users > Active users. Or, to go directly to the Active users page, use https://admin.microsoft.com/Adminportal/Home#/users.
  • On the Active Users page, find the user account and select it by clicking anywhere in the row other than the check box next to the name.
  • In the details flyout that opens, select the Mail tab.
  • The value Applied in the Email forwarding section indicates that mail forwarding is configured on the account.
  • Select Manage email forwarding, clear the Forward all email sent to this mailbox check box in the Manage email forwarding flyout that opens, and then select Save changes.

Disable Suspicious Inbox Rules

  • Sign in to the user's mailbox using Outlook on the web.
  • Select Settings (gear icon) at the top right corner, and click on rules.

On the Rules tab of the flyout that opens, review the existing rules and turn off or delete any suspicious rules.

Unblock the User from Sending Mail from the Security Portal


If the account was used to send spam or a high volume of emails, it's likely that the mailbox has been blocked from sending emails.

To unblock a mailbox from sending email, follow the steps below:

  • Microsoft Defender Portal:
    • Open the Microsoft Defender portal by visiting security.microsoft.com
    • Navigate to Email & collaboration > Review > Restricted entities.
    • On the Restricted entities page, identify the user account you want to unblock.
  • Unblock the User:
    • Once on the Restricted entities page, find the user account you wish to unblock.
    • Take the necessary action to unblock the user.

Setup Multi Factor Authentication


Multi Factor Authentication (MFA) is a crucial security measure to protect your Office 365 accounts. By requiring users to provide more than one method of authentication during sign-in, you significantly enhance security. Here’s how you can set up MFA in Office 365:

In the Microsoft 365 admin center:

  • Sign in as a Global Admin:
    • To manage MFA, you need to be a Global admin. If you’re not already, make sure you have the necessary permissions.
  • Choose Your Approach:
    • Microsoft 365 for Business offers two options for enabling MFA: some text
      • Security Defaults: These are suitable for most organizations and provide a good level of sign-in security.
      • Conditional Access Policies: Use these if your organization has more stringent requirements.
  • Turn On MFA:
    • Sign in to the Microsoft 365 admin center as a Global Administrator.
    • Go to Identity > Overview > Properties.
    • Select Manage security defaults and set it to Enabled. Save your changes.
  • Turn Off Per-User MFA (if applicable):some text
    • If you’ve previously turned on per-user MFA, disable it before enabling security defaults.
    • In the Microsoft 365 admin center:
      • Navigate to Users > Active users.
      • Choose Multi Factor Authentication.
      • For each user, set their MFA status to Disabled.

Best Practices for Preventing Future Account Compromises


Train Your Employees


Why
: Educate users about phishing attacks, social engineering, and safe online practices.

How: Conduct regular security awareness training sessions and provide resources on identifying suspicious emails and links.


Manage User Accounts and Permissions


Why
: Properly manage user access to sensitive data and applications.

How: Regularly review user permissions, remove unnecessary access, and follow the principle of least privilege.


Protect All Devices


Why
: Ensure that all devices (computers, mobile phones, tablets) accessing Office 365 are secure.

How: Implement device management policies and enforce security measures.


Monitor and Audit Your Security Policies


Why
: Regularly review security policies and assess their effectiveness.

How: Use audit logs and monitoring tools to track user activity and identify anomalies.


Conclusion


Remember that a combination of technical controls, user education, and proactive monitoring is essential for maintaining a secure Office 365 environment. Stay vigilant and keep your organization protected!

Explore More
See more articles from our Hub

Start Securing Your Entire SaaS Lifecycle

Request a demo