My Office 365 Account Was Hacked

If you have Office 365 running in your organization, it is a fantastic upgrade to existing collaboration tools. From Microsoft Teams to Exchange Online, it truly enhances the end-user experience. As with any great tool, there is the opportunity for exploitation. Lately, we have seen many Office 365 accounts compromised through simple phishing attacks. It starts with a user reporting bounce-backs for emails they didn’t send. These attacks aren’t complicated: they rely on social engineering, getting users to click and enter their username and password. If this has happened to you, don’t worry. We have come up with some steps to help you in the event of a compromise such as this. Here are 5 easy steps to help you deal with compromised Office 365 accounts:

  1. Verify that you are, in fact, compromised. Check the message trace to see if there is outgoing mail the user didn’t send. Often it won’t appear in Sent Items because the attackers delete it with a rule.
    - If you do see unexpected messages, reset the user’s password.
  2. Check the account for rules. Outlook or mailbox rules are notorious in these kinds of hacks because attackers use them to either forward messages or delete the messages they send.
  3. Check your security audit logs. If you have a good Microsoft Consultant, they would have enabled audit logs for your organization. These logs will allow you to determine if you have any sign-in attempts from malicious or unexpected IP addresses. Reviewing the audit logs in Office 365 is a great way to discover what has been accessed, when, and by whom.
  4. Check for devices that are attached to the user in OWA. This is a sneaky method the offenders will sometimes use. By connecting their mobile to the account, they can send and receive emails from it.
  5. Check for contacts. Sometimes the attackers will set up custom contacts to forward email out of Office 365. Look for these and delete them.
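
The five checks above can be run as one read-only review from Exchange Online PowerShell; the script below is an added example, not part of the original post. It assumes the ExchangeOnlineManagement module is installed, that unified audit logging is enabled, and that the `-User` and `-Days` parameter names are placeholders chosen for this sketch.

```powershell
# Added example: read-only triage of one mailbox, following the five steps above.
# Assumption: run by an admin with rights to message trace, audit log and mailbox settings.
param(
    [Parameter(Mandatory)] [string] $User,   # mailbox to review, e.g. user@example.com (placeholder)
    [int] $Days = 7                          # look-back window; message trace covers about 10 days
)
Connect-ExchangeOnline -ShowBanner:$false
$end   = Get-Date
$start = $end.AddDays(-$Days)

# Step 1: outgoing mail the user may not have sent, grouped by subject.
# Newer module versions ship Get-MessageTraceV2 as the replacement for this cmdlet.
Get-MessageTrace -SenderAddress $User -StartDate $start -EndDate $end |
    Group-Object Subject | Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# Step 2: inbox rules that forward, redirect, move or delete messages.
Get-InboxRule -Mailbox $User | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MoveToFolder
} | Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo,
                DeleteMessage, MoveToFolder

# Also step 2: forwarding set on the mailbox itself rather than in a rule.
Get-Mailbox -Identity $User |
    Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Step 3: sign-ins from the audit log, counted per client IP address.
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $User `
        -Operations UserLoggedIn, UserLoginFailed -ResultSize 1000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name

# Step 4: mobile devices partnered with the mailbox, newest first.
Get-MobileDevice -Mailbox $User | Sort-Object FirstSyncTime -Descending |
    Format-Table FriendlyName, DeviceType, DeviceOS, ClientType, FirstSyncTime

# Step 5: most recently created mail contacts and where they point.
Get-MailContact -ResultSize Unlimited | Sort-Object WhenCreated -Descending |
    Select-Object -First 20 Name, ExternalEmailAddress, WhenCreated

Disconnect-ExchangeOnline -Confirm:$false
```

Nothing in the script changes the account; resetting the password and removing rules, devices or contacts stay manual decisions once the output has been reviewed.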

Those 5 simple steps can help you confirm and then recover from an Office 365 compromise. Unfortunately, you can’t unsend the messages, but with the right combination of user training, internal phishing (Keystone has some plans), mail flow rules, and spam protection, you can help prevent these account compromises in the future.
