 
When an Office 365 compromised account goes unnoticed, attackers can gain access to sensitive business information, send phishing emails, steal data, or spread malware across your organization. A single breached account can quickly turn into a major security incident.
This guide explains how to:
- Identify the warning signs of a compromised Office 365 account
- Quickly secure and restore the affected account
- Remove any attacker persistence (backdoors)
- Reduce the risk of future compromises with best-practice security controls
By following the steps below, you can protect your users, business data, and overall Microsoft 365 environment from further damage.
Common Symptoms of an Office 365 Compromised Account
Users or admins may notice unusual behavior that indicates unauthorized access. Watch for:
| Warning Sign | Explanation | 
|---|---|
| Missing or deleted emails | Attackers may hide traces of their activity | 
| Suspicious sent emails | Recipients report emails you did not send | 
| No sent items visible | Sent phishing messages may bypass the Sent folder | 
| Unusual inbox rules | Emails may be auto-forwarded to external addresses | 
| Display name changed | Attackers may impersonate executives or employees | 
| Account blocked from sending email | Microsoft detects spam-like sending behavior | 
| External forwarding added | A common method attackers use to exfiltrate data | 
| Password changed without user action | Indicates credential theft or brute force attack | 
| New signatures / fake branding | Often used in financial fraud email scams | 
Tools to Investigate Suspicious Activity
- Microsoft Defender Audit Logs: Search audit logs for unusual activities using a date range starting before the breach.
- Entra ID (Azure AD) Sign-In Logs: Check for unusual IP addresses, sign-in locations, and failed login attempts.
- Microsoft 365 Admin Center Test: Run the built-in tests to detect compromised accounts.
Tip: Start investigations with logs from 7 days before the account displayed suspicious activity. This helps uncover early compromise indicators.
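The sign-in review above can be scripted. The following is an added example, not code from the original article: it pulls the Entra ID sign-in events for one user starting 7 days before the first symptom and groups them so a new country or IP, a burst of failures, or a legacy-protocol login without MFA stands out. It assumes the Microsoft.Graph.Reports module and the AuditLog.Read.All scope; the UPN and the date are placeholders.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph.Reports
# and the AuditLog.Read.All scope; $upn and $firstSignal are placeholders.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$upn         = "user@contoso.example"      # placeholder
$firstSignal = Get-Date "2024-01-15"        # placeholder: when symptoms were first noticed
$lookback    = $firstSignal.AddDays(-7)     # the 7-day head start recommended above

# OData filter: this user's sign-ins since the lookback date (UTC, ISO 8601)
$since   = $lookback.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter  = "userPrincipalName eq '$upn' and createdDateTime ge $since"
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

# One row per sign-in with the fields an investigator looks at first
$rows = $signIns | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.CreatedDateTime
        IP      = $_.IpAddress
        Country = $_.Location.CountryOrRegion
        City    = $_.Location.City
        App     = $_.AppDisplayName
        Client  = $_.ClientAppUsed                 # IMAP/POP/SMTP AUTH never show an MFA prompt
        MFA     = $_.AuthenticationRequirement     # singleFactorAuthentication vs multiFactorAuthentication
        Result  = if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Fail ($($_.Status.ErrorCode))" }
    }
}

# Successful sign-ins by source. A country/IP pair whose First time is inside the
# suspicious window and never appeared before is the usual first indicator.
$rows | Where-Object Result -eq 'Success' |
    Group-Object Country, IP | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# Failed attempts per IP: many failures followed by a success from the same IP
# is the signature of password spray / brute force
$rows | Where-Object Result -like 'Fail*' |
    Group-Object IP | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# Successful sign-ins through legacy clients: these bypass MFA entirely
$rows | Where-Object { $_.Result -eq 'Success' -and $_.Client -notin 'Browser', 'Mobile Apps and Desktop clients' } |
    Format-Table Time, IP, Country, Client, MFA -AutoSize
```

Compare the first table against the user's normal locations and devices before acting on it; travel and VPN exits produce legitimate new IPs, so the combination of a new source, a legacy client and a subsequent inbox-rule change carries far more weight than any one field alone.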
How to Secure and Restore an Office 365 Compromised Account (Complete Checklist)
Make sure you complete all the steps — attackers often create multiple persistence points.
Step 1: Reset the User’s Password Immediately
- Sign the user out of all sessions
- Create a strong, unique password (never reuse old passwords)
- Do not email the new password to the user
- If synced with on-prem AD, reset on-prem first
- Remove any previously created app passwords
- Enable MFA for the account to prevent repeat attacks

Step 2: Remove Suspicious Forwarding Addresses
- Go to Microsoft 365 Admin Center
- Select Users → Active Users
- Open the affected user
- Check Mail settings → Email forwarding
- Remove any unknown addresses

Step 3: Delete Suspicious Inbox Rules
Attackers often hide their activity using inbox rules like:
“Move all messages to RSS Feeds / Junk / Archive”.
In Outlook Web:
- Go to Settings
- Search: Inbox Rules
- Delete any unfamiliar or automated rules

Admins can also manage rules with PowerShell; see the CodeTwo guide on managing Outlook rules.
Step 4: Remove the Account from the Block/Restricted List
If the account was sending spam, Microsoft may have blocked it. You can also set up a custom anti-spam policy.
Microsoft 365 Defender:
Security → Review → Restricted entities → Unblock
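Steps 1 to 4 map directly onto a short PowerShell containment routine. The block below is an added example, not code from the original article or the guides it links to: it revokes sessions, sets a random temporary password, clears both forms of mailbox forwarding, flags the inbox-rule patterns described in Step 3 for removal, and lifts a restricted-sender block. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an admin signed in with the User.ReadWrite.All and Directory.AccessAsUser.All Graph scopes plus Exchange admin rights; the UPN is a placeholder.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph and
# ExchangeOnlineManagement; $upn is a placeholder.
$upn = "user@contoso.example"   # placeholder

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"
Connect-ExchangeOnline -ShowBanner:$false

# Step 1a: sign out of every session so stolen refresh tokens stop working
Revoke-MgUserSignInSession -UserId $upn | Out-Null

# Step 1b: set a random temporary password and force a change at next sign-in.
# It is shown once on the admin console; hand it over out-of-band, never by email.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $upn -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}
Write-Host "Temporary password for $upn : $tempPassword"

# Step 2: show, then clear, mailbox-level forwarding in both of its forms
# (ForwardingAddress = directory contact, ForwardingSmtpAddress = raw SMTP address)
Get-Mailbox -Identity $upn | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Set-Mailbox -Identity $upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# Step 3: list inbox rules (including hidden ones created through MAPI) and flag
# the patterns attackers rely on: forward/redirect out, delete, or bury the mail
# in RSS Feeds / Junk / Archive
$rules   = Get-InboxRule -Mailbox $upn -IncludeHidden
$suspect = $rules | Where-Object {
    $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage -or
    ($_.MoveToFolder -and $_.MoveToFolder -match 'RSS|Junk|Archive|Conversation History')
}
$suspect | Format-List Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, Description

# Review the output above, then remove the rules that are not the user's own.
# -WhatIf only previews; drop it to actually delete.
foreach ($rule in $suspect) {
    Remove-InboxRule -Mailbox $upn -Identity $rule.Identity -Confirm:$false -WhatIf
}

# Step 4: if Microsoft placed the account on the restricted-senders list, lift the block
if (Get-BlockedSenderAddress -SenderAddress $upn) {
    Remove-BlockedSenderAddress -SenderAddress $upn
}
```

Keep the rule listing from Step 3 with the incident record before deleting anything; the rule names and targets are evidence of what the attacker was trying to hide and where mail was going.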

Step 5: (Optional) Temporarily Block Sign-In
Useful while investigating or if multiple systems are affected.
Admin Center:
- Users → Select User → Block sign-in

Step 6: (If Admin Account Compromised) Remove Admin Roles
Attackers frequently elevate compromised accounts.
- Go to Entra ID → Roles & Administrators
- Remove any admin privileges
- Reassign admin access only after the account is fully secured
Important Security Tip
When an admin account is compromised, attackers may try to create alternate backdoors inside the environment. Before restoring trust, check the following:
| Area to Verify | What to Look For | Why It Matters | 
|---|---|---|
| New Admin Accounts | Unknown Global Admin, Exchange Admin, or Helpdesk roles | Attackers often create new admin users to silently re-enter the environment later | 
| Exchange Transport Rules | Rules that forward or redirect mail externally | Used for silent email exfiltration without user awareness | 
| Exchange Connectors | Unknown inbound/outbound SMTP connectors | Can allow attackers to send mail through your tenant to bypass filters and impersonate users | 
| Enterprise App Registrations | OAuth Apps with Access to Mail/Directory Data | Allows attacker persistence even if MFA + password is changed | 
| Sharing / Permission Changes | Unusual or excessive SharePoint/Teams sharing | May expose files to attacker-controlled accounts | 
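The five areas in the table can be swept in one pass. The script below is an added example, not code from the original article: it lists privileged-role members outside a documented admin list, transport rules that copy or redirect mail, connectors changed inside the suspected window, OAuth consent grants carrying mail or directory scopes, and external sharing events from the unified audit log. It assumes the Microsoft.Graph (Directory.Read.All, Application.Read.All) and ExchangeOnlineManagement modules; the known-admin list and the review window are placeholders.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph and
# ExchangeOnlineManagement; $knownAdmins and $reviewSince are placeholders.
Connect-MgGraph -Scopes "Directory.Read.All", "Application.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

$knownAdmins = @("admin@contoso.example")   # placeholder: your documented admin accounts
$reviewSince = (Get-Date).AddDays(-30)      # placeholder: start of the suspected compromise window

# 1. New Admin Accounts: privileged-role members not on the documented list
$privRoles = 'Global Administrator', 'Exchange Administrator', 'Helpdesk Administrator',
             'Privileged Role Administrator', 'Application Administrator', 'User Administrator'
foreach ($role in Get-MgDirectoryRole -All | Where-Object DisplayName -in $privRoles) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $memberUpn = $m.AdditionalProperties['userPrincipalName']
        if ($memberUpn -and $memberUpn -notin $knownAdmins) {
            "[ROLE]      $($role.DisplayName): $memberUpn"
        }
    }
}

# 2. Exchange Transport Rules: any rule that copies, redirects or adds recipients
Get-TransportRule | Where-Object {
    $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients
} | ForEach-Object {
    $targets = (@($_.RedirectMessageTo) + @($_.BlindCopyTo) + @($_.CopyTo) + @($_.AddToRecipients)) -join ', '
    "[TRANSPORT] $($_.Name) state=$($_.State) changed=$($_.WhenChanged) -> $targets"
}

# 3. Exchange Connectors: created or changed inside the review window
Get-InboundConnector | Where-Object WhenChanged -ge $reviewSince | ForEach-Object {
    "[INBOUND]   $($_.Name) enabled=$($_.Enabled) senders=$($_.SenderIPAddresses -join ',') $($_.SenderDomains -join ',')"
}
Get-OutboundConnector | Where-Object WhenChanged -ge $reviewSince | ForEach-Object {
    "[OUTBOUND]  $($_.Name) enabled=$($_.Enabled) smarthosts=$($_.SmartHosts -join ',')"
}

# 4. Enterprise App Registrations: OAuth grants with mail/directory/file scopes.
#    These survive a password reset and MFA enrolment, so each needs a known owner.
$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }
Get-MgOauth2PermissionGrant -All |
    Where-Object Scope -match 'Mail\.|MailboxSettings|Directory\.|User\.Read\.All|Files\.' |
    ForEach-Object {
        $sp = $spById[$_.ClientId]
        "[OAUTH]     $($sp.DisplayName) publisher=$($sp.PublisherName) consent=$($_.ConsentType) scope=$($_.Scope)"
    }

# 5. Sharing / Permission Changes: external or anonymous sharing in the window
Search-UnifiedAuditLog -StartDate $reviewSince -EndDate (Get-Date) -RecordType SharePointSharingOperation -ResultSize 1000 |
    Where-Object Operations -in 'AnonymousLinkCreated', 'SharingInvitationCreated', 'AddedToSecureLink' |
    ForEach-Object { "[SHARING]   $($_.CreationDate) $($_.UserIds) $($_.Operations)" }
```

Anything tagged [ROLE] or [OAUTH] that nobody can vouch for should be removed before admin access is restored to the recovered account, because both continue to work after the password reset and MFA enrolment in Step 1.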

Step 7: Notify Affected Users and Review Sent Items
- Inform contacts if phishing messages were sent
- Identify if any financial fraud attempts occurred
- Document findings for compliance or audit requirements
To automate the entire process with PowerShell, see the guide published by Office 365 Reports, Automate Compromised Account.
Best Practices to Prevent Office 365 Compromised Accounts
| Best Practice | Benefit | 
|---|---|
| Enable MFA for all users | Prevents unauthorized logins even if passwords are stolen | 
| Use Conditional Access Policies | Restrict login based on device, location, or risk level | 
| Monitor sign-in logs regularly | Helps detect early compromise attempts | 
| Security awareness training | Reduces the likelihood of credential-phishing | 
| Use strong password policies | Prevents brute force and credential reuse attacks | 
| Enable alerts for suspicious activity | Early detection minimizes data loss | 
Conclusion
Recovering an Office 365 compromised account requires swift action.
By identifying early warning signs, restoring account security, removing attacker persistence, and strengthening your security posture with MFA and monitoring — you significantly reduce the chances of future breaches.
Proactive prevention is always more effective than recovery.
FAQs
1. What should I do first if an Office 365 account is compromised?
Sign the user out of all sessions, reset the password immediately, and enable MFA.
2. How do I know if my Office 365 account is hacked?
Look for unexpected sign-in locations, unexplained inbox rules, or unknown forwarding.
3. Does MFA stop Office 365 account compromises?
MFA prevents over 99% of password-based attacks.
Related Links:
- Conditional Access for Granular Control.
- Configure Office 365 Defender Policies.
- Connect PowerShell with Exchange Online.
- Configure SMTP Relay in Exchange Online.
2 comments on “How to Detect and Recover an Office 365 Compromised Account (Step-by-Step Guide)”