Among Office 365 customers, it is fairly common to get security support requests for remediating compromised accounts. When hackers manage to obtain the password for an Office 365 account, they would have access to information directly coming from a member of a specific organization, posing plenty of dangers for internal and external contacts alike.
So what do you do if you believe an account (or multiple accounts) in your organization have been compromised? First, you need to confirm that a breach occurred by reviewing suspicious activity in the emails. Then, you will have to reset the password, disable changes, and strengthen existing security to prevent the hackers from re-entering the account.
Why Office 365 Accounts Get Hacked and What It Means For You
In 2019, research showed that more and more hackers were targeting Microsoft Office 365 accounts and managed to infiltrate them successfully. Around 29% of the organizations included in the study were compromised in March 2019 alone. Even government offices experienced having their email accounts and exchanges infiltrated by foreign hackers. As more and more people stay at home to work during the COVID-19 pandemic, cybercriminals continue to attack financially-pressured and vulnerable employees through their Office 365 accounts as well.
It seems that hackers are focusing on Microsoft accounts because Office 365 has become the core of many businesses. Once an attacker manages to access one account, they essentially have a gateway to your organization’s entire business network. From there, they could download a copy of all your emails, tasks, contacts, attachments, calendar items, and customer data. They can even store the files and business documents shared on OneDrive and use these against you at any time.
An Office 365 account usually becomes compromised if a member of the organization falls victim to a phishing scheme. The best case scenario is that the cybercriminals don’t see any opportunity to steal money or information; instead, they use your account to send hundreds of phishing emails to your contacts — until Office 365 blocks the account. However, the worst outcome would be if they see you have admin privileges or if they suspect they can potentially steal something from you.
When this happens, the hacker would wait and hide to see how your organization operates without letting you notice any obvious changes. They will gather information and try to access other accounts or services inside your organization. They may also gather data about your clients and compromise them as well.
How to Check If Your Account Was Compromised
Account compromise occurs when a cybercriminal manages to take control of a business account. Cyberattacks are a powerful threat to cloud-based business environments because they can access multiple applications and target other accounts by gaining access to one.
So how would you be able to tell if your Office 365 account was compromised? Microsoft has listed signs and symptoms you should look out for if you suspect that something is wrong:
- Inability to access account(s) or sign-in issues
- Missing or deleted emails
- Phishing attacks or spam emails sent internally or to clients by internal users
- Unauthorized changes to the user account profile like updates to the name, phone number, and postal code
- Suspicious logins or multiple failed login attempts
- Multiple password resets from unknown locations
- Suspicious configuration changes or new inbox rules such as auto-forwarding emails
- Unusual signatures or out-of-office messages added to emails
- Sent or Deleted folders contain hacked-account messages
- User’s mailbox blocked from sending emails
- Display name changed on Global Address List
- Unusual inbox activity such as emails with a high number of BCC recipients
If you see any of the above symptoms, it’s best to perform further investigation using the tools provided by the Microsoft 365 Security & Compliance Center, as well as Azure Portal:
|Unified audit logs||Allows you to review all activities on a suspected account by filtering the results for the date range, spanning from immediately before any suspicious activity occurred to the current date|
|Admin audit logs||Allows you to search and view entries in the Exchange Admin Center based on the Exchange Online PowerShell cmdlets so you can see information on what cmdlet was run by whom, which parameters they used and what objects were affected|
|Azure AD sign-in logs||Allows you to examine risk reports in the Azure AD portal, as well as review IP addresses, sign-in locations, sign-in times, and sign-in successes or failures|
|Contact audit logs||Allows you to see and delete if hackers managed to set custom contacts for email forwarding out of Office 365|
|Device audit logs||Allows you to disconnect any mobile devices a hacker might have connected to the account through the Outlook Web App (OWA)|
6 Steps To Take If Your Office 365 Account Was Hacked
In the event that you were compromised by an attacker, it’s important not to panic while trying to think of what to do next. As much as possible, you will have to act quickly to prevent the hacker from regaining account access. You also need to be thorough in locking the intruder out and ensuring they won’t creep back in through backdoor entries they added.
After notifying the admin and your IT department, here are 6 steps you should take immediately:
- Change your password immediately.
Reset your password to contain both uppercase and lowercase letters, at least one number, and at least one special character. Avoid reusing any of your last 5 passwords; choose something that is difficult to guess. You should also update all your app passwords as well. Be sure to avoid sending the reset code to the infected account.
- Remove any suspicious email-forwarding addresses.
Open the Microsoft 365 Admin Center and click on Active Users to find the account in question. Expand the mail settings and click Edit on email forwarding. Remove any suspicious or unfamiliar email addresses.
- Disable suspicious inbox rules.
Sign into the user’s inbox using Outlook on the web and click on Settings (the gear icon). Click on the mail to review Inbox and Sweep rules, then disable any suspicious rules. You should also check if the Exchange account is using a rule to auto-forward information to an address.
- Check for any changes to the signature or out-of-office replies.
Hackers sometimes add malicious links to your signature or out-of-office replies. Double-check on these to confirm no changes were made to the user account. You should also look at your contact information and addresses for any strange links.
- Unblock users from sending mail.
Microsoft 365 automatically blocks the mailbox from sending mail if it detects spam mail being sent. They have a complete guide for unblocking here. Of course, you may opt to block the account from signing-in until you think it is safe to re-enable access.
- Follow precautionary steps.
Verify any of the sent emails and check with contacts to see if they received hacked-account messages, like the sender pretended to be stranded in another country and asked for money. It’s good to warn them ahead so they avoid clicking on phishing links as well.
Activate multi-factor authentication (MFA) for all your accounts and see if alternative accounts were compromised too. For good measure, you may also perform a virus scan to check if your computer picked something up.
Let Abacus Shore Up Your Defenses
Even small and medium-sized companies should pay extra attention to their cybersecurity. Although it may seem insignificant and tedious to change passwords or enable MFA, it can save your company from security-related headaches in the long-run.
Let Abacus worry about cybersecurity for you. With our comprehensive, multi-layered security plan that can fit your company’s needs, you can rest easy over cybersecurity functions like system security patching, system monitoring, vulnerability assessments, and more. Contact us today to learn more about our services.