{"id":4834,"date":"2023-07-17T12:49:13","date_gmt":"2023-07-17T19:49:13","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=4834"},"modified":"2023-07-17T12:49:16","modified_gmt":"2023-07-17T19:49:16","slug":"how-to-secure-and-restore-a-compromised-microsoft-365-mailbox","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=4834","title":{"rendered":"How to Secure and Restore a Compromised Microsoft 365 Mailbox"},"content":{"rendered":"\n<p>Even after the user regains access to their account, the attacker might have left back-door entries that allow the attacker to resume control of the account.<\/p>\n\n\n\n<p>Do&nbsp;<strong>all<\/strong>&nbsp;of the following steps to regain control of the account. Go through the steps as soon as you suspect a problem and as quickly as possible to make sure that the attacker doesn&#8217;t resume control of the account. These steps also help you remove any back-door entries that the attacker might have added to the account. 
After you do these steps, we recommend that you run a virus scan to make sure that the client computer isn&#8217;t compromised.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-1-reset-the-users-password\">Step 1: Reset the user&#8217;s password<\/h3>\n\n\n\n<p>Follow the procedures in&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/admin\/add-users\/reset-passwords?view=o365-worldwide#reset-my-admin-password\">Reset a business password for someone<\/a>.<\/p>\n\n\n\n<p>&nbsp;Important<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Don&#8217;t send the new password to the user through email, because the attacker still has access to the mailbox at this point.<\/li><li>Be sure to use a strong password: upper and lowercase letters, at least one number, and at least one special character.<\/li><li>Even if the password history requirement allows it, don&#8217;t reuse any of the last five passwords. Use a unique password that the attacker can&#8217;t guess.<\/li><li>If the on-premises identity is federated with Microsoft 365, you must change the on-premises account password on-premises, and then notify the administrator of the compromise.<\/li><li>Be sure to update app passwords. App passwords aren&#8217;t automatically revoked when you reset the password. The user should delete existing app passwords and create new ones. For instructions, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/user-help\/multi-factor-authentication-end-user-app-passwords#create-and-delete-app-passwords-from-the-additional-security-verification-page\">Create and delete app passwords from the Additional security verification page<\/a>.<\/li><li>We highly recommend that you enable multi-factor authentication (MFA) for the account. 
MFA is a good way to help prevent account compromise, and is very important for accounts with administrative privileges. For instructions, see&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/admin\/security-and-compliance\/set-up-multi-factor-authentication?view=o365-worldwide\">Set up multi-factor authentication<\/a>.<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-2-remove-suspicious-email-forwarding-addresses\">Step 2: Remove suspicious email forwarding addresses<\/h3>\n\n\n\n<ol class=\"wp-block-list\"><li>In the Microsoft 365 admin center at&nbsp;<a href=\"https:\/\/admin.microsoft.com\/\">https:\/\/admin.microsoft.com<\/a>, go to&nbsp;<strong>Users<\/strong>&nbsp;&gt;&nbsp;<strong>Active users<\/strong>. Or, to go directly to the&nbsp;<strong>Active users<\/strong>&nbsp;page, use&nbsp;<a href=\"https:\/\/admin.microsoft.com\/Adminportal\/Home#\/users\">https:\/\/admin.microsoft.com\/Adminportal\/Home#\/users<\/a>.<\/li><li>On the&nbsp;<strong>Active users<\/strong>&nbsp;page, find the user account, and select it by clicking anywhere in the row other than the check box next to the name.<\/li><li>In the details flyout that opens, select the&nbsp;<strong>Mail<\/strong>&nbsp;tab.<\/li><li>The value&nbsp;<strong>Applied<\/strong>&nbsp;in the&nbsp;<strong>Email forwarding<\/strong>&nbsp;section indicates that mail forwarding is configured on the account. Select&nbsp;<strong>Manage email forwarding<\/strong>, clear the&nbsp;<strong>Forward all email sent to this mailbox<\/strong>&nbsp;check box in the&nbsp;<strong>Manage email forwarding<\/strong>&nbsp;flyout that opens, and then select&nbsp;<strong>Save changes<\/strong>.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-3-disable-suspicious-inbox-rules\">Step 3: Disable suspicious Inbox rules<\/h3>\n\n\n\n<ol class=\"wp-block-list\"><li>Sign in to the user&#8217;s mailbox using Outlook on the web.<\/li><li>Select&nbsp;<strong>Settings<\/strong>&nbsp;(gear icon), enter &#8216;rules&#8217; in the&nbsp;<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/m365-cc-sc-search-icon.png?view=o365-worldwide\">&nbsp;<strong>Search<\/strong>&nbsp;box, and then select&nbsp;<strong>Inbox rules<\/strong>&nbsp;from the results.<\/li><li>On the&nbsp;<strong>Rules<\/strong>&nbsp;tab of the flyout that opens, review the existing rules, and turn off or delete any suspicious rules.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-4-unblock-the-user-from-sending-mail\">Step 4: Unblock the user from sending mail<\/h3>\n\n\n\n<p>If the account was used to send spam or a high volume of email, it&#8217;s likely that the mailbox has been blocked from sending mail.<\/p>\n\n\n\n<p>To unblock a mailbox from sending email, follow the procedures in&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/removing-user-from-restricted-users-portal-after-spam?view=o365-worldwide\">Remove blocked users from the Restricted entities page<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-5-optional-block-the-user-account-from-signing-in\">Step 5 Optional: Block the user account from signing-in<\/h3>\n\n\n\n<p>&nbsp;Important<\/p>\n\n\n\n<p>You can block the account from signing-in until you believe it&#8217;s safe to re-enable access.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Do the following steps in the Microsoft 365 admin center at&nbsp;<a href=\"https:\/\/admin.microsoft.com\/\">https:\/\/admin.microsoft.com<\/a>:<ol><li>Go to&nbsp;<strong>Users<\/strong>&nbsp;&gt;&nbsp;<strong>Active users<\/strong>. Or, to go directly to the&nbsp;<strong>Active users<\/strong>&nbsp;page, use&nbsp;<a href=\"https:\/\/admin.microsoft.com\/Adminportal\/Home#\/users\">https:\/\/admin.microsoft.com\/Adminportal\/Home#\/users<\/a>.<\/li><li>On the&nbsp;<strong>Active users<\/strong>&nbsp;page, find and select the user account from the list by doing one of the following steps:<ul><li>Select the user by clicking anywhere in the row other than the check box next to the name. In the details flyout that opens, select&nbsp;<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/m365-cc-sc-no-icon.png?view=o365-worldwide\">&nbsp;<strong>Block sign-in<\/strong>&nbsp;at the top of the flyout.<\/li><li>Select the user by selecting the check box next to the name. 
Select&nbsp;<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/m365-cc-sc-more-actions-icon.png?view=o365-worldwide\">&nbsp;<strong>More actions<\/strong>&nbsp;&gt;&nbsp;<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/m365-cc-sc-no-icon.png?view=o365-worldwide\">&nbsp;<strong>Edit sign-in status<\/strong>.<\/li><\/ul><\/li><li>In the&nbsp;<strong>Block sign-in<\/strong>&nbsp;flyout that opens, read the information, select&nbsp;<strong>Block this user from signing in<\/strong>, select&nbsp;<strong>Save changes<\/strong>, and then select&nbsp;<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/m365-cc-sc-close-icon.png?view=o365-worldwide\">&nbsp;<strong>Close<\/strong>&nbsp;at the top of the flyout.<\/li><\/ol><\/li><li>Do the following steps in the Exchange admin center (EAC) at&nbsp;<a href=\"https:\/\/admin.exchange.microsoft.com\/\">https:\/\/admin.exchange.microsoft.com<\/a>:<ol><li>Go to&nbsp;<strong>Recipients<\/strong>&nbsp;&gt;&nbsp;<strong>Mailboxes<\/strong>. 
Or, to go directly to the&nbsp;<strong>Mailboxes<\/strong>&nbsp;page, use&nbsp;<a href=\"https:\/\/admin.exchange.microsoft.com\/#\/mailboxes\">https:\/\/admin.exchange.microsoft.com\/#\/mailboxes<\/a>.<\/li><li>On the&nbsp;<strong>Mailboxes<\/strong>&nbsp;page, find and select the user from the list by doing one of the following steps:<ul><li>Select the user by clicking anywhere in the row other than the round check box that appears next to the name.<\/li><li>Select the user by selecting the round check box that appears next to the name, and then selecting the&nbsp;<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/m365-cc-sc-edit-icon.png?view=o365-worldwide\">&nbsp;<strong>Edit<\/strong>&nbsp;action that appears on the page.<\/li><\/ul><\/li><li>In the details flyout that opens, do the following steps:<ol><li>Verify the&nbsp;<strong>General<\/strong>&nbsp;tab is selected, and then select&nbsp;<strong>Manage email apps settings<\/strong>&nbsp;in the&nbsp;<strong>Email apps &amp; mobile devices<\/strong>&nbsp;section.<\/li><li>In the&nbsp;<strong>Manage settings for email apps<\/strong>&nbsp;flyout that opens, disable all of the available settings by changing the toggles to&nbsp;<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/scc-toggle-off.png?view=o365-worldwide\">&nbsp;<strong>Disabled<\/strong>:<ul><li><strong>Outlook desktop (MAPI)<\/strong><\/li><li><strong>Exchange Web Services<\/strong><\/li><li><strong>Mobile (Exchange ActiveSync)<\/strong><\/li><li><strong>IMAP<\/strong><\/li><li><strong>POP3<\/strong><\/li><li><strong>Outlook on the web<\/strong><\/li><\/ul>When you&#8217;re finished in the&nbsp;<strong>Manage settings for email apps<\/strong>&nbsp;flyout, select&nbsp;<strong>Save<\/strong>, and then select&nbsp;<img decoding=\"async\" 
src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/m365-cc-sc-close-icon.png?view=o365-worldwide\">&nbsp;<strong>Close<\/strong>&nbsp;at the top of the flyout.<\/li><\/ol><\/li><\/ol><\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-6-optional-remove-the-suspected-compromised-account-from-all-administrative-role-groups\">Step 6 Optional: Remove the suspected compromised account from all administrative role groups<\/h3>\n\n\n\n<p>&nbsp;Note<\/p>\n\n\n\n<p>You can restore the user&#8217;s membership in administrative role groups after the account has been secured.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>In the Microsoft 365 admin center at&nbsp;<a href=\"https:\/\/admin.microsoft.com\/\">https:\/\/admin.microsoft.com<\/a>, do the following steps:<ol><li>Go to&nbsp;<strong>Users<\/strong>&nbsp;&gt;&nbsp;<strong>Active users<\/strong>. Or, to go directly to the&nbsp;<strong>Active users<\/strong>&nbsp;page, use&nbsp;<a href=\"https:\/\/admin.microsoft.com\/Adminportal\/Home#\/users\">https:\/\/admin.microsoft.com\/Adminportal\/Home#\/users<\/a>.<\/li><li>On the&nbsp;<strong>Active users<\/strong>&nbsp;page, find and select the user account from the list by doing one of the following steps:<ul><li>Select the user by clicking anywhere in the row other than the check box next to the name. In the details flyout that opens, verify the&nbsp;<strong>Account<\/strong>&nbsp;tab is selected, and then select&nbsp;<strong>Manage roles<\/strong>&nbsp;in the&nbsp;<strong>Roles<\/strong>&nbsp;section.<\/li><li>Select the user by selecting the check box next to the name. 
Select&nbsp;<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/m365-cc-sc-more-actions-icon.png?view=o365-worldwide\">&nbsp;<strong>More actions<\/strong>&nbsp;&gt;&nbsp;<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/m365-cc-sc-manage-roles-icon.png?view=o365-worldwide\">&nbsp;<strong>Manage roles<\/strong>.<\/li><\/ul><\/li><li>In the&nbsp;<strong>Manage admin roles<\/strong>&nbsp;flyout that opens, do the following steps:<ul><li>Record any information that you want to restore later.<\/li><li>Remove administrative role membership by selecting&nbsp;<strong>User (no admin center access)<\/strong>.<\/li><\/ul>When you&#8217;re finished in the&nbsp;<strong>Manage admin roles<\/strong>&nbsp;flyout, select&nbsp;<strong>Save changes<\/strong>.<\/li><\/ol><\/li><li>In the Microsoft 365 Defender portal at&nbsp;<a href=\"https:\/\/security.microsoft.com\/\">https:\/\/security.microsoft.com<\/a>, do the following steps:<ol><li>Go to&nbsp;<strong>Permissions<\/strong>&nbsp;&gt;&nbsp;<strong>Email &amp; collaboration roles<\/strong>&nbsp;&gt;&nbsp;<strong>Roles<\/strong>. Or, to go directly to the&nbsp;<strong>Permissions<\/strong>&nbsp;page, use&nbsp;<a href=\"https:\/\/security.microsoft.com\/emailandcollabpermissions\">https:\/\/security.microsoft.com\/emailandcollabpermissions<\/a>.<\/li><li>On the&nbsp;<strong>Permissions<\/strong>&nbsp;page, select a role group from the list.<\/li><li>Look for the user account in the&nbsp;<strong>Members<\/strong>&nbsp;section of the details flyout that opens. 
If the role group contains the user account, do the following steps:<ol><li>In the&nbsp;<strong>Members<\/strong>&nbsp;section, select&nbsp;<strong>Edit<\/strong>.<\/li><li>On the&nbsp;<strong>Choose members<\/strong>&nbsp;tab of the flyout that opens, select&nbsp;<strong>Edit<\/strong>.<\/li><li>In the&nbsp;<strong>Choose members<\/strong>&nbsp;flyout that opens, select&nbsp;<strong>Remove<\/strong>.<\/li><li>In the&nbsp;<strong>Members<\/strong>&nbsp;section that appears, select the user account by selecting the check box next to the name, select&nbsp;<strong>Remove<\/strong>, and then select&nbsp;<strong>Done<\/strong>.<\/li><li>In the&nbsp;<strong>Editing Choose members<\/strong>&nbsp;flyout, select&nbsp;<strong>Save<\/strong>.<\/li><li>In the role group details flyout, select&nbsp;<strong>Close<\/strong>.<\/li><\/ol><\/li><li>Repeat the previous steps for each role group in the list.<\/li><\/ol><\/li><li>In the Exchange admin center at&nbsp;<a href=\"https:\/\/admin.exchange.microsoft.com\/\">https:\/\/admin.exchange.microsoft.com\/<\/a>, do the following steps:<ol><li>Go to&nbsp;<strong>Roles<\/strong>&nbsp;&gt;&nbsp;<strong>Admin roles<\/strong>. Or to go directly to the&nbsp;<strong>Admin roles<\/strong>&nbsp;page, use&nbsp;<a href=\"https:\/\/admin.exchange.microsoft.com\/#\/adminRoles\">https:\/\/admin.exchange.microsoft.com\/#\/adminRoles<\/a>.<\/li><li>On the&nbsp;<strong>Admin roles<\/strong>&nbsp;page, select a role group from the list by clicking anywhere in the row other than the round check box that appears next to the name.<\/li><li>In the details flyout that opens, select the&nbsp;<strong>Assigned<\/strong>&nbsp;tab, and then look for the user account. 
If the role group contains the user account, do the following steps:<ol><li>Select the user account.<\/li><li>Select the&nbsp;<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/m365-cc-sc-delete-icon.png?view=o365-worldwide\">&nbsp;<strong>Delete<\/strong>&nbsp;action that appears, select&nbsp;<strong>Yes, remove<\/strong>&nbsp;in the warning dialog, and then select&nbsp;<img decoding=\"async\" src=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/media\/m365-cc-sc-close-icon.png?view=o365-worldwide\">&nbsp;<strong>Close<\/strong>&nbsp;at the top of the flyout.<\/li><\/ol><\/li><li>Repeat the previous steps for each role group in the list.<\/li><\/ol><\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"step-7-optional-additional-precautionary-steps\">Step 7 Optional: Additional precautionary steps<\/h3>\n\n\n\n<ol class=\"wp-block-list\"><li>Verify the contents of the\u00a0<strong>Sent items<\/strong>\u00a0folder of the account in Outlook or Outlook on the web. You might need to inform people in your contacts list that your account was compromised. For example, the attacker might have sent messages asking your contacts for money, or the attacker might have sent a virus to hijack their computers.<\/li><li>The accounts for any other services that use this account as an alternative email account might have also been compromised. 
After you do the steps in this article for the account in this Microsoft 365 organization, do these steps for your other accounts.<\/li><li>Verify the contact information (for example, telephone numbers and addresses) of the account.<\/li><\/ol>\n\n\n\n<p>Ref: <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/office-365-security\/responding-to-a-compromised-email-account?view=o365-worldwide\">Responding to a Compromised Email Account | Microsoft Learn<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Even after the user regains access to their account, the attacker might have left back-door entries that allow the attacker to resume control of the account. Do&nbsp;all&nbsp;of the following steps to regain control of the account. Go through the steps as soon as you suspect a problem and as quickly as possible to make sure <a class=\"read-more\" href=\"https:\/\/SUMMALAI.COM\/?p=4834\">Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1249,10,18],"tags":[1649,1648],"class_list":["post-4834","post","type-post","status-publish","format-standard","hentry","category-azure-microsoft","category-microsoft","category-microsoft-office","tag-restore-a-compromised-microsoft-365-mailbox","tag-restore-email-function-to-a-compromised-microsoft-365-mailbox"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4834","targetHints"
:{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4834"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4834\/revisions"}],"predecessor-version":[{"id":4835,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4834\/revisions\/4835"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4834"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4834"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4834"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}