One of the most common security support requests we receive from our Office 365 customers is for assistance with remediating an account compromise. The most common scenario is that a member of their organization became the victim of a phishing scam and the attacker obtained the password for their account. (Note: If you are not an admin, please read How to determine whether your Office 365 account has been compromised instead.) If you believe an account (or multiple accounts) has been compromised because you have seen suspicious behaviors such as emails in the 'Sent Items' folder that were not sent by the account owner, mail forwarding rules being added, credential changes, a high number of failed logins, profile changes, or email signature changes, you can follow the guidance provided below.
Verify that the user's machine is not compromised
Make sure the user has anti-malware software installed, running, and up to date. If you do not have anti-malware software installed, you can download a free solution from the Microsoft Protection Center. You can also use the Malicious Software Removal Tool to scan the computer for malware. In cases where these recommendations are not enough, you should follow the Advanced Troubleshooting steps.
Remediate the affected account and improve your security posture
There are two options for doing this:
Option 1: Run the RemediateBreachedAccount.ps1 PowerShell script against each compromised account
The 'RemediateBreachedAccount.ps1' script remediates the compromised accounts and removes any standing access the attacker has to them. It performs the following actions:
- Reset password (this secures the account and kills active sessions).
- Remove mailbox delegates.
- Disable mail forwarding rules to external domains.
- Remove global mail forwarding property on mailbox.
- Enable Multi-Factor Authentication (MFA) on the user's account.
- Set password complexity on the account to be high.
- Enable mailbox auditing.
- Produce Audit Log for the admin to review.
Option 2: Manually remediate the attack
If you prefer to select the remediation actions yourself instead of running the script provided in Option 1, follow these steps:
Reset the user(s) password
Resetting the password does not only change the password to secure the account; it also kills any active sessions. You can learn more about how to reset a password here: Admins: Reset a password for one or more users in Office 365.
Remove mailbox delegates
Delegation is when you allow another user or admin to access your mail or calendar. Attackers sometimes use this feature to retain access to your mail after the password has been changed. You can learn more about how to configure delegate access here: Configuring delegate access in Outlook Web App
Disable mail forwarding rules to external domains, global mail forwarding property and any bogus forwarding rule created by an attacker
Like delegation, attackers can leverage this functionality to retain access to your mail. You should:
- Review and remove any anomalous forwarding rules the attacker created
- Disable mail forwarding rules to external domains
- Remove any global mail forwarding rules created by the attacker
- For additional guidance, especially if the compromised account had admin rights, please take a look at the following article: Exchange and Office 365: Mail Forwarding
Enable Multi-Factor Authentication (MFA) on the user's account.
MFA is a method of authentication that requires the use of more than one verification method. Enabling it will significantly reduce the risk of the account being compromised in the future. To learn more about this feature, you can take a look at Exchange and Office 365: Mail Forwarding and What is Azure Multi-Factor Authentication?
Set password complexity to high and expiration date
Configuring accounts to use strong passwords and setting the password expiration policy is a security best practice, and it is particularly important if the user does not have MFA enabled. The easiest way to do this is by running the following PowerShell command (after connecting with Connect-MsolService):
$upn = "user@contoso.com"   # placeholder: UserPrincipalName of the compromised account
Set-MsolUser -UserPrincipalName $upn -StrongPasswordRequired $True
Enable mailbox auditing and review the audit log
Once mailbox auditing is enabled, you will be able to monitor the user's activity going forward, which also allows you to identify anomalous activity in your tenant. To enable mailbox auditing and learn more about how to identify anomalous activity, please take a look at the Using Office 365 activity data to improve your Cybersecurity stance and capability and Finding Illicit Activity The Old Fashioned Way blog posts.
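As an added example (this is not the Office 365 team's RemediateBreachedAccount.ps1, whose contents are not shown on this page), the following PowerShell script carries out the Option 1 actions one by one, in the order of the manual steps above, for a single account. It assumes the MSOnline and ExchangeOnlineManagement modules are loaded, that an admin has already run Connect-MsolService and Connect-ExchangeOnline, and that $Upn and $ReportPath are placeholder parameters.

```powershell
# Added example, not the Office 365 team's RemediateBreachedAccount.ps1. Assumes the MSOnline and
# ExchangeOnlineManagement modules are loaded and Connect-MsolService / Connect-ExchangeOnline have run.
param(
    [Parameter(Mandatory = $true)][string] $Upn,                      # compromised account (placeholder)
    [string] $ReportPath = ".\audit-$($Upn -replace '[@.]', '_').csv"  # where the audit export goes
)

# 1. Reset the password to a random temporary value that must be changed at next sign-in.
#    Resetting also invalidates the attacker's active sessions.
$bytes = New-Object byte[] 18
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Set-MsolUserPassword -UserPrincipalName $Upn -NewPassword $tempPassword -ForceChangePassword $true | Out-Null

# 2. Remove explicit mailbox delegates (inherited and built-in NT AUTHORITY entries are kept).
Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    ForEach-Object {
        Remove-MailboxPermission -Identity $Upn -User $_.User -AccessRights $_.AccessRights -Confirm:$false
    }

# 3. Disable every inbox rule that forwards or redirects mail to a domain the tenant does not own.
$ownDomains = (Get-AcceptedDomain).DomainName
foreach ($rule in Get-InboxRule -Mailbox $Upn) {
    $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
    # Recipients render as '"Name" [SMTP:user@domain]'; capture the domain part and compare it.
    $external = $targets | Where-Object { $_ -match 'SMTP:[^\]]+@([^\]]+)\]' -and $Matches[1] -notin $ownDomains }
    if ($external) {
        Write-Warning "Disabling rule '$($rule.Name)' -> $($external -join ', ')"
        Disable-InboxRule -Identity $rule.Identity -Mailbox $Upn -Confirm:$false
    }
}

# 4. Clear the global forwarding property set on the mailbox itself.
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 5. Require MFA for the account.
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'; $mfa.State = 'Enabled'
Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @($mfa)

# 6. Enforce a strong password and make sure it expires with the tenant policy.
Set-MsolUser -UserPrincipalName $Upn -StrongPasswordRequired $true -PasswordNeverExpires $false

# 7. Turn on mailbox auditing and export the last 30 days of this user's activity for review.
Set-Mailbox -Identity $Upn -AuditEnabled $true
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds $Upn -ResultSize 5000 |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Temporary password: $tempPassword   Audit export: $ReportPath"
```

Step 3 only disables rules so that you can still inspect them; the audit export in step 7 is where you look for the sign-in and rule-creation events that reveal how long the attacker had access.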
Provide security awareness and education
Please let us know what you think about this blog post. Do you have suggestions for security related blog posts you'd like to see? Let us know
Note: This article content was updated on 07 AUG 16 with new and updated content provided by members of the Office 365 security team. Two major updates were: (1) Additional option which allows you to use a script to remediate a compromised account instead of performing all the steps manually and (2) Additional steps in the case the account compromised had administrator privileges.