Email compromise is one of the most common cybersecurity incidents affecting businesses today. If your Microsoft 365 account has been hacked, attackers can send fraudulent emails, steal sensitive data and damage your company's reputation.
The good news? It can be fixed, and prevented.
This guide walks you through how to respond properly and secure your environment.
Signs Your Microsoft 365 Account Has Been Compromised
- Emails sent without your knowledge
- Password suddenly stops working
- Login alerts from unfamiliar countries
- Inbox rules forwarding or deleting emails secretly
- Customers reporting suspicious messages
- MFA prompts the user did not initiate
- MFA methods or devices registered that the user did not add
If you notice even one of these, act immediately.
Step 1: Reset the Password (Immediately)
Go to:
https://admin.microsoft.com
- Change the user password
- Select Sign out of all sessions (do this after the reset: it revokes the refresh tokens the attacker is holding, which a password change alone does not; access tokens already issued keep working until they expire, up to about an hour)
- Force password reset at next login
Use a strong password:
- At least 12 to 16 characters
- Mix of upper/lowercase, numbers, symbols
- Unique: never one the user has used on another site
Step 2: Enable Multi-Factor Authentication (MFA)
If MFA was not enabled, a stolen or guessed password was almost certainly all the attacker needed.
In Microsoft Entra Admin Center:
- Users → Per-user MFA
- Enable for all users
Per-user MFA is the legacy setting. If the tenant has no Conditional Access licence, turn on Security defaults instead; with Entra ID P1, use a Conditional Access policy that requires MFA for all users, which is what Microsoft now recommends.
Before trusting MFA on the hacked account, review the user's registered authentication methods (Entra → Users → select the user → Authentication methods) and remove any phone number or Authenticator app the user did not add. Attackers register their own method precisely so that a password reset does not lock them out.
Use:
- Microsoft Authenticator (recommended), with number matching
- Not SMS or voice call where you can avoid them
Microsoft's own figures put the share of automated account attacks stopped by MFA above 99%. It is not a complete answer on its own: adversary-in-the-middle phishing pages and MFA-fatigue prompt floods defeat push and SMS factors, so move administrators and finance staff to phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) as soon as you can.
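The containment in Steps 1 and 2 can be scripted so that nothing is forgotten under pressure. The following is an added example, not from the original article, using the Microsoft Graph PowerShell SDK (Microsoft.Graph module); the UPN, the admin account's role and the scopes requested are assumptions, and the cmdlets are the SDK's own.

```powershell
# Added example (not from the original article): contain a compromised user with
# Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is installed and the
# operator holds a role such as User Administrator or Authentication Administrator.
# 'compromised.user@contoso.com' is a placeholder UPN.
$upn = 'compromised.user@contoso.com'

# Directory.AccessAsUser.All is needed for a delegated update of passwordProfile.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All', 'UserAuthenticationMethod.ReadWrite.All'
$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, DisplayName

# 1. Reset the password in the admin center (or out-of-band), then force another change
#    at next sign-in so the value you handed to the user is short-lived.
Update-MgUser -UserId $user.Id -PasswordProfile @{ ForceChangePasswordNextSignIn = $true }

# 2. Revoke refresh tokens. Run this AFTER the reset: the attacker's cached sessions keep
#    working through a password change alone. Already-issued access tokens remain valid
#    until they expire (about an hour), so watch the sign-in log for that window.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. List every registered MFA / recovery method. A phone number or Authenticator
#    registration the user does not recognise is the attacker's persistence.
Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
    $props = $_.AdditionalProperties
    [pscustomobject]@{
        Type    = ($props['@odata.type'] -replace '^#microsoft\.graph\.', '')
        Id      = $_.Id
        Details = ($props.GetEnumerator() |
                   Where-Object { $_.Key -in 'phoneNumber', 'phoneType', 'displayName', 'emailAddress', 'deviceTag', 'createdDateTime' } |
                   ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    }
} | Format-Table -AutoSize

# 4. Remove anything the user did not add, using the Id from step 3, for example:
#    Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId '<id>'
#    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId '<id>'
```

Confirm the list of methods with the user before deleting anything: removing the only registered method forces re-registration, which is exactly what you want for a rogue entry and exactly what you do not want for the user's real phone.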
Step 3: Check for Malicious Inbox Rules
Attackers create rules to hide their activity: replies to the fraudulent emails are deleted or moved before the user sees them, and copies of incoming mail are forwarded outside the tenant.
In Outlook Web:
- Settings → Mail → Rules
Delete any:
- Auto-forward rules
- Delete/mark-as-read rules
- Suspicious redirects, including rules named with a single character or a dot
Also check:
- Forwarding settings (mailbox-level forwarding set in the Exchange admin center does not appear in the user's rules list)
- POP/IMAP settings (disable them unless the user genuinely needs them; fewer protocols means fewer ways to pull mail out of the mailbox)
Some attacker rules are hidden and never show up in Outlook at all; only Exchange Online PowerShell (Get-InboxRule with -IncludeHidden) or MFCMAPI reveals them.
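Everything in Step 3 can be checked and cleaned from Exchange Online PowerShell, which also shows the hidden rules Outlook on the web omits. The following is an added example, not from the original article; it uses the ExchangeOnlineManagement module, and the UPNs and the heuristics for "suspicious" are assumptions you should tune to your tenant.

```powershell
# Added example (not from the original article): find and remove attacker persistence
# in a mailbox with the ExchangeOnlineManagement module. UPNs are placeholders.
$upn = 'compromised.user@contoso.com'
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# All inbox rules, including hidden ones that Outlook on the web does not display.
$rules = Get-InboxRule -Mailbox $upn -IncludeHidden

# Heuristics for attacker rules: forward/redirect out, delete or mark-as-read, move into
# a folder nobody reads, or a throwaway name such as "." or "..".
$suspect = $rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MarkAsRead -or
    ($_.MoveToFolder -and $_.MoveToFolder -match 'RSS|Archive|Junk|Conversation History|Deleted Items') -or
    $_.Name.Trim().Length -le 2
}
"== Suspicious inbox rules for $upn =="
$suspect | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MarkAsRead, MoveToFolder, Description | Format-List

# Mailbox-level forwarding lives on the mailbox object, not in the rules list.
"== Mailbox forwarding =="
Get-Mailbox -Identity $upn | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Legacy protocols that let mail be pulled out of the mailbox.
"== Protocol settings =="
Get-CASMailbox -Identity $upn | Select-Object PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

# Remediate once the user has confirmed the rules are not theirs.
$suspect | ForEach-Object { Remove-InboxRule -Mailbox $upn -Identity $_.Identity -Confirm:$false }
Set-Mailbox -Identity $upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Set-CASMailbox -Identity $upn -PopEnabled $false -ImapEnabled $false

# Tenant-wide sweep: one compromised mailbox often means others, so list every mailbox
# that forwards anywhere and review each entry.
"== All mailboxes with forwarding configured =="
Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, ForwardingAddress |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress
```

Export the output of the review commands before you run the remediation lines; the rule names, target folders and forwarding addresses are evidence for the incident record and for notifying contacts in Step 7.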
Step 4: Review Sign-In Logs
In Microsoft Entra:
- Monitoring → Sign-in logs
Filter on the affected user and look for:
- Sign-ins from countries or cities where the user does not work
- IP addresses that do not belong to your offices, ISP or VPN
- Legacy (basic) authentication clients such as POP3, IMAP4, SMTP AUTH or Exchange ActiveSync, which cannot prompt for MFA
- The first suspicious success, which tells you how long the attacker has had access and how far back to review sent mail
Block suspicious locations using:
Conditional Access Policies (requires Entra ID P1, which Microsoft 365 Business Premium includes)
Country blocks slow an attacker down rather than stop them, because they route through VPNs and residential proxies in your own country; pair them with a policy that blocks legacy authentication outright and one that requires MFA for every user.
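The sign-in log review above is easier to do in bulk than by scrolling the portal. The following is an added example, not from the original article, using the Microsoft Graph PowerShell Reports cmdlets; the UPN and the 30-day window are assumptions, and the legacy client names are the values Entra itself reports in the clientAppUsed field.

```powershell
# Added example (not from the original article): pull one user's Entra sign-in logs
# with the Microsoft.Graph.Reports cmdlets and summarise where the account was used
# from. The UPN is a placeholder. Default retention is 7 days on the free tier and
# 30 days with Entra ID P1/P2, so run this early in the investigation.
$upn   = 'compromised.user@contoso.com'
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"

# Successful sign-ins by country and source IP. Anything outside the user's normal
# footprint is the attacker, and the first-seen time bounds the compromise window.
"== Successful sign-ins by country / IP =="
$signIns | Where-Object { $_.Status.ErrorCode -eq 0 } |
    Group-Object { "$($_.Location.CountryOrRegion) / $($_.IPAddress)" } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'FirstSeen'; e = { ($_.Group | Sort-Object CreatedDateTime | Select-Object -First 1).CreatedDateTime } },
        @{ n = 'Apps';      e = { ($_.Group.AppDisplayName | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Legacy (basic) authentication clients cannot prompt for MFA; a stolen password is all
# they need. These are the clientAppUsed values Entra assigns to them.
$legacy = 'Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
          'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
          'Other clients', 'Outlook Anywhere (RPC over HTTP)', 'POP3', 'SMTP', 'Universal Outlook'
"== Legacy authentication sign-ins =="
$signIns | Where-Object { $_.ClientAppUsed -in $legacy } |
    Select-Object CreatedDateTime, IPAddress, ClientAppUsed,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        @{ n = 'Result';  e = { $_.Status.ErrorCode } } |
    Format-Table -AutoSize

# Failed attempts grouped by IP. A long run of failures from one address before the
# first success is password spraying or brute force, and that IP belongs in a block list.
"== Failed sign-ins by IP (top 10) =="
$signIns | Where-Object { $_.Status.ErrorCode -ne 0 } |
    Group-Object IPAddress | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Drop the userPrincipalName clause from the filter to run the same summary across the whole tenant; an attacker IP that appears against several users tells you the incident is wider than one mailbox.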
Step 5: Scan All Devices
If the credentials were stolen by malware on a device, resetting the password is not enough: an infostealer will capture the new password and the browser's session cookies too, and the account will be taken over again.
Scan:
- Laptops
- Mobile phones
- Tablets
Update:
- Antivirus
- Windows patches
Remove:
- Browser extensions the user does not recognise (malicious extensions are a common way to harvest saved passwords and session cookies)
Step 6: Check Email Authentication Records (Critical)
Many businesses skip this step.
Ensure your DNS has:
SPF
v=spf1 include:spf.protection.outlook.com -all
Add an include for every other service that sends mail as your domain (a marketing or ticketing platform, for example) or that mail will start failing, and keep exactly one SPF record per domain.
DKIM
Enable in the Microsoft Defender portal under Email & collaboration → Policies & rules → Threat policies → DKIM, after publishing the two selector CNAME records (selector1 and selector2) that Microsoft shows you for the domain.
DMARC
v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.com
If the domain has never had DMARC, start at p=none, read the aggregate reports that arrive at the rua address for a few weeks, then move to quarantine and finally reject.
Without SPF/DKIM/DMARC, anyone can spoof your domain. Be clear about what these records cover: they stop third parties from forging mail as your domain, but mail sent from the compromised mailbox itself passes all three checks. This step is prevention for the next attack, not cleanup for this one.
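The three records in Step 6 can be verified from any Windows machine before and after you change DNS. The following is an added example, not from the original article; the domain is a placeholder, Resolve-DnsName comes from the built-in DnsClient module, and the DKIM cmdlets at the end are from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original article): check SPF, DKIM and DMARC for a domain
# and show how DKIM signing is switched on in Exchange Online. 'contoso.com' is a
# placeholder; Resolve-DnsName is the Windows DnsClient cmdlet.
$domain = 'contoso.com'

# Return the TXT strings at a name, joined, one entry per record (filters out CNAMEs
# that Resolve-DnsName returns alongside TXT answers).
function Get-TxtRecord([string]$Name) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { ($_.Strings -join '') }
}

# SPF: exactly one v=spf1 record, Microsoft 365 included, hard fail at the end.
$spf = @(Get-TxtRecord $domain | Where-Object { $_ -like 'v=spf1*' })
if ($spf.Count -ne 1) {
    Write-Warning "SPF: expected exactly one v=spf1 record, found $($spf.Count)"
} elseif ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') {
    Write-Warning "SPF does not include spf.protection.outlook.com: $($spf[0])"
} elseif ($spf[0] -notmatch '-all\s*$') {
    Write-Warning "SPF ends in softfail or neutral rather than -all: $($spf[0])"
} else {
    "SPF OK: $($spf[0])"
}

# DKIM: Microsoft 365 signs with two selectors, each a CNAME to the tenant's
# onmicrosoft.com domain. Both must resolve before signing is enabled.
foreach ($sel in 'selector1', 'selector2') {
    $cname = Resolve-DnsName -Name "$sel._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' }
    if ($cname) { "DKIM $sel -> $($cname.NameHost)" }
    else        { Write-Warning "DKIM: no CNAME published for $sel._domainkey.$domain" }
}

# DMARC: a policy record at _dmarc.<domain> with a reporting address.
$dmarc = Get-TxtRecord "_dmarc.$domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
if (-not $dmarc) {
    Write-Warning "DMARC: no _dmarc.$domain record"
} elseif ($dmarc -match '(^|;)\s*p=none') {
    Write-Warning "DMARC is monitor-only (p=none); move to quarantine, then reject, once reports are clean: $dmarc"
} elseif ($dmarc -notmatch 'rua=') {
    Write-Warning "DMARC has no rua= address, so you will never see the aggregate reports: $dmarc"
} else {
    "DMARC OK: $dmarc"
}

# Once both selector CNAMEs resolve, enable signing (ExchangeOnlineManagement module):
#   Connect-ExchangeOnline
#   Get-DkimSigningConfig -Identity $domain | Select-Object Enabled, Selector1CNAME, Selector2CNAME
#   Set-DkimSigningConfig -Identity $domain -Enabled $true
# Selector1CNAME / Selector2CNAME are the exact targets to publish in DNS.
```

Run the checks from outside your own network as well, or against a public resolver, so that a split-horizon DNS or a cached record does not hide a gap that the rest of the internet can see.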
Step 7: Inform Affected Contacts
Use message trace in the Exchange admin center, together with the mailbox's Sent Items and Deleted Items folders, to list what the attacker sent and to whom, so that you notify the right people.
If spam or fraud emails were sent:
- Notify clients immediately
- Warn them not to click links
- Advise them to ignore fraudulent invoices and to verify any change of bank details by phone
Transparency protects your reputation.
Step 8: Implement Long-Term Protection
Here's what every business should have:
| Security Control | Purpose |
|---|---|
| MFA for all users | Prevents account takeover |
| Conditional Access | Blocks risky logins |
| Anti-phishing policies | Stops malicious emails |
| User training | Reduces phishing success |
| Backup solution | Protects email data |
| Regular audits | Detects hidden threats |
Why Microsoft 365 Accounts Get Compromised
- Weak passwords
- No MFA
- Phishing emails
- Fake Microsoft login pages, including adversary-in-the-middle kits that relay the real sign-in and capture the session cookie after MFA
- Shared passwords across sites
- Legacy authentication enabled
Most breaches are preventable.
Final Thoughts
Microsoft 365 is secure, but only when properly configured.
Email compromise is not just an IT issue; it's a business risk.
A single hacked account can lead to:
- Financial fraud
- Data loss
- Legal exposure
- Reputation damage
The key is proactive security, not reactive cleanup.
Need Professional Help?
At Etuu Technologies, we help organizations:
Secure Microsoft 365
Implement MFA & Conditional Access
Monitor login activity
Perform security audits
Respond to email breaches
Phone: 0716 002 739
Web: www.etuutechnologies.com