Skip to main content

Response to Compromised or Breach Email (in progress)

If a user has their email and/or password compromised, please follow the instructions below as quickly as possible to secure the account.

  1.    Reset User Password in the Office 365 admin page, Admin Portal Users>Active Usersimage.png
  2.    Sign user out of every Office 365 session
    image-1659045944258.png    

3.    Setup MFA
4.    Reset MFA if it was already setup
image-1659045948531.png    
5.    Look at sign in logs and take note of irrugular locations.
    

image-1659045952016.png


    
6.    Look in Outlook or OWA for any odd rules redirecting emails or deleting emails.
7.    Look for any Registered devices in Azure that aren't good devices
8.    If user is a Global Admin go to next section

 

Was the User a Global Admin?
1.    Verify if the user needs to be a Global Admin
2.    Remove all unnecessary Global Admins
3.    Look for any outbound connectors in Exchange that don't belong
4.    Look for any rules in Exchange that don't belong
5.    Verify all users have MFA enabled

Back to top