How to deal with a compromised Microsoft 365 account

What takes years to build, but seconds to destroy? A reputation!

Cybersecurity is becoming increasingly important to every company, regardless of size, equipment, or industry.

Phishing accounts for ~90% of all data breaches worldwide. Every day thousands are tricked into giving up sensitive data such as login details, payment information, or personally identifiable information (PII).

With the right protocols and training in place, the likelihood of a successful attack, its consequences, and the potential damage caused can be reduced tremendously.



How do I know I’ve been compromised?


  1. Emails disappearing suspiciously, expected emails not arriving in the Inbox folder
  2. Unexpected/unknown items appear in “Sent Items” or “Deleted” folder
  3. Unknown rules set up in Outlook (potentially deleting or moving emails to RSS feeds, Junk email, or another folder)
  4. A colleague or client asks about an email from your account which you haven’t sent
  5. Emails fail to send with the error “550 5.1.8 Access denied, bad outbound sender.” (see step 6*)



How do I secure a compromised account?

(admin permissions necessary)

  1. Reset the user’s password in the 365 admin centre
    – Ensure the new password is unique, and not used on other sites
    – Ensure the new password is complex and has a variety of characters/symbols
  2. Block sign-ins to the account for 1 hour
  3. Remove email forwarding: 365 Admin Centre > Select affected user > Mail > Manage email forwarding
  4. Check for mail rules in Outlook desktop app & Outlook web app
    – Browse to mail rules logged in as the affected account, delete any undesired/unknown ones
    – Open Outlook desktop app, choose File > Info > Manage Rules & Alerts, delete any undesired rules
  5. Enable Multi-factor Authentication. Register a device at
  6. *If you’re unable to send emails and are receiving the “550 5.1.8 Access denied, bad outbound sender.” non-delivery report:
    – Go to the Security centre’s Restricted Users page
    – Select the account and choose “unblock”
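
Steps 3 and 4 can also be checked from Exchange Online PowerShell, which shows mailbox forwarding and every inbox rule in one pass. This is an added example, not part of the original guide; it assumes the ExchangeOnlineManagement module is installed and that you sign in with an Exchange admin role, and `$Upn` stands for the affected user's address.

```powershell
# Added example: read-only audit of forwarding and inbox rules for one mailbox.
# Assumption: ExchangeOnlineManagement is installed; $Upn is the affected user.
param(
    [Parameter(Mandatory)] [string] $Upn
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Step 3: mailbox-level forwarding. Any non-empty value here means mail
# is being copied or redirected to another recipient.
Get-Mailbox -Identity $Upn |
    Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Step 4: inbox rules. Flag every rule that forwards, redirects, deletes,
# or moves mail (for example into RSS Feeds or Junk Email).
$rules   = @(Get-InboxRule -Mailbox $Upn)
$suspect = @($rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MoveToFolder
})

"{0} rule(s) found, {1} need review" -f $rules.Count, $suspect.Count
$suspect | Format-List Name, Enabled, Priority, Description,
    ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder

# Remediation, once the output above has been reviewed with the user.
# -WhatIf only prints what would change; remove it to apply.
Set-Mailbox -Identity $Upn -ForwardingAddress $null `
    -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false -WhatIf
foreach ($rule in $suspect) {
    Remove-InboxRule -Mailbox $Upn -Identity $rule.Identity -WhatIf
}

Disconnect-ExchangeOnline -Confirm:$false
```

Not every flagged rule is malicious: users often create their own move-to-folder rules, so confirm each one with the account owner before removing it.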

Your Office 365 account should now be fully secure and operational again. With Multi-Factor Authentication enabled, your account cannot be logged into without both your password and access to your authentication phone.


Tips for maximum security


Don’t…
  • …open email attachments you weren’t expecting to receive
  • …log into a website without checking the URL bar for the correct domain and an SSL/padlock symbol
  • …share your passwords with anyone


Do…
  • …ensure your passwords are complex, unique, and not in use across several sites
  • …use Multi-Factor Authentication wherever possible
  • …phone directly (or use original contact methods) to verify changes to payment info
  • …be wary of anything encouraging you to act urgently


Consider…
  • …cyber training for your employees
  • …pentesting or a phishing awareness campaign
  • …a “cyber essentials” certification for your company