Microsoft 365 Compromised Account Playbook outlines a structured approach to handle security incidents involving compromised user accounts. In today’s digital landscape, securing Microsoft 365 accounts is critical to protecting sensitive data and maintaining operational integrity. This playbook provides step-by-step guidance on detecting suspicious activities, containing potential threats, remediating compromised accounts, and implementing preventative measures to reduce future risks. Whether you are managing a small business or a large organization, this guide will help ensure swift and effective action when facing account compromises.
Note: Target audience – Administrators and advance users. Check this playbook if you are a business leader or an end user
1. Detection and Initial Assessment
Goal: Quickly determine if the account is compromised and assess the impact.
1.1 Signs of Compromise:
- Unauthorized login alerts from unfamiliar locations or devices.
- Suspicious activities such as emails being sent without user knowledge, password changes, or access to sensitive files.
- Microsoft 365 Security Alerts (e.g., from Microsoft Defender for Office 365).
- User reports phishing, unusual emails, or blocked access.
1.2 Verification:
- Review recent sign-in activity in the Azure Active Directory (Azure AD) or M365 Security & Compliance Center.
- Check the Sign-in logs for unusual locations, devices, or IP addresses.
- Verify whether MFA (Multi-Factor Authentication) was bypassed or not enabled.
2. Immediate Containment
Goal: Stop any ongoing malicious activity.
2.1 Disable Access:
- Suspend the user account immediately (in the Azure AD or M365 Admin Center) to prevent further unauthorized access.
- If the user is critical and account suspension isn’t feasible, reset the password immediately.
2.2 Revoke Sessions:
- Revoke user sessions from all devices to log out any potentially malicious actors:
- In Azure AD: Go to the User Account -> Sign-ins -> Revoke Sessions.
2.3 Disable Access to Email:
- Stop email forwarding if configured:
- Check and disable any auto-forwarding rules or inbox rules forwarding emails to unfamiliar addresses.
3. Remediation
Goal: Secure the account and prevent future compromises.
3.1 Reset Password:
- Use strong password requirements to reset the user’s password. Ensure the new password is not used elsewhere.
- Force a global sign-out after resetting the password to invalidate any active sessions.
3.2 Enable Multi-Factor Authentication (MFA):
- If MFA was not already enabled, configure MFA for the account. Ensure that MFA policies are applied to all users. NOTE: This is no more optional. MFA is a must.
3.3 Scan for Malware/Phishing:
- Run an anti-malware scan on all devices that accessed the compromised account.
- Review email accounts for suspicious emails, phishing, or malware activity.
3.4 Review Inbox Rules:
- Check the user’s mailbox for any malicious inbox rules (e.g., rules that forward or delete incoming emails (Get-InboxRule command using PowerShell online).
4. Investigation
Goal: Understand how the breach occurred and whether any sensitive data was accessed.
4.1 Check Audit Logs:
- Review the Unified Audit Logs in Microsoft 365 to track any sensitive or suspicious activities:
- File access in OneDrive, SharePoint, or Teams.
- Email send/receive history.
- Admin privilege usage or changes.
4.2 Determine the Root Cause:
- Review phishing emails, credentials exposed through breaches, or weak passwords as possible vectors.
4.3 Assess Data Exposure:
- Investigate if any sensitive data (emails, documents, or shared files) was accessed or exfiltrated.
5. Communication and Notification
Goal: Inform relevant stakeholders and comply with reporting requirements.
5.1 Internal Communication:
- Notify your IT security team and management.
- Instruct affected users on steps they need to take (e.g., verifying their devices and watching for further signs of compromise).
5.2 External Communication:
- If sensitive data or customer information is involved, assess the need for external notification (e.g., to affected clients or regulatory bodies).
- Report the compromise to Microsoft Support if necessary.
6. Post-Incident Actions
Goal: Strengthen security and prevent future incidents.
6.1 Security Hardening:
- Enable MFA across all accounts if not already done.
- Implement Conditional Access Policies to reduce access from risky locations.
6.2 Training & Awareness:
- Conduct security awareness training to ensure users recognize phishing attacks and maintain strong passwords.
6.3 Monitor for Recurrence:
- Set up ongoing security monitoring using tools like Microsoft Defender for Office 365, Azure AD Identity Protection, or Microsoft Cloud App Security to track any suspicious activities.
7. Documentation
Goal: Record the incident details for compliance and future reference.
Maintain a full incident report including timelines, affected accounts, actions taken, and recovery steps.
Use the report to review and improve incident response plans and overall security posture.