
Microsoft 365 Compromised Account
Playbook for Business Leaders & End Users

Your M365 account has been compromised — or you suspect it has. Time matters. Follow this playbook in sequence. Do not try to investigate before you contain.

If you believe a fraudulent payment has been made or client data has been stolen, contact your manager and Melbits immediately. Do not use the compromised account to communicate.
01. Recognise the Signs of Account Compromise

Not every compromise is obvious. Attackers who gain access to your M365 account often stay quiet — monitoring emails, forwarding messages, and waiting for the right moment to commit fraud. Know what to look for.

Immediate Red Flags (High Severity)

  • You can't log in with your normal credentials
  • Colleagues report receiving strange emails from you
  • Emails appear in Sent that you didn't write
  • Password reset emails you didn't request
  • Microsoft alerts you about sign-ins from unknown locations
Subtle Warning Signs (Investigate Further)

  • Emails in your inbox are already marked as read before you have opened them
  • Inbox rules you didn't create (especially rules that forward, redirect, delete or move mail out of sight)
  • Contacts report receiving unusual link or attachment requests from you
  • Microsoft Authenticator approval requests you didn't initiate
  • OneDrive files moved, deleted, or shared without your action
02. Immediate Actions — Do These First

Speed matters. Every minute an attacker has access, they may be forwarding sensitive emails, accessing client data, or preparing a fraud attempt. Follow these steps in order.

1. Contact Your IT Support Immediately

Call Melbits on 1300 635 248. Do this before anything else. Your IT team needs to know immediately so they can begin containment. Do not wait to gather more information first.

Use your mobile phone — not the compromised computer or account — to make this call.
2. Stop Using the Account

Do not log in to your M365 account, send emails, or access SharePoint or OneDrive until IT has confirmed it is safe. Using the account can alert the attacker and may destroy forensic evidence.

3. Do Not Change Your Password Yet

This sounds counterintuitive, but changing your password before IT has investigated tips off the attacker, and on its own it does not end their access: sessions and app tokens that are already signed in keep working, and anything the attacker has set up (forwarding rules, extra MFA methods, registered devices) stays in place. IT needs to reset the password, revoke all active sessions and remove those changes together, so wait for IT to guide this step.

Exception: If IT is unavailable and you have clear evidence of active fraud, change your password immediately and call IT.
4. Alert Your Manager

Inform your manager or a senior colleague by phone or in person. If the attacker has access to your email, they may be impersonating you to others in the organisation right now.

5. Disconnect From the Network (if instructed)

Your IT support may ask you to disconnect your computer from WiFi or unplug the network cable. Do so immediately if asked. This stops any malware on the device from sending more data out or receiving further commands.

03. Who to Contact and When

First: IT Support — Melbits

1300 635 248 — Call immediately. Available during business hours with after-hours emergency support for clients on managed plans.

Second: Your Direct Manager or Business Owner

Notify immediately, especially if you have client-facing responsibilities or handle financial transactions. Do this by phone or in person.

If fraud occurred: Your Bank

If a fraudulent payment has been made or banking credentials may have been exposed, call your bank immediately. Time is critical for payment recall.

If data was exposed: OAIC (Privacy Act Notification)

If personal information was accessed or disclosed, your organisation may have a mandatory notification obligation under the Notifiable Data Breaches scheme of the Privacy Act 1988. IT and management will guide this process.

04. What NOT to Do

These mistakes are common and can significantly worsen the outcome of an incident.

Don't Delete Suspicious Emails

Emails sent by the attacker from your account are forensic evidence. Deleting them may prevent full investigation and could complicate insurance claims.

Don't Reply to the Attacker

If you suspect someone is impersonating you in an email chain, do not reply via email — the attacker may still have access. Contact people by phone.

Don't Try to Investigate Yourself

Accessing sign-in logs, inbox rules, or mailbox settings while the attacker may still be active can tip them off and cause them to escalate or cover tracks.

Don't Approve Unexpected MFA Requests

If you receive an MFA push notification you didn't trigger, deny it and report it to IT immediately. It means someone already has your password and is trying to sign in right now. Attackers often send prompt after prompt hoping you will approve one just to make them stop; keep denying and call IT instead.

Don't Use the Compromised Device to Research the Incident

If your device may be infected with malware (keylogger, RAT), using it to Google what to do or to read this playbook could expose additional information. Use a different device.

Don't Publicly Post About It

Announcing an incident on social media or in public communications before it's contained can damage client trust and may have legal implications. Follow your IT and management team's guidance.

05. Business Communication During an Incident

If your email account is compromised, how do you communicate? Use these alternatives while IT investigates.

📞 Phone First

For urgent communications with colleagues, clients, or suppliers — call them. Verbal confirmation prevents the attacker from intercepting or manipulating email-based responses.

📱 SMS or Personal Email

If you need a written record, use SMS or a personal email account from a separate, uncompromised device to contact people who need to know.

👥 In-Person for Sensitive Matters

For anything involving financial transactions, client data, or significant decisions — communicate in person until your account is confirmed secure.

For any financial instruction during an incident: Never process or approve a payment based solely on an email, even if it appears to come from a manager or known contact. Call to verbally confirm before acting.
06. After the Incident — Recovery Steps

Once IT has contained the incident and confirmed your account is secure, there are steps you need to take to protect yourself and the business going forward.

Change All Passwords

Change passwords for every service you access, not just M365. Start with any account that shares or resembles your M365 password, and with any account whose password reset emails go to the compromised mailbox, since the attacker may have used that mailbox to reset them.

Review What Was Accessed

Work with IT to understand which emails, files, and systems the attacker accessed. This determines notification obligations and further remediation steps.

Check for Ongoing Forwarding Rules

Attackers commonly create inbox rules that silently forward, redirect or delete future emails, or set forwarding on the mailbox itself, so they keep receiving your mail even after the password is reset. IT will check for this, but once the account is restored ask for confirmation that these rules, any mailbox-level forwarding, and any unfamiliar MFA methods or signed-in devices have been removed.
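For the IT responder who performs the check just described (and who is chasing the "inbox rules you didn't create" warning sign from section 01), the following Exchange Online PowerShell sweep is an added example and not code from the Melbits playbook. It assumes the ExchangeOnlineManagement module is installed and the operator holds an Exchange administrator role; `$Mailbox` is a placeholder for the compromised mailbox and the output file name is an arbitrary choice.

```powershell
# Added example (not part of the Melbits playbook): find and neutralise the silent
# forwarding an attacker leaves behind in a compromised Exchange Online mailbox.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
param(
    [Parameter(Mandatory = $true)]
    [string]$Mailbox    # placeholder, e.g. jane.citizen@example.com.au
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Mailbox-level forwarding: set on the mailbox object, never visible in Outlook's rules.
$mbx = Get-Mailbox -Identity $Mailbox
$mbx | Select-Object DisplayName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-List

# 2. Inbox rules that forward, redirect, delete or bury mail.
#    -IncludeHidden also returns rules created via MAPI/EWS that the Outlook Rules
#    dialog does not display.
$suspect = Get-InboxRule -Mailbox $Mailbox -IncludeHidden | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
    ($_.MoveToFolder -and $_.MoveToFolder -match 'RSS|Archive|Junk|Conversation History|Deleted') -or
    $_.Name -match '^[\s.,]*$'      # rules named "." or "," so they blend into the list
}

if ($suspect) {
    $suspect | Format-List Identity, Name, Enabled, Description, ForwardTo, ForwardAsAttachmentTo,
        RedirectTo, DeleteMessage, MoveToFolder, MarkAsRead

    # 3. Preserve the evidence first, then disable (not delete) the rules.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $suspect | Export-Clixml -Path ".\inboxrules-$stamp.xml"   # file name is an arbitrary choice
    foreach ($rule in $suspect) {
        Disable-InboxRule -Identity $rule.Identity -Mailbox $Mailbox -Confirm:$false
    }
}

# 4. Clear mailbox-level forwarding now that it has been recorded in step 1.
if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
    Set-Mailbox -Identity $Mailbox -ForwardingAddress $null -ForwardingSmtpAddress $null `
        -DeliverToMailboxAndForward $false
}

# 5. Tenant-wide: any other mailbox that forwards is worth a second look during the same incident.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingAddress, ForwardingSmtpAddress,
        DeliverToMailboxAndForward |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\Find-Forwarding.ps1 -Mailbox user@example.com.au` (the script name is an assumption). It exports every suspicious rule before disabling it, so the evidence the playbook tells users not to delete survives for the investigation and any insurance claim. Revoking the attacker's active sessions and reviewing registered MFA methods are done in Entra ID and are deliberately not part of this script.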

Complete a Post-Incident Debrief

Work with your manager and IT to document what happened, how the account was compromised, and what controls are being put in place to prevent recurrence.

Consider Notifying Affected Parties

If the attacker accessed emails with client data, supplier bank details, or personal information — notification may be legally required under the Privacy Act. Seek guidance.

Need Help With This Incident?

Melbits provides incident response support for Melbourne businesses. Call us on 1300 635 248 or book a consultation.