How to Recover a Compromised Mailbox in Microsoft 365
- Hanna Korotka
- Apr 10
- 3 min read

Email remains a prime target for cybercriminals seeking to steal data, disrupt operations, or trick your employees into compromising even more accounts. As a Microsoft Cloud MSSP, PlexHosted is here to help guide you through the steps to recover a compromised mailbox in Microsoft 365. By following Microsoft’s best practices—and our recommendations below—you can quickly regain control of your environment and strengthen your defenses.
Common Symptoms of a Compromised Microsoft 365 Email Account
Identifying suspicious activity early is critical. Some telltale signs that a mailbox may be compromised include:
Failure Sending Email: The mailbox is blocked from sending email.
Unexpected Inbox Behavior: Missing, deleted, or automatically forwarded messages.
New Inbox Rules: Strange rules forwarding emails to external addresses, automatically deleting certain messages, or sending auto-replies.
Sign-In Activity from Unknown Locations: Alerts about sign-ins from suspicious IP addresses or locations where the user doesn’t work or travel.
Outbox Sending Spam or Phishing: Your contacts receive emails asking them to click unusual links or send money.
Denied Access to the Account: The legitimate user can’t log in, potentially indicating password changes by the attacker.
Multiple Security Alerts: Security tools like Microsoft Defender warn of possible malicious activity from the user’s mailbox.
If you’ve noticed any of these signs, it’s time to act fast.
Step-by-Step Recovery of a Compromised Mailbox
Keep in mind that speed is crucial. The sooner you follow these steps, the less time an attacker has to exploit your environment.
1. Block Sign-In and Reset Password
Block Sign-In: Temporarily disable the user’s sign-in to prevent further unauthorized access.
Reset the Password: Choose a strong, unique password that hasn’t been used before.
This cuts off the attacker’s immediate access and helps you regain initial control of the mailbox.
2. Remove Suspicious Inbox Rules
Attackers frequently create auto-forwarding or auto-delete rules so they can maintain access or hide traces of their activity.
Review inbox rules in Outlook.
Delete any unfamiliar or suspicious rules that you didn’t create.
3. Clear Sessions and Force Re-Authentication
Make sure the user is completely logged out across all devices and sessions.
Revoke sessions in the Entra ID portal.
4. Check and Remove Forwarding Addresses
In some attacks, forwarding addresses are set at the tenant or mailbox level.
Review external forwarding settings in Exchange admin center.
Delete any unauthorized external forwarding addresses.
5. Review Sign-In and Audit Logs
Understanding how, when, and where the breach occurred is critical for preventing future compromises.
Check audit logs in the Microsoft 365 Defender portal or Entra ID to pinpoint sign-in anomalies.
Document suspicious IP addresses or sign-in patterns that indicate the attacker’s location or method.
6. Scan for Malicious Email and Malware
Use Microsoft Defender to identify and quarantine suspicious messages.
Run a content search or use the Threat Explorer to locate malicious emails still in mailboxes.
Submit messages that match the attacker’s campaign to Microsoft.
7. Strengthen Multi-Factor Authentication (MFA)
Weak authentication is a common reason accounts get compromised.
Enable or enforce MFA for all employees, especially high-privilege users and mailbox owners.
Consider disabling weaker methods like SMS or Voice. Instead, encourage using Authenticator apps or hardware security keys.
8. Communicate with the Affected User (and Possibly Others)
If the breach impacted multiple people—e.g., if the compromised account sent phishing emails—notify them to watch out for suspicious activity.
Advise the user about new sign-in instructions and best practices.
If the user accessed email via a personal computer or mobile device, consider performing anti-malware scans on those endpoints, too.
Remove the user from the Restricted entities page in the Defender portal.
Encourage them to change passwords on other linked accounts in case of credential reuse.
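The containment part of the procedure above (steps 1 to 5) scripted in PowerShell, as an added example that is not part of the original post or of PlexHosted’s tooling. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the operator holds the admin roles these cmdlets need, and that $Upn is the affected user; suspicious rules are disabled rather than deleted so an admin can review them first.

```powershell
# Added example: contain one compromised mailbox with Microsoft Graph PowerShell
# and Exchange Online PowerShell. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and the operator has admin rights.
param(
    [Parameter(Mandatory)] [string] $Upn,   # affected user, e.g. user@contoso.com
    [int] $LookbackDays = 14                # audit window for step 5
)
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# Step 1: block sign-in and set a random password the user must change at next sign-in.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -AccountEnabled:$false -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# Step 3: invalidate refresh tokens so every signed-in session must re-authenticate.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# Step 2: find inbox rules that forward, redirect or delete mail and disable them
# for review (an admin confirms and deletes them afterwards with Remove-InboxRule).
$suspect = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
foreach ($rule in $suspect) {
    Write-Host "Disabling rule '$($rule.Name)': $($rule.Description)"
    Disable-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false
}

# Step 4: clear mailbox-level forwarding set through Exchange rather than Outlook rules.
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# Step 5: pull the user's sign-ins and rule/mailbox changes from the unified audit log
# and keep the client IPs for the incident record.
$end   = Get-Date
$start = $end.AddDays(-$LookbackDays)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $Upn -ResultSize 5000 `
    -Operations 'UserLoggedIn', 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ Time = $_.CreationDate; Operation = $_.Operations
                           ClientIP = $d.ClientIP; Result = $d.ResultStatus }
    } | Export-Csv -Path ".\$($Upn)-audit.csv" -NoTypeInformation
```

Re-enable the account (Update-MgUser -AccountEnabled:$true) only after the audit export has been reviewed and the remaining steps are complete.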
Prevent Future Compromises
Once you’ve secured the mailbox, take time to fortify your organization’s security posture:
Enable Conditional Access policies that require MFA, apply risk-based sign-in controls, and follow Microsoft’s other recommended policies.
Implement Continuous Monitoring with automated alerts in Microsoft 365 Defender.
Educate Employees on phishing awareness and reporting suspicious messages.
Use Microsoft Defender for Office 365 for real-time scanning of email attachments and links.
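A tenant-wide hunt for the forwarding symptom this post describes, as an added example for the continuous-monitoring item above; it is not code from the original post or from PlexHosted. It assumes the ExchangeOnlineManagement module and an Exchange admin role, and it only reports findings so each one can be checked by hand.

```powershell
# Added example: report every mailbox-level forward and inbox rule that sends mail to a
# domain the tenant does not own. Assumes ExchangeOnlineManagement and an Exchange admin.
Connect-ExchangeOnline -ShowBanner:$false
$internalDomains = (Get-AcceptedDomain).DomainName
$findings = [System.Collections.Generic.List[object]]::new()

# Return the external SMTP domains in a rule's recipient list. Exchange renders internal
# recipients as "[EX:/o=...]" legacy DNs and external ones as "[SMTP:address]".
function Get-ExternalDomains([string[]] $Recipients) {
    foreach ($r in $Recipients) {
        if ($r -match '\[SMTP:[^\]]+@([^\]]+)\]' -and $Matches[1] -notin $internalDomains) {
            $Matches[1]
        }
    }
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Mailbox-level forwarding (step 4 of the recovery procedure)
    if ($mbx.ForwardingSmtpAddress) {
        $domain = ($mbx.ForwardingSmtpAddress -replace '^smtp:', '').Split('@')[-1]
        if ($domain -notin $internalDomains) {
            $findings.Add([pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'Mailbox'
                                              Name = 'ForwardingSmtpAddress'; External = $domain })
        }
    }
    # Inbox rules that forward or redirect outside the tenant (step 2)
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $ext = Get-ExternalDomains ($rule.ForwardTo + $rule.ForwardAsAttachmentTo + $rule.RedirectTo)
        if ($ext) {
            $findings.Add([pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                                              Name = $rule.Name; External = ($ext -join ',') })
        }
    }
}
$findings | Export-Csv -Path '.\external-forwarding.csv' -NoTypeInformation
$findings | Format-Table -AutoSize
```

Scheduling this daily and diffing the CSV against the previous run turns a one-off check into the automated alert the list item calls for.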
How PlexHosted Can Help
At PlexHosted, we specialize in managed security solutions for Microsoft 365. From detecting early signs of compromise to guiding you through full mailbox recovery, our experts can help fortify your environment against evolving threats. Reach out to us today if you’d like personalized assistance with incident response or broader security strategies for your Microsoft 365 setup.