What to Do After a Hacked Microsoft 365 Mailbox

A hacked Microsoft 365 mailbox can turn into invoice fraud, data theft, and more phishing in a matter of minutes. The attacker may read mail, hide replies, change forwarding, or use your account to trick customers and coworkers.

If the mailbox belongs to finance, sales, or an executive, treat it like an active security incident. The safest response is fast containment, careful evidence collection, and a full check for persistence before you call the case closed.

Cut off access first

The first job is to stop the attacker from staying inside the account. If you have Microsoft 365 admin access, act right away.

  1. Block the account sign-in in Microsoft Entra ID.
  2. Revoke all sign-in sessions so existing refresh tokens stop working. Access tokens that were already issued stay valid until they expire, typically within about an hour, so keep watching the sign-in log during that window.
  3. Reset the password to a unique one that is not used anywhere else.
  4. Check MFA methods and remove anything the attacker added.
  5. Stop outbound mail if the account is being used to send spam or phishing.
  6. Escalate to your IT admin, MSP, or incident response team if you do not have full admin visibility.
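The six steps above, as an added PowerShell example that is not part of the original article: it blocks sign-in, revokes sessions, resets the password, lists MFA methods for review, cuts client protocol access, and holds any outbound external mail in quarantine, while keeping a timestamped record of what was done. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an operator with the Exchange Administrator and User Administrator (or Global Administrator) roles, and the placeholder values `$Upn` and `$QuarantineRuleName`.

```powershell
# Added example (not from the original article): first-hour containment for one
# compromised mailbox. Assumes Microsoft.Graph and ExchangeOnlineManagement are
# installed and the operator holds Exchange Administrator plus User Administrator
# (or Global Administrator). $Upn and $QuarantineRuleName are placeholders.
$Upn = 'jane.doe@contoso.example'
$QuarantineRuleName = "IR-hold-outbound-$($Upn.Split('@')[0])"

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All','UserAuthenticationMethod.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Every action is written to a timeline so the containment record survives.
$log = [System.Collections.Generic.List[string]]::new()
function Note([string]$msg) {
    $stamp = (Get-Date).ToUniversalTime().ToString('u')
    $log.Add("$stamp $msg"); Write-Host "$stamp $msg"
}

# 1. Block sign-in. This stops new authentications; existing tokens are handled next.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Note "Sign-in blocked for $Upn"

# 2. Revoke refresh tokens and sessions. Already-issued access tokens remain valid
#    until they expire, so the sign-in log still needs watching for a while.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Note "Sign-in sessions revoked"

# 3. Reset the password to a random value that is never reused, and force a change
#    at next sign-in. The value is deliberately not written to the log.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
Note "Password reset (value not logged)"

# 4. List registered MFA methods so anything the attacker added can be removed.
Get-MgUserAuthenticationMethod -UserId $Upn | ForEach-Object {
    $p = $_.AdditionalProperties
    [pscustomobject]@{
        Type = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
        Id   = $_.Id
        Info = (@('phoneNumber','emailAddress','displayName','createdDateTime') |
                Where-Object { $p[$_] } | ForEach-Object { "$_=$($p[$_])" }) -join ' '
    }
} | Format-Table -AutoSize
# To remove a method the user does not recognise, for example a phone method:
#   Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId <Id>
Note "MFA methods listed for review"

# 5. Stop outbound mail: disable every client protocol on the mailbox, and hold any
#    message it still manages to send to external recipients for review.
Set-CASMailbox -Identity $Upn -OWAEnabled $false -ActiveSyncEnabled $false -EwsEnabled $false `
    -MAPIEnabled $false -ImapEnabled $false -PopEnabled $false -SmtpClientAuthenticationDisabled $true
New-TransportRule -Name $QuarantineRuleName -From $Upn -SentToScope NotInOrganization -Quarantine $true `
    -Comments "Incident hold created $((Get-Date).ToUniversalTime().ToString('u'))" | Out-Null
Note "Client access disabled; outbound external mail quarantined by rule '$QuarantineRuleName'"

# 6. Keep the containment timeline next to the evidence collected afterwards.
$log | Set-Content -Path ".\containment-$($Upn.Split('@')[0]).log"
```

Run it once, then hand the generated log file to whoever escalates the case; the transport rule is the one change you remove deliberately, after the mailbox has been declared clean.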

If the compromise touched a shared mailbox, an executive mailbox, or a mailbox tied to payments, move faster. One bad email can turn into a wire transfer request before the morning ends.

Move first, but don't wipe the trail. The details you preserve now will matter later.

If you can, pause normal mailbox cleanup for a few minutes. Do not delete suspicious messages yet. Do not start rearranging folders until you've saved what you need from the original state.

Preserve evidence before making changes

Once access is contained, capture what happened. A good incident record tells you how the attacker got in, what they touched, and whether they left anything behind.

Start with the mailbox itself. Review Sent Items, Deleted Items, Drafts, and Archive for messages the real user did not send. Look for payment changes, password reset notices, and messages with odd wording or links.

Then move into the logs. In Microsoft 365 and Entra ID, pull sign-in history, audit logs, and mailbox activity as soon as possible. Entra sign-in logs are kept for only 7 days on the free tier and 30 days with a Premium license, and unified audit log retention is also finite, so waiting makes the picture blur.

Save these items if you can:

  • Sign-in timestamps and source IP addresses
  • Unusual device names or user agents
  • Forwarding settings and inbox rules
  • Changes to MFA methods or security info
  • New mail flow rules, delegates, or app consents
  • Messages sent to external recipients during the incident
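The log side of this evidence list, as an added PowerShell example that is not part of the original article: it exports the user's Entra sign-ins with a per-IP summary, the unified audit log records that name the user (including admin actions performed on the mailbox), and a message trace of what the account sent, into a timestamped case folder, and seeds the timeline file the next paragraph describes. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an Entra ID P1 or P2 license (Get-MgAuditLogSignIn requires one), unified audit logging turned on, and the placeholders `$Upn`, `$Days`, and `$EvidenceRoot`. The mailbox configuration items on the list (rules, forwarding, delegates, MFA methods, app consents) are covered by the persistence review later on the page.

```powershell
# Added example (not from the original article): collect sign-in, audit and
# message-trace evidence for one mailbox before anything else is changed.
# Assumes Microsoft.Graph and ExchangeOnlineManagement, Entra ID P1/P2 and
# unified audit logging enabled. $Upn, $Days and $EvidenceRoot are placeholders.
$Upn = 'jane.doe@contoso.example'
$Days = 30
$EvidenceRoot = 'C:\IR'

Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$case = Join-Path $EvidenceRoot ("{0}-{1}" -f (Get-Date -Format 'yyyyMMdd-HHmm'), $Upn.Split('@')[0])
New-Item -ItemType Directory -Path $case -Force | Out-Null
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-$Days)

# 1. Entra sign-ins: source IP, client, device, location, risk and CA outcome.
$filter  = "userPrincipalName eq '$Upn' and createdDateTime ge $($start.ToString('yyyy-MM-ddTHH:mm:ssZ'))"
$signIns = @(Get-MgAuditLogSignIn -Filter $filter -All)
$signIns | Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed,
    @{n='Country'; e={ $_.Location.CountryOrRegion }}, @{n='City'; e={ $_.Location.City }},
    @{n='Device';  e={ $_.DeviceDetail.DisplayName }}, @{n='OS'; e={ $_.DeviceDetail.OperatingSystem }},
    @{n='Browser'; e={ $_.DeviceDetail.Browser }}, RiskLevelDuringSignIn, ConditionalAccessStatus,
    @{n='Result';  e={ if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Fail($($_.Status.ErrorCode))" } }} |
    Export-Csv -Path (Join-Path $case 'signins.csv') -NoTypeInformation

# Per-IP summary of successful sign-ins: an unfamiliar address with a recent
# FirstSeen is usually the attacker's.
$signIns | Where-Object { $_.Status.ErrorCode -eq 0 } | Group-Object IpAddress | ForEach-Object {
    $t = @($_.Group.CreatedDateTime | Sort-Object)
    [pscustomobject]@{
        Ip = $_.Name; Count = $_.Count; FirstSeen = $t[0]; LastSeen = $t[-1]
        Country = ($_.Group.Location.CountryOrRegion | Select-Object -Unique) -join ','
    }
} | Sort-Object FirstSeen | Export-Csv -Path (Join-Path $case 'signin-ips.csv') -NoTypeInformation

# 2. Unified audit log. Actions the user took carry their UPN in UserIds; actions an
#    attacker-controlled admin took *on* the mailbox carry the admin's UPN, so a
#    free-text search for the address is run as well and the two are de-duplicated.
function Get-AllAuditRecords([hashtable]$query) {
    $session = "ir-$(Get-Random)"
    do {
        $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end -SessionId $session `
                     -SessionCommand ReturnLargeSet -ResultSize 5000 @query
        if ($batch) { $batch }
    } while ($batch)
}
$audit = @(Get-AllAuditRecords @{ UserIds = $Upn }) + @(Get-AllAuditRecords @{ FreeText = $Upn }) |
    Sort-Object Identity -Unique
$audit | Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
    Export-Csv -Path (Join-Path $case 'unified-audit.csv') -NoTypeInformation

# Operations worth reading first: rule changes, permission grants, consent, mail access.
$audit | Where-Object { $_.Operations -match 'InboxRule|Set-Mailbox|MailboxPermission|RecipientPermission|Consent to application|MailItemsAccessed|^Send|security info' } |
    Sort-Object CreationDate | ForEach-Object { "{0:u}  {1,-28} {2}" -f $_.CreationDate, $_.Operations, $_.UserIds } |
    Set-Content -Path (Join-Path $case 'audit-highlights.txt')

# 3. Message trace of what the account sent (trace covers at most the last 10 days).
Get-MessageTrace -SenderAddress $Upn -StartDate $end.AddDays(-9) -EndDate $end -PageSize 5000 |
    Select-Object Received, RecipientAddress, Subject, Status, FromIP, Size |
    Export-Csv -Path (Join-Path $case 'sent-trace.csv') -NoTypeInformation

# 4. Timeline seed for the responder to extend by hand.
@(
    "Case folder: $case"
    "Evidence window: $($start.ToString('u')) to $($end.ToString('u'))"
    "Successful sign-ins: $(@($signIns | Where-Object { $_.Status.ErrorCode -eq 0 }).Count); audit records: $(@($audit).Count)"
    "First suspicious activity: <fill in>"
    "User reported the issue: <fill in>"
    "Sign-in blocked: <fill in>"
) | Set-Content -Path (Join-Path $case 'timeline.txt')
Write-Host "Evidence saved under $case"
```

Run this before the cleanup steps, not after: once rules are deleted and forwarding removed, the audit log still records the change, but the mailbox no longer shows the state the attacker left it in.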

A simple timeline is enough at first. Write down when the user noticed the issue, when access was blocked, and when suspicious activity first appeared. If outside help gets involved, that timeline will save time.

Check for persistence in Exchange Online and Entra ID

A password reset alone does not always fix a hacked Microsoft 365 mailbox. Attackers often leave behind a second path back into the account. That is why persistence checks matter.

In Exchange Online, review these places carefully:

  • Inbox rules in Outlook on the web, especially rules that forward mail, delete alerts, or move messages into rarely viewed folders such as RSS Feeds or Conversation History. Rules created through MAPI tooling can be hidden from Outlook entirely, so list them with Exchange Online PowerShell as well
  • Mailbox forwarding at the mailbox level
  • Delegates and mailbox permissions, including send-as and send-on-behalf access
  • Mail flow rules in the Exchange admin center
  • Automatic replies that include suspicious links or contact details

In Entra ID, check for changes that keep the attacker connected:

  • New or changed MFA methods
  • Added phone numbers, email addresses, or authenticator devices
  • New enterprise app consents or suspicious OAuth grants
  • Added users, role assignments, or admin privilege changes
  • Legacy authentication still allowed on the account or tenant
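A persistence review over both lists, as an added PowerShell example that is not part of the original article; it also produces the mailbox-configuration items from the evidence list earlier on the page (forwarding, inbox rules, MFA changes, delegates, app consents). It enumerates inbox rules including hidden ones, mailbox forwarding, send-on-behalf and auto-reply settings, full-access and send-as delegates, tenant mail flow rules that redirect or copy mail, legacy protocols on the mailbox, the account's registered authentication methods, its delegated OAuth grants, and any directory roles it now holds, and flags what deserves a closer look. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an operator with Exchange Administrator and Global Reader (or equivalent), and the placeholders `$Upn` and `$Since`.

```powershell
# Added example (not from the original article): enumerate the places an attacker
# can leave a way back into one mailbox, in Exchange Online and Entra ID. Assumes
# ExchangeOnlineManagement and Microsoft.Graph with Exchange Administrator and
# Global Reader rights. $Upn and $Since are placeholders for this example.
$Upn   = 'jane.doe@contoso.example'
$Since = (Get-Date).AddDays(-30)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All','DelegatedPermissionGrant.ReadWrite.All','Application.Read.All','Directory.Read.All' -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()
function Flag([string]$area, [string]$detail) { $findings.Add("[$area] $detail") }

# --- Exchange Online ---------------------------------------------------------
# Inbox rules. -IncludeHidden also returns rules created through MAPI tooling that
# Outlook and Outlook on the web never display.
foreach ($r in Get-InboxRule -Mailbox $Upn -IncludeHidden) {
    $why = @()
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo) { $why += 'forwards or redirects mail' }
    if ($r.DeleteMessage -or $r.SoftDeleteMessage)                   { $why += 'deletes mail' }
    if ($r.MoveToFolder -match 'RSS|Conversation History|Junk|Archive|Deleted') { $why += "moves mail to $($r.MoveToFolder)" }
    if ($r.MarkAsRead)                                                { $why += 'marks mail read' }
    $words = @($r.SubjectContainsWords; $r.BodyContainsWords) | Where-Object { $_ }
    if ($words) { $why += "keys on words: $($words -join '|')" }     # invoice, payment, password, ...
    if ($why) { Flag 'InboxRule' "'$($r.Name)' (enabled=$($r.Enabled), priority $($r.Priority)): $($why -join '; ')" }
}

# Mailbox-level forwarding, send-on-behalf, and auto-replies carrying links or numbers
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Flag 'Forwarding' "ForwardingSmtpAddress=$($mbx.ForwardingSmtpAddress) ForwardingAddress=$($mbx.ForwardingAddress) DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
}
if ($mbx.GrantSendOnBehalfTo) { Flag 'SendOnBehalf' ($mbx.GrantSendOnBehalfTo -join ', ') }
$oof = Get-MailboxAutoReplyConfiguration -Identity $Upn
if ($oof.AutoReplyState -ne 'Disabled' -and ("$($oof.InternalMessage) $($oof.ExternalMessage)" -match 'https?://|\+?\d[\d\s-]{7,}')) {
    Flag 'AutoReply' "state=$($oof.AutoReplyState); reply text contains a link or phone number"
}

# Delegates: explicit Full Access and Send As on this mailbox
Get-MailboxPermission -Identity $Upn | Where-Object { -not $_.IsInherited -and $_.User -notmatch '^NT AUTHORITY\\SELF$' } |
    ForEach-Object { Flag 'FullAccess' "$($_.User): $($_.AccessRights -join ',')" }
Get-RecipientPermission -Identity $Upn | Where-Object { $_.Trustee -notmatch '^NT AUTHORITY\\SELF$' } |
    ForEach-Object { Flag 'SendAs' "$($_.Trustee): $($_.AccessRights -join ',')" }

# Tenant-wide mail flow rules that redirect or copy mail, or that changed recently
Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.AddToRecipients -or $_.WhenChanged -gt $Since } |
    ForEach-Object { Flag 'TransportRule' "'$($_.Name)' state=$($_.State) changed=$($_.WhenChanged) redirect=$($_.RedirectMessageTo) bcc=$($_.BlindCopyTo)" }

# Legacy protocols still open on this mailbox (a null SmtpClientAuthenticationDisabled
# means the tenant-wide Set-TransportConfig setting applies)
$cas = Get-CASMailbox -Identity $Upn
if ($cas.ImapEnabled -or $cas.PopEnabled -or $cas.SmtpClientAuthenticationDisabled -ne $true) {
    Flag 'LegacyAuth' "IMAP=$($cas.ImapEnabled) POP=$($cas.PopEnabled) SmtpClientAuthDisabled=$($cas.SmtpClientAuthenticationDisabled)"
}

# --- Entra ID ----------------------------------------------------------------
# Registered authentication methods; the user must confirm each one is theirs.
foreach ($m in Get-MgUserAuthenticationMethod -UserId $Upn) {
    $p = $m.AdditionalProperties
    $type = $p['@odata.type'] -replace '^#microsoft\.graph\.', ''
    if ($type -eq 'passwordAuthenticationMethod') { continue }
    $detail = @('phoneNumber','emailAddress','displayName','createdDateTime') | Where-Object { $p[$_] } | ForEach-Object { "$_=$($p[$_])" }
    Flag 'AuthMethod' "$type id=$($m.Id) $($detail -join ' ')"
}

# Delegated OAuth grants the user consented to; mail and file scopes keep an attacker
# in after every password reset, because the app holds its own refresh token.
foreach ($g in Get-MgUserOauth2PermissionGrant -UserId $Upn -All) {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    if ($g.Scope -match 'Mail\.|MailboxSettings|Files\.|Sites\.|offline_access|Directory\.') {
        Flag 'OAuthGrant' "'$($sp.DisplayName)' (appId $($sp.AppId)) scopes: $($g.Scope.Trim())"
    }
}

# Directory roles now held by the account
Get-MgUserMemberOf -UserId $Upn -All | Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { Flag 'DirectoryRole' $_.AdditionalProperties['displayName'] }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No persistence indicators found; confirm manually before closing the case.' }
```

Every finding is a candidate, not a verdict: an old Full Access grant to an assistant is normal, a new one dated the day of the incident is not. Save the output with the evidence and walk the user through the authentication methods and OAuth grants one by one.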

If the user runs Outlook desktop on several machines, check those profiles too. Client-only rules live in the Outlook profile rather than the mailbox, so a server-side review misses them, and a cached credential or token can let the client reconnect after the password changes.

The main question is simple: can the attacker still read, send, or redirect mail without the user's help? If the answer might be yes, keep digging.

Reset accounts and clean affected devices

After you have checked for persistence, clean up access in a controlled order. Start with identity, then move to devices.

Reset the password again if needed, especially if the first reset happened before you found out how the attacker got in. Re-register MFA with methods you trust. Remove any old phone numbers, backup emails, or app passwords that do not belong.

Next, sign the user out of every session and re-authenticate mail apps on phones, tablets, and desktops. This matters because a token on one device can keep a connection alive long after the browser session closes.

Then check the devices that used the mailbox. Run a full malware scan on Windows and macOS systems, and review mobile devices if they had Outlook, Teams, or OneDrive access. If the user clicked a malicious link or installed something suspicious, assume the device may be part of the problem.

If you have Microsoft Defender for Endpoint or another endpoint tool, use it to review detections around the time of the breach. If not, use the tools you already trust and document the results.

A mailbox compromise often overlaps with cloud storage access too. If the attacker reached OneDrive, SharePoint, or Teams, treat those as part of the same incident, not as separate problems.

Notify the right people and decide when to escalate

Once the account is under control, tell the people who need to know. Keep the audience tight at first, then widen it based on what the attacker did.

Notify these groups if they were affected:

  • Internal users who received suspicious mail
  • Finance or accounts payable staff, if payment instructions were sent
  • Customers or vendors, if their data or email threads were exposed
  • Legal, compliance, or leadership, if personal or regulated data was involved
  • Your cyber insurer, if you carry a policy

If external forwarding was active, assume the attacker may have copied sensitive conversations. If shared files or links were exposed, say so plainly and pull those links.

Use escalation when the incident is larger than a single mailbox. That includes:

  • Multiple accounts showing suspicious sign-ins
  • A global admin or other privileged account being touched
  • Mail rules or OAuth apps that keep reappearing
  • Evidence of data downloads from SharePoint or OneDrive
  • Any sign of invoice fraud, payroll diversion, or customer impersonation
  • Ransomware, mass deletion, or more than one device infected

If your team does not manage Microsoft 365 every day, hand the case to an MSP or incident response team. A fast second set of eyes can catch the thing that gets missed at 4:45 p.m.

Harden Microsoft 365 after the breach

Recovery is the right time to tighten the tenant. Otherwise the same attack path can open again next week.

Start with authentication. Turn on phishing-resistant MFA where possible, then remove older methods you do not need. Disable legacy authentication; if an app still depends on it, fix or replace the app rather than leaving the door open, because basic authentication is exactly what password-spray and credential-stuffing tools rely on. Review Conditional Access policies so high-risk sign-ins face tighter controls, and run new policies in report-only mode first so you can see their impact in the sign-in log before enforcing them.

Next, improve mailbox and tenant monitoring. Alert on new inbox rules, external forwarding, new OAuth grants, and impossible travel sign-ins. Review mailbox auditing and keep an eye on admins who can change security settings without a second approval step.

After that, reduce what any one account can do. Use least privilege, separate admin accounts from daily email accounts, and review who can create forwarding rules or grant app consent. Small permission cuts matter when an attacker gets one username and password.
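The tenant-level changes these three paragraphs call for, as an added PowerShell example that is not part of the original article: two Conditional Access policies created in report-only mode (block legacy authentication for everyone, require phishing-resistant MFA for admin roles), closing of legacy protocols in Exchange Online, disabling automatic external forwarding, confirming mailbox auditing and the built-in forwarding and inbox-rule alert policies are on, and restricting user OAuth consent. It assumes Exchange Administrator plus Conditional Access Administrator (or Global Administrator) rights, an Entra ID P1 license, and the placeholder `$BreakGlassIds` holding the object IDs of your emergency-access accounts; the authentication strength ID used is the built-in "Phishing-resistant MFA" one, which you should confirm in your own tenant as the comment describes.

```powershell
# Added example (not from the original article): post-incident hardening of the
# tenant. Assumes Exchange Administrator and Conditional Access Administrator (or
# Global Administrator) rights and Entra ID P1. $BreakGlassIds is a placeholder
# for the object IDs of your emergency-access accounts; never leave it empty.
$BreakGlassIds = @('00000000-0000-0000-0000-000000000000')

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All','Application.Read.All','Policy.ReadWrite.Authorization' -NoWelcome

# 1. Authentication. Both policies start in report-only so their effect can be read
#    from the sign-in log; change state to 'enabled' once the impact is understood.
$blockLegacy = @{
    displayName   = 'IR-01 Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlassIds }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # 'other' covers basic-auth clients
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy | Out-Null

# Phishing-resistant MFA for every role template named "... Administrator". The built-in
# strength IDs are listed by Get-MgPolicyAuthenticationStrengthPolicy; ...0004 is
# "Phishing-resistant MFA" in Microsoft's catalogue, so confirm it before enforcing.
$adminRoles = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -match 'Administrator$' } | Select-Object -ExpandProperty Id
$adminMfa = @{
    displayName   = 'IR-02 Phishing-resistant MFA for admin roles'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeRoles = $adminRoles; excludeUsers = $BreakGlassIds }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' } }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminMfa | Out-Null

# Close the legacy protocols in Exchange Online too, so a Conditional Access gap
# does not matter: SMTP AUTH tenant-wide, then IMAP/POP on any mailbox still using them.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-CASMailbox -ResultSize Unlimited -Filter 'ImapEnabled -eq $true -or PopEnabled -eq $true' |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# 2. Monitoring. Stop automatic forwarding to external domains at both the outbound
#    spam policy and the remote-domain level, make sure mailbox auditing is on, and
#    check that the built-in alert policies for forwarding and inbox rules are enabled.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-OrganizationConfig -AuditDisabled $false
Connect-IPPSSession -ShowBanner:$false
Get-ProtectionAlert | Where-Object { $_.Name -match 'forward|inbox rule|consent' } |
    Select-Object Name, Disabled, Severity | Format-Table -AutoSize

# 3. Least privilege for consent. An empty policy list means every OAuth app needs
#    admin consent; the commented line instead allows only Microsoft's low-risk set.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ permissionGrantPoliciesAssigned = @() }
#   ... -DefaultUserRolePermissions @{ permissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low') }
```

Report-only is the point of the two policies: read the sign-in log for a week, find the service account or old scanner still using basic authentication, fix it, and only then switch the state to enabled.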

Your recovery plan should also cover data restoration. A tested backup and disaster recovery process helps when the mailbox compromise reaches SharePoint, OneDrive, or other connected services. Email is often the first sign, not the only damage.

Finally, train users on payment changes, suspicious login prompts, and fake Microsoft messages. A mailbox attack often starts with one rushed click. A trained user slows that down.

Conclusion

A hacked Microsoft 365 mailbox is a security event, not a routine help desk ticket. The fastest safe response is to cut off access, preserve evidence, and check for the hidden ways an attacker can stay inside.

Once the account is clean, harden Entra ID and Exchange Online so the same path is harder to reuse. If the incident touches money, customer data, multiple mailboxes, or admin access, bring in your IT admin, MSP, or incident response team right away.
