Quickly React To M365 User Compromise

At some point you are going to deal with an M365 user compromise. It could be a password leak of some kind. It could come through a phishing attempt, or be as simple as password sharing. Either way, it can be dealt with easily and quickly in 3 steps. I will show you how.

M365 User Compromise Account – Reset the password

Go to admin.microsoft.com and, under Active Users, search for the user of the compromised account. Click on the username and then find the Reset password option.

This will help guard against any new logins with the account.

Revoke Sign In For Compromised Account

After a password reset, the next step is to sign the compromised account out of everything. While still in the user flyout, sign the user out from all sessions.

Similarly, you can do this in PowerShell. I wrote a great article about it here.

Block Unapproved Email Apps and Protocols

Going forward, make sure you are not using any app or protocol you do not need. Click the Mail tab in the user flyout and click the Manage Email Apps link.

From here, uncheck any email app or protocol that could be used on a compromised account. It is a good idea to do this organization-wide and not just for the user.

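The same three steps can be run as one PowerShell script. This is an added example, not code from the original post: it assumes the Microsoft Graph PowerShell and ExchangeOnlineManagement modules and an admin account allowed to reset passwords, and it picks POP, IMAP and SMTP AUTH as the protocols to switch off. The parameter names, the requested scopes and the `Rst1-` prefix are illustrative choices.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, ExchangeOnlineManagement
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # UPN of the compromised account
    [switch] $OrgWide                                    # also tighten tenant-level defaults
)
$ErrorActionPreference = 'Stop'   # stop at the first failed step instead of carrying on

# Scopes are an assumption; your tenant may grant password reset through a different permission or role.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'
Connect-ExchangeOnline -ShowBanner:$false

# Step 1: reset the password to a random temporary value and force a change at next sign-in.
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = 'Rst1-' + [Convert]::ToBase64String($bytes)   # prefix guarantees mixed character classes
Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# Step 2: sign the user out of all sessions by invalidating issued refresh tokens.
# Access tokens already issued stay valid until they expire.
Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

# Step 3: turn off the mail protocols this mailbox does not need (POP, IMAP, SMTP AUTH chosen here).
Set-CASMailbox -Identity $UserPrincipalName `
    -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true

if ($OrgWide) {
    # Mailbox plans set the defaults for NEW mailboxes only; existing mailboxes keep their settings.
    Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
    # Tenant-wide SMTP AUTH switch; a per-mailbox setting can still override it.
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
}

# Verify the result rather than assuming the change applied.
Get-CASMailbox -Identity $UserPrincipalName |
    Format-List PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

# Hand the temporary password to the user over a channel other than the compromised mailbox.
Write-Host "Temporary password for ${UserPrincipalName}: $tempPassword"
```

Run it from a PowerShell session with the compromised user's UPN; add `-OrgWide` only after checking that no device or application in the tenant still depends on POP, IMAP or SMTP AUTH.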

Voila. Not only has your user compromise been dealt with quickly, you have also hardened the security of your M365 tenant. It gives bad actors a smaller attack surface, and this can only be good for your organization!

Thankfully, I have written several articles on M365 Security. I encourage you to review them. They can help you react quickly to security compromises when they happen, or harden your system to prevent them from happening in the first place. If you use these 3 steps to deal with an M365 User Compromise you will have it fixed in no time!!

Happy IT’ing

Dan

I am an IT professional with over twenty years experience in the field. I have supported thousands of users over the years. The organizations I have worked for range in size from one person to hundreds of people. I have performed support from Help Desk, Network / Cloud Administration, Network Support, Application Support, Implementation and Security.
