Microsoft 365 Business Email Accounts Hacked

Hi all,

One of my clients is using Microsoft 365 business for their emails. Number of email accounts = 26. One of the accounts got hacked I think and was sending emails out to all their contacts. The email looked very ligit

Subject: New Message from XXXX

Contents: You have a pending incoming docs shared with you via OneDrive  View Doc.

I have obviously reset her password and send an email to all the contacts letting them know not to open but it could have gotten through to a couple of people.

What would be the appropriate steps in order to get this resolved in an orderly fashion.
Can I stop an
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Hardik DesaiIT Architect and TrainerCommented:
Somone might be using local mail server with the same domain to send the messages. Could you please post message headers of the message received by the contacts. Also check if the messages are present on the sender sent items. Message tracking logs can also assist you in identifying whether messages were originated from your clients mailbox.
Chopper2302Author Commented:
Thanks for the reply. Sorry for security reasons I'm not going to post the header - what do you need from this so I can check out?

There wasn't anything in the sent items.

Will take a look at the tracking logs..
Hardik DesaiIT Architect and TrainerCommented:
use and parse the headers to check if the message did originate from your clients Office 365 tenant.
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why


I suggest you implement MFA (multi factor authentication). Read up here.

That way users from outside your domain will have to authenticate using a smartphone or any other device you set up on top of the username/password.

Note that MFA is not currently included in office 365 small business plans. It is supported in office 365 midsize business, enterprise plans, academic plans, nonprofit plans, and standalone office 365 plans, including exchange online and sharepoint online. For your reference.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Chopper2302Author Commented:
OK thank you
AmitIT ArchitectCommented:
In this situation, I would disable the account and wait for sometime. Then enable again. Also, check if user configured same account in any other device, like phone. That can also trigger old mails to sync.
Aaron GuilmetteTechnology Solutions ProfessionalCommented:
A level of multi-factor authentication is included in all versions of Office 365.  I would recommend enabling that or Conditional Access.

In addition, you can subscribe to a trial of Azure AD P2 or Enterprise Mobility + Security Suite to enable the advanced Azure AD sign in logs (via, which will show you where the logons are originating (if you're not using federated identity).
Chopper2302Author Commented:
Thank you. I have enabled MFA for this user that was hit. I have reset the passwords for all accounts and changed the password policy to change every 60 days.

Thanks all for your help.
Chopper2302Author Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.