• Status: Solved
  • Priority: High
  • Security: Public

Microsoft 365 Business Email Accounts Hacked

Hi all,

One of my clients is using Microsoft 365 business for their emails. Number of email accounts = 26. One of the accounts got hacked I think and was sending emails out to all their contacts. The email looked very legit.

Subject: New Message from XXXX

Contents: You have a pending incoming docs shared with you via OneDrive  View Doc.

I have obviously reset her password and sent an email to all the contacts letting them know not to open it, but it could have gotten through to a couple of people.

What would be the appropriate steps in order to get this resolved in an orderly fashion?
Can I stop an
Hardik Desai (IT Architect and Trainer) commented:
Someone might be using a local mail server with the same domain to send the messages. Could you please post the message headers of the message received by the contacts? Also check if the messages are present in the sender's Sent Items. Message tracking logs can also assist you in identifying whether the messages originated from your client's mailbox.
Chopper2302 (Author) commented:
Thanks for the reply. Sorry for security reasons I'm not going to post the header - what do you need from this so I can check out?

There wasn't anything in the sent items.

Will take a look at the tracking logs.
Hardik Desai (IT Architect and Trainer) commented:
Use mx-toolbox.com and parse the headers to check if the message did originate from your client's Office 365 tenant.
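An added example, not part of the original thread: a Python sketch of the header check suggested above, separating a message that was relayed through the Microsoft 365 service (account compromise) from one that only forges the From address. The sample headers are constructed, the function names are hypothetical, and the `.outlook.com` relay suffix is an assumption about how Exchange Online hosts are named.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples; every host, address and IP below is a placeholder.
SPOOFED = """\
Received: from relay.unrelated.example (198.51.100.7) by mx.recipient.example;
 Tue, 1 Jan 2019 10:00:01 +0000
Authentication-Results: mx.recipient.example; spf=fail
 smtp.mailfrom=client.example; dkim=none; dmarc=fail header.from=client.example
From: "User" <user@client.example>
"""
GENUINE = """\
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (192.0.2.25)
 by mx.recipient.example; Tue, 1 Jan 2019 10:00:03 +0000
Received: from AM0PR01MB0001.eurprd01.prod.outlook.com (192.0.2.80)
 by AM0PR01MB0002.eurprd01.prod.outlook.com; Tue, 1 Jan 2019 10:00:01 +0000
Authentication-Results: mx.recipient.example; spf=pass
 smtp.mailfrom=client.example; dkim=pass header.d=client.example; dmarc=pass
From: "User" <user@client.example>
"""

def auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving server (RFC 8601)."""
    found = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            found.setdefault(method.lower(), result.lower())
    return found

def relay_hosts(msg):
    """Sending host named in each Received hop, oldest hop first."""
    hops = [re.match(r"\s*from\s+(\S+)", v) for v in msg.get_all("Received", [])]
    return [m.group(1).lower() for m in reversed(hops) if m]

def assess(raw, relay_suffix=".outlook.com"):
    """Classify a message as 'tenant', 'spoofed' or 'inconclusive'."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth, hops = auth_results(msg), relay_hosts(msg)
    via_service = any(h.endswith(relay_suffix) for h in hops)
    if via_service and auth.get("dmarc") == "pass":
        verdict = "tenant"        # authenticated and relayed by the service
    elif not via_service and auth.get("dmarc") in ("fail", "none", None):
        verdict = "spoofed"       # forged From, relayed elsewhere
    else:
        verdict = "inconclusive"  # confirm with the message tracking logs
    return {"from_domain": domain, "auth": auth, "hops": hops, "verdict": verdict}
```

Host names in Received lines are claimed by the sending side, so the DMARC result written by the recipient's own server carries the weight here; a "tenant" verdict should still be confirmed against the message tracking logs.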
I suggest you implement MFA (multi factor authentication). Read up here.

That way users from outside your domain will have to authenticate using a smartphone or any other device you set up on top of the username/password.

Note that MFA is not currently included in Office 365 small business plans. It is supported in Office 365 midsize business, enterprise plans, academic plans, nonprofit plans, and standalone Office 365 plans, including Exchange Online and SharePoint Online. For your reference.

Chopper2302 (Author) commented:
OK thank you
Amit (IT Architect) commented:
In this situation, I would disable the account and wait for some time. Then enable it again. Also, check if the user configured the same account on any other device, like a phone. That can also trigger old mails to sync.
Aaron Guilmette (Technology Solutions Professional) commented:
A level of multi-factor authentication is included in all versions of Office 365. I would recommend enabling that or Conditional Access.

In addition, you can subscribe to a trial of Azure AD P2 or Enterprise Mobility + Security Suite to enable the advanced Azure AD sign in logs (via manage.windowsazure.com), which will show you where the logons are originating (if you're not using federated identity).
Chopper2302 (Author) commented:
Thank you. I have enabled MFA for this user that was hit. I have reset the passwords for all accounts and changed the password policy to change every 60 days.

Thanks all for your help.