Problem:
You find that your Office 365 tenancy is hacked.
Solution:
(h/t AC)
- We changed the password.
- Checked for an Outbound connector in the EAC (Exchange Admin Center) -> Mail Flow -> Connectors.
- Checked the Inbox rules and found the suspicious inbox rules.
- We disabled the MAPI and ActiveSync protocols before deleting the Inbox rules (ActiveSync will take precedence if not disabled and the rules will reappear after deleting).
- Then we deleted the Inbox rules.
- We checked for any email forwarding applied on the impacted email address.
- We checked the Message trace so that we could find whether the bulk email was sent from the impacted user's mailbox.
- We ran the command Get-InboxRule -Mailbox abc@domain.com to check the inbox rules without logging in as the user from OWA (Outlook Web App).
- We enabled MFA for Admin login.
- We downloaded the PowerShell module from EAC -> Hybrid -> click the second Configure to download the PowerShell for MFA. With this you can check the rules user by user with this command:
- Get-InboxRule -Mailbox abc@domain.com
- If it comes back empty, no rules are set.
- Sign into the Office 365 Security and Compliance Center and in the list on the left, expand Threat Management, choose Review, and then choose Restricted Users.
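As an added worked example (not from the original post or AC's notes), here is the same checklist as one Exchange Online PowerShell script. It assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has already been run with an admin account, and that the mailbox address is passed as a parameter (abc@domain.com is the page's placeholder). The script name and the -Remediate switch are my own; without the switch it only reports, so it can be run during triage before any change is made.

```powershell
# Added example, not from the original post. Triage a suspected compromised
# Exchange Online mailbox following the steps in the post above.
# Assumes: ExchangeOnlineManagement module installed, Connect-ExchangeOnline
# already run as an admin. Save as Triage-Mailbox.ps1 (hypothetical name).
param(
    [Parameter(Mandatory)][string]$Mailbox,
    [switch]$Remediate   # default is read-only; -Remediate disables protocols and removes flagged rules
)

# 1. Outbound connectors (EAC -> Mail Flow -> Connectors). A connector the
#    team did not create, pointing at an external smart host, is a red flag.
Write-Host "== Outbound connectors ==" -ForegroundColor Cyan
Get-OutboundConnector |
    Select-Object Name, Enabled, ConnectorType, SmartHosts, RecipientDomains, WhenCreated |
    Format-Table -AutoSize

# 2. Inbox rules, read via PowerShell so nobody has to log in as the user in OWA.
#    Flag the patterns typical of a takeover: forward/redirect, delete,
#    move to an out-of-the-way folder, mark as read.
Write-Host "== Inbox rules for $Mailbox ==" -ForegroundColor Cyan
$rules = Get-InboxRule -Mailbox $Mailbox
if (-not $rules) { Write-Host "No inbox rules set." }

$flagged = foreach ($r in $rules) {
    $reasons = @()
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo -or $r.RedirectTo) { $reasons += 'forwards/redirects mail' }
    if ($r.DeleteMessage) { $reasons += 'deletes messages' }
    if ($r.MoveToFolder -match 'RSS|Archive|Conversation History|Junk|Deleted') {
        $reasons += "moves to '$($r.MoveToFolder)'"
    }
    if ($r.MarkAsRead) { $reasons += 'marks as read' }
    if ($reasons) {
        [pscustomobject]@{
            Name     = $r.Name
            Identity = $r.Identity      # used for removal; names need not be unique
            Enabled  = $r.Enabled
            Reasons  = ($reasons -join '; ')
        }
    }
}
$flagged | Format-Table Name, Enabled, Reasons -AutoSize

# 3. Mailbox-level forwarding, which does not appear as an inbox rule.
Write-Host "== Mailbox forwarding ==" -ForegroundColor Cyan
Get-Mailbox -Identity $Mailbox |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Format-List

# 4. Message trace: was bulk mail sent from this mailbox in the last 7 days?
#    (Get-MessageTrace returns 1000 rows per page by default; page if needed.)
Write-Host "== Outbound message trace (7 days) ==" -ForegroundColor Cyan
$trace = Get-MessageTrace -SenderAddress $Mailbox -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
"Messages sent: $($trace.Count); distinct recipients: $(($trace.RecipientAddress | Sort-Object -Unique).Count)"
$trace | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# 5. Restricted users (Security & Compliance -> Threat Management -> Review -> Restricted Users).
Write-Host "== Restricted (blocked) senders ==" -ForegroundColor Cyan
Get-BlockedSenderAddress | Format-Table -AutoSize

# 6. Remediation in the order the post gives: disable ActiveSync and MAPI first,
#    so a synced client cannot push the rules back, then delete the rules.
if ($Remediate -and $flagged) {
    Set-CASMailbox -Identity $Mailbox -ActiveSyncEnabled $false -MAPIEnabled $false
    foreach ($f in $flagged) {
        Remove-InboxRule -Mailbox $Mailbox -Identity $f.Identity -Confirm:$false
        Write-Host "Removed rule '$($f.Name)'"
    }
    # Re-read to confirm nothing came back.
    Get-InboxRule -Mailbox $Mailbox | Format-Table Name, Enabled -AutoSize
}
```

Run it first as `.\Triage-Mailbox.ps1 -Mailbox abc@domain.com` to collect the evidence (connectors, rules, forwarding, trace, restricted users) while the account is still in its compromised state, reset the password and enable MFA as the post describes, then run again with `-Remediate` to disable the protocols and remove the flagged rules. The final Get-InboxRule re-read is the check that the rules did not reappear.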