You find that your Office 365 tenancy is hacked.
- We changed the password.
- Checked for the Outbound connector from EAC ( Exchange Admin Center )–> Mail Flow–> Connector.
- Check for the Inbox rules and we found the suspicious inbox rules.
- We disable the MAPI and Active sync protocol before deleting the Inbox rules ( Active sync will take precedence if not disabled and the rules will reflect again after deleting ).
- Then we deleted the Inbox rules .
- We check for the email forwarding if any applied on the impacted email address.
- We check the Message trace so that we can find weather the bulk email was send from the impacted user Mailbox.
- We ran the command Get-inboxrule -Mailbox email@example.com to check the inbox rules with out login to the user from OWA ( Outlook Web Application )
- We enable MFA for Admin Login.
- We downloaded the Poweshell from EAC –> Hybrid –> click on second Configure to download the PowerShell for MFA. With this you can check RULEs user by user by this command
- Get-InboxRule -Mailbox firstname.lastname@example.org
- If it came empty – no any rules are set
- Sign into the Office 365 Security and Compliance Center and in the list on the left, expand Threat Management, choose Review, and then choose Restricted Users.