Office 365 Tenancy Hacked


You find that your Office 365 tenancy is hacked.


(h/t AC)

  1. We changed the password.
  2. Checked for the Outbound connector from EAC ( Exchange Admin Center )–> Mail Flow–> Connector.
  3. Check for the Inbox rules and we found the suspicious inbox rules.
  4. We disable the MAPI and Active sync protocol before deleting the Inbox rules ( Active sync will take precedence if not disabled and the rules will reflect again after deleting ).
  5. Then we deleted the Inbox rules .
  6. We check for the email forwarding if any applied on the impacted email address.
  7. We check the Message trace so that we can find weather the bulk email was send from the impacted user Mailbox.
  8. We ran the command Get-inboxrule -Mailbox to check the inbox rules with out login to the user from OWA ( Outlook Web Application )
  9. We enable MFA for Admin Login.
  10. We downloaded the Poweshell from EAC –> Hybrid –> click on second Configure to download the PowerShell for MFA. With this you can check RULEs user by user by this command
    1. Get-InboxRule -Mailbox
    2. If it came empty – no any rules are set
  11. Sign into the Office 365 Security and Compliance Center and in the list on the left, expand Threat Management, choose Review, and then choose Restricted Users.