SecureMyEmails Check your domain →
Incident Response

Office 365 Account Hacked? Here's What To Do Immediately

Published May 2, 2026

A compromised Microsoft 365 account is one of the most common ways businesses get hit with email fraud. The moment an attacker controls an inbox, they can send payment diversion emails to your suppliers, intercept invoices, and access sensitive documents -- all while appearing to be you.

Here is exactly what to do if you suspect your account has been compromised.

Act immediately. Every minute an attacker has access to a live inbox they can read correspondence, set up forwarding rules, and contact your clients. Speed matters.

Step 1: Kill Active Sessions Immediately

Log in to the Microsoft 365 admin console using a separate admin account -- not the one you suspect is compromised. Sign the affected user out of all active sessions. This cuts off any live access the attacker may have right now.

Step 2: Reset the Password

Reset the compromised user's password immediately. Use a strong, unique password that has never been used anywhere else. Do not reuse it across other accounts.

Step 3: Check for Forwarding Rules

This is critical and often missed. Open the compromised Outlook account and look for any new forwarding rules. Attackers frequently set these up to silently copy all incoming emails to an external address -- so they keep receiving your emails even after you change the password.

Delete any rules you did not create.

Step 4: Review OAuth App Permissions

Check the list of apps connected to the Microsoft 365 account via OAuth. Look for unfamiliar applications that may have been granted access. Revoke anything you do not recognise. These can be used to maintain persistent access even after a password change.

Step 5: Audit SharePoint and OneDrive Activity

Review the activity logs for SharePoint and OneDrive. Look for unusual file access, downloads, or sharing activity. This tells you what the attacker was looking at and whether any sensitive documents were taken.

Step 6: Warn Anyone Who Received Emails From the Account

Contact people who may have received emails from the compromised account during the breach window. Tell them not to click any links or open attachments from those messages. This is especially important if the attacker sent payment requests or invoice updates.

The Underlying Problem: Weak Email Security Configuration

If your Microsoft 365 account was compromised, it is worth asking why it was vulnerable in the first place. Most successful attacks exploit one or more of these gaps:

  • No multi-factor authentication -- the single most effective protection against account takeover
  • Missing or misconfigured DMARC -- allows attackers to spoof your domain even without accessing your account
  • No SPF or DKIM records -- makes your domain easy to impersonate
  • Weak or reused passwords -- particularly common in businesses without a password manager policy

Preventing It From Happening Again

Once you have contained the incident, the priority is hardening the account so this cannot happen again:

  1. Enable MFA on every account -- non-negotiable
  2. Configure DMARC, SPF and DKIM -- protects your domain even if credentials are stolen
  3. Set up conditional access policies -- restrict logins from unusual locations or devices
  4. Review admin privileges -- most users should not have global admin rights
  5. Enable Microsoft Defender for Office 365 -- real-time protection against phishing and malware delivered via email

If you are not comfortable auditing this yourself, get professional help before the next incident -- not after it.

The Step Most Businesses Miss

In my experience, the forwarding rules (Step 3) are the single most commonly missed item during incident response, and the most damaging. I have seen businesses reset passwords, assume the problem is solved, and then discover weeks later that the attacker has been reading every incoming email the entire time via a silent forwarding rule. The rule sends a copy of each email to a free webmail address. It's invisible in day-to-day use. Outlook doesn't surface it prominently.

The second thing that surprises people is the timeline. The average dwell time, from initial compromise to discovery, is weeks, not hours. In that window, the attacker has had time to read your correspondence, understand your supplier relationships, and wait for the right invoice to redirect. The spam your colleagues reported wasn't the attack. It was the attacker testing the account or selling its use. The actual fraud often comes later, from a different direction.

The strongest single preventative measure is MFA. Not DMARC, not filters, not training. MFA. It doesn't stop every attack, but it stops the most common attack vector (stolen credentials from a phishing link or data breach) in its tracks. If you have one thing to do this week, it's enabling MFA on every Microsoft 365 account in your organisation.

Check Your Email Security Configuration

Enter your domain and get an instant report on your DMARC, SPF, and DKIM status. See exactly where you are exposed before an attacker does.

Run the Free Security Check