What to Do When Office 365 Account Compromised?

Written By Mohit Kumar Jha
Approved By Anuraag Singh
Modified On July 29th, 2025

Most users choose Office 365 for its advanced features, which help protect your account from threats and hackers. But what if you think that your Office 365 account is compromised and don’t know what to do? In this guide, I am going to advise you on the important points of handling the situation and share a strategy to recover your data from your compromised account.

Microsoft 365 has become a popular platform for business productivity and communication in many organizations, offering tools like Outlook, Teams, SharePoint, OneDrive, and many more. However, with the increasing demand for Office 365, there is a growing concern about account compromises.

Nowadays, cybercriminals have become smarter than before and target vulnerable accounts to steal sensitive data. When an unauthorized third party gains access to a user’s account credentials, the Office 365 account is compromised, and there is a huge risk of a data breach or other malicious attack. If you are experiencing this situation, I am going to help you deal with it.

Signs Your Office 365 Account is Compromised

Several indicators help you identify whether your account is compromised.

  • Multiple failed login attempts from unusual locations or devices.
  • The account’s sign-in activity indicates that someone logged in from a different country, city, or network.
  • You are seeing logins from devices you don’t own or use. It is a big sign that Office 365 has been compromised.
  • Missing some of your emails? Some attackers delete your emails to cover their tracks.
  • Suspicious inbox rules that automatically forward your emails to external email addresses.
  • You have found sent items, emails, or signatures that you don’t recognize.
  • You receive prompts to approve MFA requests or password resets.
  • Receiving security alerts from Microsoft in emails or dashboards.

There are many other signs that your account has been hacked. If you notice any of them, take immediate action to respond. If you delay, you will face a lot of trouble.

Immediate Response to Office 365 Account Compromised

When someone accesses your Office 365 account, the first step is to disable the compromised account. To do this:

  1. Install the Microsoft Graph PowerShell module by using this command in PowerShell: Install-Module -Name Microsoft.Graph -Scope CurrentUser
  2. Connect to Microsoft Graph with this command: Connect-MgGraph -Scopes "User.ReadWrite.All"
  3. Store the details of the user account in the $user variable with this command: $user = Get-MgUser -Search UserPrincipalName:'<UPN>' -ConsistencyLevel Eventual (replace <UPN> with the user’s principal name)
  4. To disable the user account, run this command: Update-MgUser -UserId $user.Id -AccountEnabled:$false

If you are not able to disable the user account, change the password of your account.

Revoke User Access from Compromised Account

To prevent the attacker from accessing the sensitive data, I am going to use the following commands.

  1. Open a new PowerShell window as an administrator and run: Set-ExecutionPolicy RemoteSigned
  2. Install the necessary Microsoft Graph PowerShell modules: Install-Module Microsoft.Graph.Authentication
    Install-Module Microsoft.Graph.Users.Actions
  3. Connect to Microsoft Graph with this command: Connect-MgGraph -Scopes User.RevokeSessions.All
  4. Run this command: Revoke-MgUserSignInSession -UserId <UPN> (use the user’s principal name in place of <UPN>)

Remove the Unauthorized User Access

  1. After that, remove any suspicious devices from the Office 365 account. Make sure that you also get rid of any unrecognized MFA methods.
  2. Along with this, also revoke any applications that are connected with the account.
  3. Review the permissions and roles that are assigned to the users.
  4. If you find any suspicious mail forwarding, connect to Exchange Online PowerShell.
  5. Use this command to check whether the mailbox is forwarding mail: Get-Mailbox -Identity <Identity> | Format-List Forwarding*Address,DeliverTo*
  6. Also, check the inbox rules for forwarding, replacing <Identity> with the name or email address of the mailbox: Get-InboxRule -Mailbox <Identity> -IncludeHidden | Format-List Name,Enabled,RedirectTo,Forward*,Identity
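
The rule check in steps 5 and 6 can be turned into a filter that reports only the rules worth a closer look. This is an added example, not part of the original article: the function name Get-SuspiciousInboxRule, the domain contoso.example, the folder-name pattern and the sample rules are all assumptions made for illustration.

```powershell
# Added example: flag inbox rules that forward externally, delete, or hide mail.
function Get-SuspiciousInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Rule,
        [Parameter(Mandatory)] [string[]] $InternalDomains
    )
    process {
        $reasons = @()
        # Get-InboxRule renders SMTP recipients as: "Display Name" [SMTP:user@domain]
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
        foreach ($t in $targets) {
            if ("$t" -match 'SMTP:[^@\]]+@([^\]\s]+)' -and
                $InternalDomains -notcontains $Matches[1]) {
                $reasons += "sends mail to external domain $($Matches[1])"
            }
        }
        if ($Rule.DeleteMessage) { $reasons += 'deletes matching messages' }
        # Assumption: these folder names are illustrative "obscure folder" choices.
        if ("$($Rule.MoveToFolder)" -match 'RSS|Conversation History') {
            $reasons += "moves mail to '$($Rule.MoveToFolder)'"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules using the property names Get-InboxRule returns.
$sampleRules = @(
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; MoveToFolder = 'Newsletters' }
    [pscustomobject]@{ Name = '.'; Enabled = $true; DeleteMessage = $true
                       ForwardTo = @('"drop" [SMTP:drop@mail.example.net]') }
    [pscustomobject]@{ Name = 'invoices'; Enabled = $true; MoveToFolder = 'RSS Feeds'
                       RedirectTo = @('"Finance" [SMTP:finance@contoso.example]') }
)
$sampleRules | Get-SuspiciousInboxRule -InternalDomains 'contoso.example' | Format-List

# Against a live mailbox, after Connect-ExchangeOnline:
# Get-InboxRule -Mailbox <Identity> -IncludeHidden |
#     Get-SuspiciousInboxRule -InternalDomains 'contoso.example'
```

Recipients that do not appear in SMTP form are treated as internal here, so review those rules by hand.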

Once you follow these steps, it is time to investigate your compromised Office 365 account.

Investigate Why the Office 365 Account Was Compromised

To find the real cause of your Office 365 account being compromised, a thorough investigation is needed. Here are the steps to help you carry it out.

  1. Check the sign-in activity of your account: Go to the Microsoft 365 Security & Compliance Center, then the Sign-in logs option.
    Search for any unusual IP addresses, locations, or devices.
    Focus on both failed and successful login attempts from unfamiliar sources.
  2. Review the audit logs: Use Microsoft Purview Audit to track user activities.
    Look for suspicious behavior such as mailbox rule changes, file access or deletions, external sharing, or permission changes.
  3. Analyze the mail flow and inbox rules: In Outlook on the web or PowerShell, check for forwarding rules to external addresses and for hidden rules that move emails to obscure folders.
    Also, check the Sent Items, Drafts, and Deleted Items folders for emails that you don’t recognize.
  4. Check the Multi-Factor Authentication status to ensure it is enabled and set up correctly.
  5. If Microsoft Defender for Office 365 is available, run the Automated Investigation and Response tool to detect any threats.
  6. Lastly, make sure that no unauthorized users have been granted administrative rights. If they have, remove the suspicious accounts from privileged groups.
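
The sign-in review in step 1 can also be done on exported records instead of in the portal. This is an added example, not part of the original article: Get-SignInSummary and New-SampleSignIn are hypothetical helper names, the failure threshold of 3 and the list of known countries are assumptions, and the sample records are constructed in the shape that the Microsoft Graph cmdlet Get-MgAuditLogSignIn returns.

```powershell
# Added example: summarise sign-ins per source IP and flag unfamiliar sources.
function Get-SignInSummary {
    param(
        [Parameter(Mandatory)] [object[]] $SignIn,
        [Parameter(Mandatory)] [string[]] $KnownCountries  # assumption: user's usual countries
    )
    $SignIn | Group-Object IpAddress | ForEach-Object {
        # Status.ErrorCode 0 means the sign-in succeeded; anything else is a failure.
        $ok      = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 })
        $failed  = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 })
        $country = $_.Group[0].Location.CountryOrRegion
        $flags   = @()
        if ($KnownCountries -notcontains $country) { $flags += 'unfamiliar country' }
        # Assumption: 3 or more failures plus a success from one IP deserves review.
        if ($ok.Count -gt 0 -and $failed.Count -ge 3) {
            $flags += 'repeated failures plus a success'
        }
        [pscustomobject]@{
            IpAddress = $_.Name
            Country   = $country
            Succeeded = $ok.Count
            Failed    = $failed.Count
            FirstSeen = ($_.Group.CreatedDateTime | Sort-Object | Select-Object -First 1)
            Flags     = $flags -join ', '
        }
    } | Sort-Object { $_.Flags.Length } -Descending
}

# Helper that builds constructed records only; not needed with real data.
function New-SampleSignIn($Time, $Ip, $Country, $Code) {
    [pscustomobject]@{ CreatedDateTime = [datetime]$Time; IpAddress = $Ip
        Location = [pscustomobject]@{ CountryOrRegion = $Country }
        Status   = [pscustomobject]@{ ErrorCode = $Code } }
}
$sample = @(
    New-SampleSignIn '2025-07-01T08:02:00Z' '198.51.100.7' 'IN' 0
    New-SampleSignIn '2025-07-01T22:10:00Z' '203.0.113.40' 'NL' 50126
    New-SampleSignIn '2025-07-01T22:11:00Z' '203.0.113.40' 'NL' 50126
    New-SampleSignIn '2025-07-01T22:12:00Z' '203.0.113.40' 'NL' 50126
    New-SampleSignIn '2025-07-01T22:15:00Z' '203.0.113.40' 'NL' 0
)
Get-SignInSummary -SignIn $sample -KnownCountries 'IN' | Format-Table -AutoSize

# With real data, after Connect-MgGraph -Scopes AuditLog.Read.All:
# $records = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '<UPN>'" -All
```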

Recover Office 365 Account After Investigation

These are the actions and the investigations you have to take when your account is compromised. Now, one question arises: how can you recover from the attack? Take these tips to recover your account and data.

  1. First, reset your Office password: Create a strong and unique password and change it for all the accounts.
  2. Reconfigure your MFA: Re-enroll MFA so that the attacker cannot access your account again.
  3. Update security policies: Keep the security of all user accounts strong. Also, inform other users and instruct them to be cautious.
  4. Keep a proper record of the incident and the actions that you take. This will help you for future reference.

These points help you recover your Office 365 account. Now, to recover and secure your Office 365 data, use the following option.

How to Secure Office 365 Data When the Account is Compromised?

The main reason for hacking the Office 365 account is to access the sensitive data. To avoid this issue, you have to take responsibility for this. On the internet, several advanced tools can help you. SysTools Office 365 Backup Software is one of the popular tools that you can easily use to save your Microsoft 365 account. By using this, you can save your data from any issue, including when your Office 365 account is compromised. It is also a better strategy for recovering your data. If your account is locked, you can at least have your data secured.


Final Words

In this article, I have explained what to do when your Office 365 account is compromised. I discussed the signs that the account is compromised and what immediate actions you should take. By following the investigation steps, you can find the real reason for the problem. Other than that, I also explained the recovery strategy to make your account strong and protect your data.
