Secure email account after breach

  1. Disable the account and leave it locked out for 60 minutes to sign out existing sessions.
  2. Change the user's password. Minimum is 12 characters.
  3. Check the sign-in logs in Azure AD (Azure Active Directory > Users > select user > Sign-in logs). These will give you an indication of how long the account has been compromised.
  4. Check the message trace from the compromise date. Notify the client of which email addresses have been sent to so that they can notify those recipients of the breach.
  5. Grant yourself access to the mailbox. Check mailbox rules and forwarding options whilst it is disabled.
  6. Check whether other services such as SharePoint or OneDrive have been compromised (Azure Active Directory > Users > select user > Audit logs).
  7. Unblock the user's account, notify them of the password over the phone, and recommend MFA if they don’t have it.
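
The mailbox rule and forwarding check in step 5 can also be done from Exchange Online PowerShell. The script below is an added example, not part of the original checklist; it assumes the ExchangeOnlineManagement module is installed and a Connect-ExchangeOnline session is already open, and the script name and parameter are hypothetical.

```powershell
# Audit-MailboxRules.ps1 (hypothetical name): added example, read-only.
# Lists mailbox-level forwarding and inbox rules worth reviewing after a breach.
# Assumes an existing Connect-ExchangeOnline session.
param(
    [Parameter(Mandatory)]
    [string] $Mailbox    # UPN of the affected user, e.g. user@example.com (placeholder)
)

# Forwarding set on the mailbox object itself does not show up as an inbox rule.
$mbx = Get-Mailbox -Identity $Mailbox
[pscustomobject]@{
    Mailbox                    = $mbx.PrimarySmtpAddress
    ForwardingAddress          = $mbx.ForwardingAddress
    ForwardingSmtpAddress      = $mbx.ForwardingSmtpAddress
    DeliverToMailboxAndForward = $mbx.DeliverToMailboxAndForward
} | Format-List

# Inbox rules, including hidden ones that do not appear in Outlook's rule list.
$rules = @(Get-InboxRule -Mailbox $Mailbox -IncludeHidden)

# Flag rules that send mail elsewhere or hide it from the user.
$flagged = foreach ($r in $rules) {
    $reasons = @()
    if ($r.ForwardTo)             { $reasons += 'forwards mail' }
    if ($r.ForwardAsAttachmentTo) { $reasons += 'forwards mail as attachment' }
    if ($r.RedirectTo)            { $reasons += 'redirects mail' }
    if ($r.DeleteMessage)         { $reasons += 'deletes mail' }
    if ($r.MoveToFolder)          { $reasons += "moves mail to '$($r.MoveToFolder)'" }
    if ($r.MarkAsRead)            { $reasons += 'marks mail as read' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name        = $r.Name
            Enabled     = $r.Enabled
            Reasons     = $reasons -join '; '
            Description = $r.Description
        }
    }
}

if ($flagged) {
    $flagged | Format-List
} else {
    Write-Output "No forwarding, redirect, delete, or move rules found ($($rules.Count) rules checked)."
}
```

The script changes nothing; review each flagged rule with the user before removing it, since legitimate filing rules will also be listed.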
