Secure email account after breach
- Disable the account and leave it locked out for 60 minutes so that existing sessions are signed out.
- Change the user's password. The minimum length is 12 characters.
- Check the sign-in logs in Azure AD: Azure Active Directory > Users > select user > Sign-in logs. These will give you an indication of how long the account has been compromised.
- Run a message trace from the compromise date. Notify the client of which email addresses have been sent messages so that they can notify those recipients of the breach.
- Grant yourself access to the mailbox. Check mailbox rules and forwarding options whilst the account is disabled.
- Check if other services such as SharePoint or OneDrive have been compromised: Azure Active Directory > Users > select user > Audit logs.
- Unblock the user's account, notify them of the password over the phone and recommend MFA if they don't have it.
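
An added example (not part of the original checklist) for the sign-in log and message trace steps: it estimates the compromise start date from exported sign-in records, which then becomes the message trace start date. The records are constructed, the field names follow the Microsoft Graph signIn resource, and the function names and the "unfamiliar country" heuristic are assumptions.

```python
from datetime import datetime, timezone

def _rec(ts, ip, country, code, app):
    # Shape follows the Microsoft Graph signIn resource (only the fields used here).
    return {"createdDateTime": ts, "ipAddress": ip, "appDisplayName": app,
            "location": {"countryOrRegion": country}, "status": {"errorCode": code}}

# Constructed sample data: documentation IP ranges, invented timestamps.
SAMPLE_SIGNINS = [
    _rec("2024-03-05T03:40:09Z", "203.0.113.80", "NL", 0, "Office 365 SharePoint Online"),
    _rec("2024-03-01T08:02:11Z", "198.51.100.10", "US", 0, "Office 365 Exchange Online"),
    _rec("2024-03-03T23:50:02Z", "203.0.113.77", "NL", 50126, "Office 365 Exchange Online"),
    _rec("2024-03-04T02:17:45Z", "203.0.113.77", "NL", 0, "Office 365 Exchange Online"),
    _rec("2024-03-04T09:01:30Z", "198.51.100.10", "US", 0, "Office 365 Exchange Online"),
]

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def compromise_window(signins, expected_countries, disabled_at):
    """Estimate when the compromise began from exported sign-in records.

    Assumption: a successful sign-in (errorCode 0) from a country the user does
    not normally sign in from is treated as attacker activity. Failed attempts
    are counted but do not move the start date. Records with no location are
    treated as unfamiliar.
    """
    def foreign(s):
        return (s.get("location") or {}).get("countryOrRegion") not in expected_countries
    hits = sorted((s for s in signins if foreign(s) and s["status"]["errorCode"] == 0),
                  key=lambda s: _ts(s["createdDateTime"]))
    if not hits:
        return None  # nothing outside the baseline; review the logs manually
    start = _ts(hits[0]["createdDateTime"])
    return {
        "start": start,                    # use as the message trace start date
        "duration": disabled_at - start,   # how long the account was exposed
        "source_ips": sorted({s["ipAddress"] for s in hits}),
        "apps": sorted({s["appDisplayName"] for s in hits}),  # services to review
        "failed_foreign": sum(1 for s in signins
                              if foreign(s) and s["status"]["errorCode"] != 0),
    }

if __name__ == "__main__":
    disabled = datetime(2024, 3, 6, 10, 0, tzinfo=timezone.utc)
    for key, value in compromise_window(SAMPLE_SIGNINS, {"US"}, disabled).items():
        print(f"{key}: {value}")
```

The `apps` list shows which services the unfamiliar sign-ins reached, which indicates where to look in the audit logs for SharePoint or OneDrive activity.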