How to Recover a Hacked Microsoft 365 Account

Microsoft 365 sits at the center of millions of small businesses — email, files, Teams, and identity all in one place. That makes a hacked Microsoft 365 account especially dangerous, and recovering it takes a few admin-level steps beyond a simple password change. Here is how to take back a compromised Microsoft 365 account and lock it down so the attacker cannot return.

Why Microsoft 365 compromises are serious

Because Microsoft 365 ties together email, OneDrive and SharePoint files, Teams chats, and your company’s identity system, one hijacked account can expose a lot — and an attacker who reaches an admin account can affect your whole tenant. The good news is that Microsoft 365 gives administrators powerful tools to investigate and recover, if you know where to look. Speed still matters: the faster you respond, the less the attacker can take.

Step 1: Reset the password and revoke sessions

As an admin (or have your admin do it), reset the compromised account’s password in the Microsoft 365 admin center. Crucially, also sign the user out of all sessions — resetting the password alone does not immediately kick out an attacker who already has an active session. Revoking sessions forces every device to re-authenticate, locking out the intruder.

Step 2: Block sign-in if needed, then enable MFA

If you need a moment to investigate, you can temporarily block the account’s sign-in to freeze the attacker out entirely while you work. Then make sure multi-factor authentication is enabled for the account. Check the account’s registered authentication methods and remove any MFA method, phone number, or app password the attacker may have added — this is a common way intruders keep a back door even after a password reset.

Step 3: Hunt for malicious inbox rules and forwarding

Just like any hacked email account, a compromised Microsoft 365 mailbox often has a hidden forwarding rule or inbox rule set by the attacker to steal copies of messages or hide their tracks. Check the mailbox rules and any mail-forwarding settings, and delete anything suspicious. Also review whether external forwarding was enabled at the account or organization level, since attackers exploit it to exfiltrate mail quietly.
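Steps 1 through 3 as a single PowerShell run, added here as an example rather than taken from the post; it assumes the Microsoft Graph PowerShell SDK and the Exchange Online Management module are installed, and the account name is a placeholder.

```powershell
# Added example (not from the original post): steps 1-3 as one PowerShell run.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and
# that the operator holds the admin roles these cmdlets require.
param([Parameter(Mandatory)][string]$Upn)   # e.g. 'user@contoso.example' (placeholder)

Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All'
Connect-ExchangeOnline

# Step 2 first: freeze the account so nothing further lands while we work.
Update-MgUser -UserId $Upn -AccountEnabled:$false

# Step 1: random 24-char password, forced change at next sign-in, then revoke every
# refresh token so sessions already open on the attacker's devices die as well.
$chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*'
$newPassword = -join (Get-Random -InputObject $chars -Count 24)
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# Step 2: list every registered MFA method with its type; remove any the user does not
# recognise (e.g. Remove-MgUserAuthenticationPhoneMethod -UserId $Upn -PhoneAuthenticationMethodId <Id>).
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } } |
    Format-Table -AutoSize

# Step 3: inbox rules that forward, redirect or silently delete mail are the classic
# attacker footprint; show them, then remove them.
$suspect = Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
}
$suspect | Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
$suspect | ForEach-Object { Remove-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false }

# Mailbox-level forwarding (not visible in the user's own Outlook rules view), then the
# tenant-wide auto-forwarding switch; 'Off' blocks external auto-forward for everyone.
Get-Mailbox -Identity $Upn | Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode

# Re-enable sign-in only after steps 4-5 confirm no other persistence remains:
# Update-MgUser -UserId $Upn -AccountEnabled:$true
```

Review the listed MFA methods and rules with the account owner before removing anything, since a legitimate rule can look identical to a malicious one.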

Step 4: Review the audit and sign-in logs

Microsoft 365 records sign-in activity and admin actions. Review the sign-in logs for unfamiliar locations, IP addresses, and successful logins, and check the audit log for what the attacker did — files accessed or downloaded, emails sent, settings changed, or new accounts created. This tells you the scope of the breach and what data may have been touched, which you need for any notification decisions.

Step 5: Check for added users, apps, and permissions

A determined attacker may try to establish persistence. Look for new user accounts you did not create, unexpected admin role assignments, and third-party (OAuth) apps that were granted access to your data — a sneaky way to retain access even after password resets. Revoke any app consents and permissions you do not recognize, and remove any rogue accounts.
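The investigation in steps 4 and 5 as one PowerShell run, added as an example that is not the post's own; it assumes the Microsoft Graph PowerShell SDK and Exchange Online Management module, a license that retains sign-in logs for the chosen window, and a placeholder account name.

```powershell
# Added example (not from the original post): the investigation in steps 4-5.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, a
# licence that retains sign-in logs for the window, and the audit-reader roles.
param([Parameter(Mandatory)][string]$Upn, [int]$Days = 30)

Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All','DelegatedPermissionGrant.ReadWrite.All'
Connect-ExchangeOnline
$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')

# Step 4a: successful sign-ins only, grouped by country, IP and client, most frequent
# first; a low count from a country the user never visits is the line to chase.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -All |
    Where-Object { $_.Status.ErrorCode -eq 0 } |
    Group-Object { "$($_.Location.CountryOrRegion) $($_.IpAddress) $($_.ClientAppUsed)" } |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Step 4b: what the account actually did. These are the operation names Microsoft
# records for rule changes, downloads, user/role changes and app consent.
$ops = 'New-InboxRule','Set-InboxRule','Set-Mailbox','FileDownloaded','FileSyncDownloadedFull',
       'Add user.','Add member to role.','Consent to application.'
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
    -UserIds $Upn -Operations $ops -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ When = $_.CreationDate; Op = $_.Operations; Ip = $d.ClientIP; Target = $d.ObjectId }
    } | Sort-Object When | Format-Table -AutoSize

# Step 5a: OAuth apps this user consented to. Revoke anything unfamiliar with
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>.
Get-MgUserOauth2PermissionGrant -UserId $Upn -All | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{ GrantId = $_.Id; App = $sp.DisplayName; Scopes = $_.Scope }
} | Format-Table -AutoSize

# Step 5b: accounts created in the window, and every directory role the user holds.
Get-MgUser -Filter "createdDateTime ge $since" -Property DisplayName,UserPrincipalName,CreatedDateTime `
    -ConsistencyLevel eventual -CountVariable n -All |
    Format-Table DisplayName, UserPrincipalName, CreatedDateTime
$userId = (Get-MgUser -UserId $Upn).Id
Get-MgDirectoryRole -All | Where-Object {
    (Get-MgDirectoryRoleMember -DirectoryRoleId $_.Id -All).Id -contains $userId
} | Format-Table DisplayName
```

Export the 4b table to CSV before cleanup begins, because it is the evidence you will need for the data-exposure assessment in step 6.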

Step 6: Assess data exposure and secure other accounts

Based on the audit log, determine what was accessed. If sensitive files or emails were exposed, you may have breach-notification obligations. Because credentials may have been reused, reset passwords on other important accounts too, and make sure your Microsoft 365 backups are intact in case the attacker deleted data.

Step 7: Harden the whole tenant

Recovering one account is a chance to fix the gap that let it happen. Enforce MFA for every user, disable legacy authentication protocols that bypass MFA, set up sign-in risk policies if your plan supports them, limit admin accounts, and review our guide on how to secure Microsoft 365. These steps turn a painful incident into a permanently stronger setup. It is also worth documenting exactly which hardening changes you made and when, so the whole team understands the new baseline and no one quietly reverses a setting that closed the gap.

Signs your Microsoft 365 account was compromised

Catching a compromise early limits the damage, so know the warning signs. Red flags include sign-ins from unfamiliar countries or IP addresses in the logs, inbox rules or forwarding you did not create, emails in your sent folder you never wrote, colleagues or clients reporting strange messages from you, MFA prompts you did not trigger, and unexpected changes to your mailbox or account settings. Inside the admin center, a sudden spike in failed sign-ins, newly registered authentication methods, or freshly consented third-party apps can all signal trouble. If you notice any of these, treat the account as compromised and work through the recovery steps above immediately rather than waiting to be certain — acting on suspicion costs little, while waiting for proof gives the attacker more time.

When to bring in help

If the compromised account had admin rights, multiple accounts were affected, or you are unsure whether the attacker is fully gone, get professional help. Microsoft 365 breaches can hide persistence mechanisms that are easy to miss, and a specialist can confirm the tenant is clean. Veteran Forge Strategies helps small businesses recover from Microsoft 365 compromises and lock down their environment. Confirm current steps in Microsoft’s official documentation, as the admin center evolves.

Key takeaways

  • Reset the password and revoke all sessions — a reset alone won’t kick out an active attacker.
  • Block sign-in to investigate, enable MFA, and remove any attacker-added MFA methods.
  • Hunt for malicious inbox rules and external forwarding — a favorite persistence trick.
  • Review sign-in and audit logs, and check for rogue users, apps, and admin roles.
  • Assess data exposure, reset linked accounts, and enforce MFA tenant-wide afterward.

Frequently asked questions

How do I recover a hacked Microsoft 365 account? Reset the password and revoke all sessions in the admin center, enable MFA, remove attacker-added methods and inbox rules, and review the audit logs for what was accessed.

Why isn’t a password reset enough? An attacker with an active session or an added MFA method or OAuth app can retain access — you must also revoke sessions and remove those persistence mechanisms.

How do I know what the attacker did? Use the Microsoft 365 sign-in and audit logs to see logins, files accessed, emails sent, and settings changed.
