Forum Discussion

John Gruber's avatar
John Gruber
Brass Contributor
Nov 14, 2022

Anything I'm forgetting?

I typically follow the following 14 steps when an account is compromised. Is there anything else I am forgetting?

  1. Reset account password
  2. Sign out of all sessions
  3. Remove the account from admin roles
  4. Re-enroll MFA
  5. Check for enterprise apps authorized for the user
  6. Scan devices for malware
  7. Review mailbox rules
  8. Review mail forwarding
  9. Move any emails that were deleted/moved to a new folder
  10. Review audit logs for any other unusual activity
  11. Unblock the account to allow sending emails
  12. Enable MFA
  13. Review email apps and change availability
  14. Review sign-in logs and check for additional security measures you can take
No RepliesBe the first to reply