John Gruber
Nov 14, 2022
Brass Contributor
Anything I'm forgetting?
I typically follow the following 14 steps when an account is compromised. Is there anything else I am forgetting?
- Reset account password
- Sign out of all sessions
- Remove the account from admin roles
- Re-enroll MFA
- Check for enterprise apps authorized for the user
- Scan devices for malware
- Review mailbox rules
- Review mail forwarding
- Move any emails that were deleted/moved to a new folder
- Review audit logs for any other unusual activity
- Unblock the account to allow sending emails
- Enable MFA
- Review email apps and change availability
- Review sign-in logs and check for additional security measures you can take
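
For the "Review mailbox rules" and "Review mail forwarding" steps in the list above, here is a read-only check, added as an example and not part of the original post. It assumes the mailbox is in Exchange Online, the ExchangeOnlineManagement module is installed, and `Connect-ExchangeOnline` has already been run; the function name `Test-ExternalRecipient` and the wording of the review reasons are illustrative.

```powershell
# Added example, not from the original post. Assumes an Exchange Online mailbox,
# the ExchangeOnlineManagement module, and an existing Connect-ExchangeOnline session.
param(
    [Parameter(Mandatory)]
    [string]$UserPrincipalName   # mailbox of the compromised account
)

# Domains the tenant owns; any other recipient domain is treated as external.
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" })

function Test-ExternalRecipient {
    param([string]$Text)
    # Pull every SMTP address out of the recipient text and compare its domain.
    foreach ($m in [regex]::Matches($Text, '[\w.+-]+@([\w-]+(?:\.[\w-]+)+)')) {
        if ($internalDomains -notcontains $m.Groups[1].Value) { return $true }
    }
    return $false
}

# Mailbox-level forwarding is set on the mailbox itself and does not show up as a rule.
Get-Mailbox -Identity $UserPrincipalName |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Inbox rules, hidden ones included, each annotated with why it deserves a look.
Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden | ForEach-Object {
    $reasons = @()
    $targets = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join ' '

    if (Test-ExternalRecipient $targets) { $reasons += 'forwards or redirects outside the tenant' }
    elseif ($targets.Trim())             { $reasons += 'forwards or redirects (no external SMTP address found)' }
    if ($_.DeleteMessage)                { $reasons += 'deletes matching mail' }
    if ($_.MoveToFolder)                 { $reasons += "moves mail to '$($_.MoveToFolder)'" }
    if ($_.MarkAsRead)                   { $reasons += 'marks mail as read' }

    [pscustomobject]@{
        Name    = $_.Name
        Enabled = $_.Enabled
        Review  = if ($reasons) { $reasons -join '; ' } else { 'no forwarding, delete or move action' }
    }
} | Format-Table -AutoSize -Wrap
```

The script only reads configuration. Rules or forwarding settings it surfaces still need a manual decision before anything is removed.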