Forum Discussion
Fastest workflow to block a phished user?
If a user gets phished, or his credentials get leaked - what's the first thing you do, before you start investigating the issue? A few questions concerning this issue:
- Is it enough to block the user in the Office 365 Admin Center?
- Should I reset his password, or is blocking the user enough?
- If the user is blocked, and he still has an active Exchange Online session, can the blocked user still send e-mails?
3 Replies
Hello Kiril
1) If a user gets phished, or his credentials get leaked - what's the first thing you do, before you start investigating the issue?
Please see the link below
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide
2) If the user is blocked, and he still has an active Exchange Online session, can the blocked user still send e-mails?
The user will not be able to send outbound emails until they are unblocked. The user is added to the Restricted users page in the Microsoft 365 Defender portal. When they try to send email, the message is returned in a non-delivery report (also known as an NDR or bounce message) with the error code 5.1.8 and the following text: "Your message couldn't be delivered because you weren't recognized as a valid sender. The most common reason for this is that your email address is suspected of sending spam and it's no longer allowed to send email. Contact your email admin for assistance. Remote Server returned '550 5.1.8 Access denied, bad outbound sender."
- Kiril (Iron Contributor)
EmekaNgene, thank you.
I think you misunderstood question 2): the question was about blocking a user in the Microsoft admin center (https://admin.microsoft.com/ -> Active users -> select user -> Block sign-in) - not about restricted users. If I block a user through the Microsoft admin center, this user is not added to the restricted users. Thus my question: is blocking the sign-in of a user restricting him from sending e-mail, in case he has an active session?
Follow-up question: is it possible to manually add a user to the restricted users list, if I suspect him to be phished?
- Hello Kiril
1) Is blocking the sign-in of a user restricting him from sending e-mail, in case he has an active session?
It won't restrict him from sending email or stop active sessions; it will stop further sign-ins to the mailbox. To stop active sessions you will have to sign him out from all active sessions using the Sign out of all sessions tab under the accounts tab in the user's properties pane in the admin center.
Within an hour - or after he leaves the current Microsoft 365 page he was on - he is prompted to sign in again. An access token is good for an hour, so the timeline depends on how much time is left on that token, and whether he navigates out of his current webpage.
However, if he is in Outlook on the web, just clicking around in his mailbox, he may not be kicked out immediately. As soon as he selects a different tile, such as OneDrive, or refreshes his browser, the sign-out is initiated.
2) Follow-up question: is it possible to manually add a user to the restricted users list, if I suspect him to be phished?
It is not possible to add a user manually to the restricted users list.
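
The two containment steps from the last reply (block sign-in, then sign the user out of all sessions), scripted with the Microsoft Graph PowerShell SDK. This is an added example, not part of the thread and not Microsoft's own code. The function name `Invoke-PhishedUserContainment` and the sample UPN are hypothetical, and it assumes the operator holds an admin role allowed to consent to and use the `User.ReadWrite.All` scope.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function Invoke-PhishedUserContainment {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName
    )

    $props = 'id,userPrincipalName,accountEnabled,signInSessionsValidFromDateTime'
    $before = Get-MgUser -UserId $UserPrincipalName -Property $props -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess($before.UserPrincipalName, 'Block sign-in and revoke sessions')) {
        # Step 1: block sign-in. Per the reply above, this only stops NEW sign-ins;
        # sessions that are already open keep working.
        Update-MgUser -UserId $before.Id -AccountEnabled:$false -ErrorAction Stop

        # Step 2: the scripted equivalent of "Sign out of all sessions".
        # Refresh tokens and browser session cookies are invalidated; an access
        # token that was already issued stays usable until it expires.
        Revoke-MgUserSignInSession -UserId $before.Id -ErrorAction Stop | Out-Null
    }

    # Read the account back so the change is recorded in the incident notes.
    $after = Get-MgUser -UserId $before.Id -Property $props -ErrorAction Stop

    [pscustomobject]@{
        User                   = $after.UserPrincipalName
        SignInBlocked          = -not $after.AccountEnabled
        SessionsValidFromPrior = $before.SignInSessionsValidFromDateTime
        SessionsValidFromNow   = $after.SignInSessionsValidFromDateTime
        ContainedAtUtc         = (Get-Date).ToUniversalTime()
    }
}

# Usage. The UPN below is a constructed placeholder; run with -WhatIf first
# to see what would be changed without touching the account.
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Invoke-PhishedUserContainment -UserPrincipalName 'phished.user@example.com'
```

`SessionsValidFromNow` should be later than `SessionsValidFromPrior` once the revocation has been applied; if the two values match, read the account again after a short wait before assuming the sessions are gone.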