Home

How to stop mail sending IMMEDIATELY if account compromised

Brent Ellis
Valued Contributor

We have a compromised credential, sending out bad emails.  We have reset the password, run a "Revoke-AzureADUserAllRefreshToken" on the user's account.

 

If we have reason to believe a malicious user is logged in via OWA, what else can be done to shut things down IMMEDIATELY.

3 Replies

Hi Brent,

 

The fastest way is to create a Transport Rule to avoid that, because the token's could take some time to take effect.

You might want to take a look at this PowerShell-script:

https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/RemediateBreachedAccount.ps1

 

This script will allow you to execute a recommended set of steps to fully re-secure and remediate a known breached account in Office 365.
It peforms the following actions:
Reset password (which kills the session).
Remove mailbox delegates.
Remove mailforwarding rules to external domains.
Remove global mailforwarding property on mailbox.
Enable MFA on the user's account.
Set password complexity on the account to be high.
Enable mailbox auditing.
Produce Audit Log for the admin to review.

 

Changing password doesnt invalidate access tokens though, I think this is still not rolled in to the service. So as Nuno suggested, some additional actions might be required to immediatelly block access. I've seen also people disabling mail protocols (Set-CasMailbox) or changing the mailbox quota to something below the limit, etc.