Sep 19 2017 11:13 AM
We have a compromised credential, sending out bad emails. We have reset the password, run a "Revoke-AzureADUserAllRefreshToken" on the user's account.
If we have reason to believe a malicious user is logged in via OWA, what else can be done to shut things down IMMEDIATELY?
Sep 19 2017 12:24 PM
Hi Brent,
The fastest way is to create a Transport Rule to avoid that, because the tokens could take some time to take effect.
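An added example of the containment step described above (this is not code from the thread): an emergency mail flow rule that drops anything the compromised mailbox tries to send while the token revocation propagates. It assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline) and uses a constructed placeholder address.

```powershell
# Added example (not from the thread): emergency transport rule that stops a
# compromised mailbox from sending mail while token revocation takes effect.
# Assumes an open Exchange Online session (Connect-ExchangeOnline).
# The address below is a constructed placeholder.
$compromisedUser = 'user@contoso.example'

# Priority 0 puts the rule ahead of every other rule; Mode Enforce applies it
# right away instead of Audit/TestWithPolicyTips. Dropping the message means
# nothing leaves the tenant and no NDR is returned to the attacker's session.
New-TransportRule -Name "IR-Block-Outbound-$compromisedUser" `
    -Priority 0 `
    -Mode Enforce `
    -From $compromisedUser `
    -DeleteMessage $true `
    -Comments "Incident containment: created $(Get-Date -Format u). Remove after remediation."

# Verify the rule is enabled and sitting at the top of the rule stack.
Get-TransportRule -Identity "IR-Block-Outbound-$compromisedUser" |
    Format-List Name, State, Priority, Mode, From, DeleteMessage

# Once the account is remediated, take the rule down again:
# Remove-TransportRule -Identity "IR-Block-Outbound-$compromisedUser" -Confirm:$false
```

Two caveats worth knowing when you rely on this: rule changes take a few minutes to replicate across the transport service, and the rule only affects mail that goes through Exchange Online transport. It does not stop someone who is already signed in from reading the mailbox, so it is a stopgap alongside revoking sessions, not a replacement for it.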
Sep 20 2017 05:03 AM
You might want to take a look at this PowerShell-script:
https://github.com/OfficeDev/O365-InvestigationTooling/blob/master/RemediateBreachedAccount.ps1
This script will allow you to execute a recommended set of steps to fully re-secure and remediate a known breached account in Office 365.
It performs the following actions:
Reset password (which kills the session).
Remove mailbox delegates.
Remove mail forwarding rules to external domains.
Remove global mail forwarding property on mailbox.
Enable MFA on the user's account.
Set password complexity on the account to be high.
Enable mailbox auditing.
Produce Audit Log for the admin to review.
Sep 20 2017 07:19 AM
Changing password doesn't invalidate access tokens though, I think this is still not rolled into the service. So as Nuno suggested, some additional actions might be required to immediately block access. I've also seen people disabling mail protocols (Set-CasMailbox) or changing the mailbox quota to something below the limit, etc.
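The following added example ties together the step list from the OfficeDev script post above and the Set-CasMailbox suggestion in this reply. It is not the OfficeDev script and not code from the thread: it is a single function that runs containment first (disable sign-in, revoke tokens, cut client protocols) and only then does the cleanup and hardening. It assumes open sessions from Connect-ExchangeOnline, Connect-MsolService and Connect-AzureAD; the MSOnline and AzureAD modules are the ones of the thread's era and have since been superseded by Microsoft Graph PowerShell. The user principal name is a constructed placeholder.

```powershell
# Added example (not the OfficeDev script from the thread): containment-first
# remediation of a breached Office 365 account. Assumes sessions opened with
# Connect-ExchangeOnline, Connect-MsolService and Connect-AzureAD (modules of
# the thread's era, since superseded by Microsoft Graph PowerShell).
function Invoke-BreachedAccountContainment {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    # 1. Cut access first. Sessions already signed in to OWA/ActiveSync keep
    #    working on their issued tokens, so block sign-in and the client
    #    protocols instead of waiting for the password change to take effect.
    Set-AzureADUser -ObjectId $UserPrincipalName -AccountEnabled $false
    Revoke-AzureADUserAllRefreshToken -ObjectId $UserPrincipalName
    Set-CASMailbox -Identity $UserPrincipalName `
        -OWAEnabled $false -ActiveSyncEnabled $false -EwsEnabled $false `
        -MAPIEnabled $false -PopEnabled $false -ImapEnabled $false

    # 2. Reset the password to a generated value (returned by the cmdlet) and
    #    require strong passwords and a change at next sign-in.
    $newPassword = Set-MsolUserPassword -UserPrincipalName $UserPrincipalName -ForceChangePassword $true
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongPasswordRequired $true

    # 3. Remove persistence the attacker may have left behind.
    # Mailbox-level forwarding property
    Set-Mailbox -Identity $UserPrincipalName `
        -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
    # Inbox rules that forward or redirect mail
    $suspectRules = @(Get-InboxRule -Mailbox $UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo })
    $suspectRules | Remove-InboxRule -Confirm:$false
    # Explicitly granted (non-inherited) delegates other than the mailbox owner
    $delegates = @(Get-MailboxPermission -Identity $UserPrincipalName |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' })
    foreach ($d in $delegates) {
        Remove-MailboxPermission -Identity $UserPrincipalName -User $d.User `
            -AccessRights $d.AccessRights -Confirm:$false
    }

    # 4. Harden the account and make sure future activity is recorded.
    $mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $mfa.RelyingParty = '*'
    $mfa.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($mfa)
    Set-Mailbox -Identity $UserPrincipalName -AuditEnabled $true

    # 5. Pull the last 7 days of unified audit log entries for the investigator.
    $audit = @(Search-UnifiedAuditLog -UserIds $UserPrincipalName `
        -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 5000)

    [pscustomobject]@{
        User              = $UserPrincipalName
        TemporaryPassword = $newPassword
        RulesRemoved      = $suspectRules.Count
        DelegatesRemoved  = $delegates.Count
        AuditEvents       = $audit.Count
    }
}

# Constructed placeholder; use the real UPN from the incident.
# Invoke-BreachedAccountContainment -UserPrincipalName 'user@contoso.example'
```

The order matters more than the individual cmdlets: disabling the account and the client protocols is what actually ends a live OWA session, while the password reset, forwarding cleanup and MFA enrolment deal with re-entry. Once the investigation is done the account is re-enabled with Set-AzureADUser -AccountEnabled $true and the protocols restored with the matching Set-CASMailbox switches, ideally one at a time as the user needs them.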