If you have landed here because a Microsoft 365 account at your organization has been — or might have been — hijacked, take a breath. This guide walks through exactly what to do, in priority order. The goal of the first hour is simple: stop the attacker's access, preserve the evidence, and find out what they touched before you start changing things.
Business Email Compromise is the second-costliest category of cybercrime in the United States, responsible for more than $3 billion in reported losses in 2025 according to the FBI's Internet Crime Complaint Center, with an average loss exceeding $120,000 per incident. Most of that money moves by wire transfer within hours — which is why speed matters.
Signs your Microsoft 365 account is compromised
Common indicators include: colleagues or clients receiving emails you didn't send, messages disappearing from your Sent or Inbox folders, unexpected mailbox rules that move or delete mail, sign-in alerts from unfamiliar locations, or a vendor reporting that they received new (fraudulent) payment instructions from your address.
The response checklist
1. Block the attacker's access immediately
Block sign-in for the user in the Microsoft 365 admin center (or the Microsoft Entra admin center) while you investigate; that is cleaner than deleting the account, which would also discard the mailbox and the evidence in it. Do not rely on a password change alone: it does not end sessions the attacker already holds (see step 2).
2. Revoke active sessions and tokens
This is the step most people miss. Modern adversary-in-the-middle phishing kits steal the session cookie and tokens, not just the password, so changing the password alone does not lock the attacker out. In Microsoft Entra ID, revoke the user's sign-in sessions (the "Revoke sessions" action on the user, or Revoke-MgUserSignInSession in Microsoft Graph PowerShell); this invalidates refresh tokens and browser session cookies, so stolen tokens can no longer be renewed. Two caveats: access tokens already issued stay valid until they expire (about an hour by default) unless the client and service support Continuous Access Evaluation, and app passwords are not revoked by this action. Delete any app passwords on the account, and recreate one only if a legacy client genuinely still needs it.
3. Reset the password — but not over email
Set a new, unique password and require the user to re-register MFA. Before that, review the authentication methods registered on the account and remove any phone number, authenticator app or security key the user does not recognise; attackers routinely add their own MFA method so that they survive a password reset. Communicate the new credentials through a channel the attacker cannot read (phone or in person), never through the compromised account.
4. Preserve evidence before you clean up
Before deleting rules or messages, preserve the record. Place the mailbox on Litigation Hold (or an eDiscovery hold) so deleted items are retained; note that Litigation Hold requires an Exchange Online Plan 2 license, or Plan 1 with the Exchange Online Archiving add-on. Confirm Unified Audit Logging is enabled (it is on by default for most tenants, but verify) and export the relevant window now, because audit retention is measured in months and depends on your license. If you remediate first and preserve later, you may destroy the very evidence you need for an insurance claim or law-enforcement report.
5. Hunt for persistence: inbox rules and forwarding
The number-one persistence trick in BEC is a malicious inbox rule: one that forwards or redirects mail to an external address, deletes replies, or quietly moves messages containing words like "invoice," "payment," or "wire" to a folder the victim never checks (RSS Feeds and Conversation History are favourites), often named "." or a single letter so it is easy to overlook. Review the mailbox's inbox rules, mailbox-level forwarding (ForwardingSmtpAddress, ForwardingAddress and DeliverToMailboxAndForward on the mailbox), and Exchange mail flow (transport) rules, which an attacker can only have created with admin rights. In the Unified Audit Log the relevant operations are New-InboxRule, Set-InboxRule, UpdateInboxRules (rules created from Outlook desktop) and Set-Mailbox; look for RedirectTo, ForwardTo, ForwardAsAttachmentTo, DeleteMessage and MoveToFolder actions. Remove what you find only once the hold from step 4 is in place, and consider blocking automatic external forwarding tenant-wide in the outbound spam policy.
6. Reconstruct what the attacker accessed
Use the Unified Audit Log together with Entra ID sign-in logs and the MailItemsAccessed mailbox-audit events to build a timeline: when access began, which IPs, user agents and session IDs were involved, what was read, searched or exported, and when it ended. Correlate on the session ID that the Entra sign-in record and the MailItemsAccessed records share, and treat any MailItemsAccessed record with IsThrottled set to true as incomplete, because Exchange stops logging individual bind records once a mailbox exceeds 1,000 of them in 24 hours. Pull the sources early: Entra ID keeps sign-in logs for only 30 days (7 on the free tier), and MailItemsAccessed is populated only where mailbox auditing is on and your audit license includes it, so confirm it is present before relying on it. The timeline determines your real exposure, for example whether sensitive data was accessed and breach-notification duties are triggered.
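The script below is an example added here to show steps 5 and 6 in working code; it is not code from this guide or from BreachLens. It assumes the compliance-portal CSV export (columns CreationDate, UserIds, Operations, AuditData, where AuditData is a JSON blob) and the field names Exchange and Entra ID write into that blob (ClientIP with an optional port on admin events, ClientIPAddress on MailItemsAccessed, Parameters, OperationProperties, Folders/FolderItems). The five sample events, every address, IP and ID, and the office-egress allow-list are constructed for illustration.

```python
"""Triage a Microsoft 365 Unified Audit Log export for BEC indicators (steps 5 and 6).

Added example, not code from the original guide. Assumes the compliance-portal CSV
export (CreationDate, UserIds, Operations, AuditData with a JSON blob) and the field
names Exchange and Entra ID write into that blob. All addresses, IPs and IDs are constructed.
"""
import csv, io, json
from collections import defaultdict

# Inbox-rule parameters that hide, delete or exfiltrate mail, and mailbox-level forwarding.
SUSPECT_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                       "DeleteMessage", "MoveToFolder", "MarkAsRead"}
SUSPECT_MAILBOX_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress", "DeliverToMailboxAndForward"}
KNOWN_GOOD_IPS = {"198.51.100.10"}  # constructed: the organisation's office egress

# Constructed AuditData payloads (UTC), in the shape the Unified Audit Log records them.
SAMPLE_EVENTS = [
    {"CreationTime": "2025-03-04T02:11:07", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "victim@example.com", "ClientIP": "203.0.113.77", "ResultStatus": "Success",
     "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0 (X11; Linux x86_64)"}]},
    {"CreationTime": "2025-03-04T02:13:40", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "victim@example.com", "ClientIP": "203.0.113.77:51212",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-03-04T02:14:05", "Operation": "Set-Mailbox", "Workload": "Exchange",
     "UserId": "victim@example.com", "ClientIP": "203.0.113.77:51212",
     "Parameters": [{"Name": "Identity", "Value": "victim@example.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2025-03-04T02:20:31", "Operation": "MailItemsAccessed", "Workload": "Exchange",
     "UserId": "victim@example.com", "ClientIPAddress": "203.0.113.77",
     "SessionId": "3f9b1c2e-0000-4000-8000-000000000001",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"}, {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [{"InternetMessageId": "<inv-1041@vendor.example>"},
                                                     {"InternetMessageId": "<wire-conf@bank.example>"}]}]},
    {"CreationTime": "2025-03-04T08:02:12", "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
     "UserId": "victim@example.com", "ClientIP": "198.51.100.10", "ResultStatus": "Success"},
]

def build_export(events):
    """Write events in the portal's CSV layout so the parser below sees realistic input."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    w.writerows([e["CreationTime"], e["UserId"], e["Operation"], json.dumps(e)] for e in events)
    return buf.getvalue()

def parse_export(text):
    """Decode the AuditData blob of every row and return the events oldest first."""
    rows = [json.loads(r["AuditData"]) for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda e: e["CreationTime"])

def client_ip(ev):
    """Admin events carry ClientIP (often with a port); MailItemsAccessed carries ClientIPAddress."""
    raw = ev.get("ClientIP") or ev.get("ClientIPAddress") or ""
    return raw.rsplit(":", 1)[0] if raw.count(":") == 1 else raw  # strip an IPv4 port, leave IPv6 alone

def find_persistence(events):
    """Step 5: flag inbox rules and mailbox forwarding that move, hide or exfiltrate mail.
    Caveat: rules created from Outlook desktop log as UpdateInboxRules with a different
    payload and are not parsed here, so also review live Get-InboxRule output."""
    hits = []
    for ev in events:
        p = {x["Name"]: x["Value"] for x in ev.get("Parameters", [])}
        if ev["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            flagged, target = SUSPECT_RULE_PARAMS.intersection(p), p.get("Name", "?")
        elif ev["Operation"] == "Set-Mailbox":
            flagged, target = SUSPECT_MAILBOX_PARAMS.intersection(p), p.get("Identity", "?")
        else:
            continue
        if flagged:
            hits.append({"time": ev["CreationTime"], "operation": ev["Operation"], "target": target,
                         "ip": client_ip(ev), "actions": {k: p[k] for k in sorted(flagged)}})
    return hits

def build_timeline(events, known_good_ips=KNOWN_GOOD_IPS):
    """Step 6: summarise activity per source IP; return (summary, IPs not in the allow-list)."""
    by_ip = defaultdict(lambda: {"first": None, "last": None, "operations": [],
                                 "messages": set(), "throttled": False})
    for ev in events:
        s = by_ip[client_ip(ev) or "unknown"]
        s["first"] = s["first"] or ev["CreationTime"]
        s["last"] = ev["CreationTime"]
        s["operations"].append(ev["Operation"])
        if ev["Operation"] == "MailItemsAccessed":
            props = {o["Name"]: o["Value"] for o in ev.get("OperationProperties", [])}
            # IsThrottled=True means Exchange stopped logging individual bind records that
            # day, so the message set is a floor on what was read, not the full list.
            s["throttled"] |= props.get("IsThrottled") == "True"
            for folder in ev.get("Folders", []):
                s["messages"].update(i["InternetMessageId"] for i in folder.get("FolderItems", []))
    return dict(by_ip), [ip for ip in by_ip if ip not in known_good_ips]

if __name__ == "__main__":
    evs = parse_export(build_export(SAMPLE_EVENTS))
    for hit in find_persistence(evs):
        print("PERSISTENCE", hit)
    summary, unknown = build_timeline(evs)
    for ip in unknown:
        s = summary[ip]
        print(f"UNKNOWN IP {ip}: {s['first']} to {s['last']} ops={s['operations']} "
              f"messages_read={len(s['messages'])} throttled={s['throttled']}")
```

On the sample data the script flags the "." rule (MoveToFolder, MarkAsRead) and the Set-Mailbox forwarding change, and groups the sign-in, both changes and the two messages read under 203.0.113.77, the one IP outside the allow-list. Against a real export, replace SAMPLE_EVENTS with parse_export(open(path).read()) and feed the flagged rules back into step 5's clean-up and the per-IP summary into the exposure assessment; extend the allow-list and the suspect-parameter sets to match your tenant.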
7. Check for wider blast radius
Attackers use one mailbox to phish others, both inside the organisation and at partners and clients (lateral phishing). Check the Sent Items and Deleted Items folders and the message trace for mail the attacker sent, review and remove any OAuth application consents the user granted (a malicious app's consent survives a password reset), check whether the account held admin roles or had access to shared mailboxes, and look for the same indicators (new rules, unfamiliar sign-in IPs) across other mailboxes that received messages from the compromised account.
8. Report and notify
If funds were sent, contact your bank immediately to request a recall, and file a complaint with the FBI's IC3 (ic3.gov); its Recovery Asset Team can attempt to freeze domestic wire transfers when notified quickly, ideally within 72 hours. Notify your cyber-insurance carrier (many policies require prompt notice and specify approved forensic vendors), and assess legal and regulatory notification obligations based on what data was accessed.
Why a forensic timeline is the hard part
Steps 4 through 6, turning thousands of raw M365 log events into a clear, defensible timeline of attacker activity, are where most teams lose days. This is exactly what BreachLens automates: upload your Microsoft 365 audit export and it reconstructs the sequence of sign-ins, rule changes, mailbox access and exfiltration into a readable report, so you can answer "what happened and how bad is it?" in minutes instead of days.