Breach – CIAOPS

Introduction
When you suspect that a user account in your Microsoft 365 Business Premium tenant has been breached, it’s crucial to act quickly and methodically to contain the threat and protect your organization. A “breach” in this context refers to an account compromise – an unauthorized party has gained access to a user’s credentials or account, potentially giving them entry to the user’s email, files, and other services[2]. Microsoft 365 Business Premium is a subscription for small and medium businesses that combines productivity apps (Office, Teams, etc.) with advanced security features like Microsoft Defender, Azure AD Premium P1 (for Conditional Access), and Intune device management[5]. These tools are designed to help prevent, detect, and respond to security incidents.

This report provides a step-by-step guide on what to check and what actions to take if you suspect a user account breach. It covers how to recognize the signs of compromise, immediate response steps to secure the account, tools available in M365 Business Premium for investigation, and best practices to prevent future incidents. Throughout, we emphasize following Microsoft’s security best practices and using the built-in features of your Business Premium tenant to safeguard your organization.

Recognizing a Compromised Account

Identifying a breach early is critical. There are several warning signs that a Microsoft 365 user account might be compromised:

Unusual Email Activity: The user’s mailbox might be sending out spam or phishing emails without their knowledge. In fact, Microsoft may automatically block a mailbox from sending email if it detects spam-like behavior[2]. Check the Sent Items and Deleted Items folders for messages the user didn’t send, especially bizarre pleas for help or money (e.g. “I’m stuck abroad, send money”)[2].
Suspicious Inbox Rules: Attackers often create inbox rules to hide their activities. For example, rules that auto-forward emails to an unknown external address or move certain messages (like security alerts) to folders like Junk, RSS Feeds, or Notes are a red flag[2]. These rules help the attacker covertly forward or conceal communications.
Missing or Deleted Emails: Important emails might go missing. This could indicate the attacker is deleting notifications or moving messages to obscure folders to cover their tracks[2].
Changes to User Profile: Any unexpected changes to the user’s profile or contacts could indicate tampering. For instance, if the user’s name, phone number, or address in the Global Address List was altered without reason, that’s suspicious[2].
Password and Access Anomalies: Be alert to unexplained password changes or frequent account lockouts. If the user reports being locked out often, or you see multiple failed login attempts, someone might be trying to brute-force the account[2]. Also, if the password was suddenly changed (and not by the user or admin), that’s a sign of compromise.
External Forwarding Enabled: Auto-forwarding of email to external addresses that the user never configured is a common sign. A newly added forwarding address (especially to a suspicious domain) is a strong indicator of a breach[2].
Odd Email Signatures or Settings: Check if the email signature or reply-to address was changed to something unusual (e.g. an attacker might add a fake company signature or a scam message)[2]. Also verify if any mailbox delegates or sharing permissions were added unexpectedly.
Alert from Security Tools: Microsoft Defender or the Security Center might flag the user as “at risk” or issue alerts about unusual sign-in locations, impossible travel (logins from distant locations in a short time), or other suspicious activities if such monitoring is in place.

Any one of these symptoms should prompt an investigation. In many cases, the user themselves or colleagues might notice odd emails being sent, or the admin might receive an alert. Once you have suspicion, proceed with the response steps immediately.

Immediate Response: Contain and Secure the Account

Upon suspecting a breach, speed is essential. Your first objective is to contain the incident – prevent the attacker from doing more harm – and secure the affected account. Below are the urgent steps to take:

1. Disable or Lock the Account – Immediately prevent further access by the attacker. The safest approach is to disable the compromised user account (temporarily block sign-in) until the investigation is complete[2]. This ensures the attacker (and even the user) cannot log in. If you cannot disable it (or if that’s too disruptive initially), then reset the user’s password right away[2]. When resetting:

Use a strong, unique password that the attacker can’t easily guess[2]. Include a mix of upper/lowercase letters, numbers, and symbols.
Do not email the new password to the user[2] – communicate it out-of-band (e.g. via phone or in person), since the attacker may still have mailbox access.
If your environment syncs with on-premises Active Directory, reset the password there and force a sync. Reset it twice if possible to mitigate any “pass-the-hash” token persistence[2].
Enforce Multi-Factor Authentication (MFA) if not already enabled[2]. Turn on MFA for the account (and preferably for all accounts, see best practices below). MFA adds a critical additional verification step and drastically reduces the chance of reuse of stolen credentials. Microsoft reports that over 99.9% of compromised account incidents involve accounts without MFA enabled[3], so this is one of the most effective safeguards.

2. Revoke Active Sessions and Tokens – Even after a password reset, an attacker might have a session token that keeps their login alive. You need to forcefully sign the user out of all sessions to kick out the intruder. In Azure AD (Microsoft Entra ID), use the option to revoke user sessions (there’s a PowerShell cmdlet Revoke-MgUserSignInSession or an Azure portal button for this)[2][2]. This invalidates any refresh tokens the attacker may be using, prompting for the new password and MFA. Essentially, it shuts the door on any active sessions immediately.

3. Check MFA Devices and Methods – If the account was already using MFA, verify the attacker didn’t register their own authentication device. In the Microsoft Entra admin center, review the MFA settings for the user (phone numbers, authenticator apps, etc.)[2]. Remove any unfamiliar phone numbers or devices that have been added by the attacker[2]. This ensures the attacker cannot bypass security by using a device or app they registered. While there, double-check that only the correct MFA methods are configured.

4. Remove Suspicious Email Rules and Forwarding – Attackers often try to maintain access or siphon data via malicious email rules. Examine the user’s mailbox for any inbox rules or forwarding addresses that the attacker may have set up[2][2]. Focus on:

External Forwarding Addresses: In Exchange Online, check if SMTP forwarding is enabled on the mailbox to an external address[2][2]. Also look for Inbox rules that forward or redirect messages to another address[2]. Remove any rules or forwarding that the user didn’t set themselves.
Hidden or obfuscated rules: Some rules might be hidden or have innocuous names. Look at all rules (enabled/disabled) for any that move or copy messages to unusual folders or external recipients[2]. Delete anything suspicious.
Auto-reply or deletion rules: Similarly, remove any rule that auto-deletes certain messages or auto-responds with unusual messages. These could be part of the attacker’s cover-up or further phishing attempts.

By cleaning up these rules, you stop any ongoing data exfiltration (like forwarding emails out) and ensure the user will receive all their emails normally once back in control.

5. Remove Unauthorized Applications and Sessions – Check if the attacker granted any OAuth access or added any apps to the account:

In Azure AD, review the user’s app registrations or consented permissions. If you spot any unfamiliar third-party application that has access to the user’s data (via OAuth consent), revoke that access[2]. For instance, an attacker might have tricked the user into granting a malicious app permission to read emails. Removing the app’s access will block that route.
Also review any active mailbox sessions or mail apps. In the Exchange admin center, you can see if there are any mobile devices connected to the mailbox (and you can wipe or block unknown ones). If an attacker added a new smartphone to receive mail, remove it.
If the user had any delegations (like another user granted send-as or full access rights recently), verify those are legitimate. An attacker who compromised an admin account might abuse roles, but for a single user compromise, focus on that user’s access.

6. Check and Remove Illicit Admin Role Assignments – Typically a regular user won’t have admin roles, but it’s worth verifying the affected account’s roles. In Azure AD, list the directory roles assigned to that user[2]. If the attacker managed to assign the user a role like Global Admin or any elevated role (this would be rare without prior admin access), remove those roles immediately[2]. Ensure the account is back to its intended privilege level. This step is mostly precautionary for completeness.

7. Scan the User’s Devices for Malware – If the user’s computer or phone was used in the breach (for example, they fell for a phishing email that installed malware or a keylogger), that device could be compromised. Microsoft 365 Business Premium includes Microsoft Defender for Business (endpoint protection). Use it or another antivirus to run a full scan on the user’s devices. Look for malware, keyloggers, or unauthorized remote access tools. Remove any found threats and ensure the device is patched and secure before the user logs in again. If the device is heavily compromised, consider reimaging it. This step helps ensure the breach wasn’t a result of local device compromise and that the attacker hasn’t left backdoors.

By completing these containment steps, you lock out the attacker and start regaining control of the account. The account should remain disabled (or the user kept off it) until you finish further investigation and remediation. Now that the immediate threat is contained, you can delve into investigating the scope of the breach.

Investigating the Breach

With the account secured from further abuse, the next phase is to investigate what happened and assess the impact. Microsoft 365 provides logs and tools that can help determine how the account was breached and what the attacker did while they had access. Here are the key investigation steps:

1. Review Sign-in Activity (Azure AD Logs) – In the Microsoft Entra ID (Azure AD) admin center, check the Sign-in Logs for the compromised account[2]. These logs show every login attempt, including successful authentications and failures. Key details to look for:

Sign-in Time and Location: Identify any login times that the user wasn’t active, or locations/IP addresses that are unusual for your organization[2]. For example, if your user is based in New York and suddenly there were successful logins from overseas or at 3 AM local time, that’s indicative of attacker activity.
Client App/Protocol: See if the logins were via web browser, mobile, IMAP, etc. A compromised password might be used by attackers via legacy protocols (IMAP/POP) to bypass MFA. If you see successful IMAP logins (and you don’t expect them), that’s a sign the attacker used legacy authentication.
Sign-in Status and MFA: Note if there were multiple failed attempts before a success, which could indicate a brute-force or password spray. Check if MFA was challenged and whether it passed or was skipped (e.g. “MFA requirement satisfied by claim” means a token refreshed without MFA – possibly an attacker with a persistent session).

These logs help establish when the account was first accessed by the attacker, and from where. Make sure to adjust the time range to cover from just before the suspicious activity was noticed up to present[2]. If your license includes Azure AD Identity Protection (AAD P2 is usually needed, not in Business Premium by default), also review any Risky Sign-in or Risky User alerts. Even without P2, Azure AD may flag “unfamiliar sign-in properties” or “impossible travel” in sign-in logs.

2. Audit Microsoft 365 Activity Logs – Enable and search the Unified Audit Log (in the Microsoft Purview Compliance portal or Microsoft 365 Defender portal)[2]. This log aggregates activities from across Exchange, SharePoint, OneDrive, Azure AD, etc. Search for actions related to the compromised account. Important things to look for in the timeframe of the breach:

Mailbox Activities: Look for any mailbox settings changes. Audit log entries like “Set-Mailbox”, “Set-InboxRule”, “Add-MailboxPermission”, or “Update” actions on the mailbox could show when forwarding was added or rules were created. Also search for mailbox login events and mail send events by that user.
Email Send/Delivery: Use Message Trace (in the Defender portal or Exchange admin center) to see messages sent from the account during the breach[2][2]. Identify who received those emails; this helps in knowing if the attacker tried to phish internal or external people using this account. Check the contents if possible (look in Sent Items) to understand the attacker’s aim (spam, fraud, etc.).
SharePoint/OneDrive Access: If the user had access to sensitive files, search the audit log for file access or download activities by this user that are out of the ordinary. An attacker might try to steal data. For example, see if there were mass file downloads or sharing link creations by the account.
Azure AD Changes: See if the account was added to groups, or if any other user accounts or settings were modified by this account. If so, the breach impact might be broader (e.g., adding to an admin group). Also check if any other accounts show signs of suspicious activity around the same time – the attacker might have tried multiple accounts.

Tip: Start with broad searches in the audit log (don’t filter too narrowly initially)[2]. For instance, filter by the user and a date range, and review all activities. Once you spot something, you can drill down further. Audit logs will help you pinpoint the actions of the attacker, the timeline of the compromise, and any changes made.

3. Assess Email Forwarding and Delegation – Confirm if (and when) forwarding was set up. From our earlier step we removed any forwards; now note when they were created and where they were pointing[2]. This tells you if the attacker was exfiltrating mail to a specific address (save that indicator for future blocking). Also check if the attacker added any ** mailbox delegates** (granting another account access to this mailbox) in the audit log. Remove those if found, and include it in the incident timeline.

**4. Check for *Illicit Consent* Grants** – If not already done in containment, verify in Azure AD’s Enterprise Apps > User settings if any OAuth consent was granted by this user to a malicious app[2]. The audit log might show an entry for “Consent to application” if the user was tricked into granting access. Attackers sometimes use OAuth apps to maintain access without needing the password. If such an app exists, revoke its permissions (and consider globally disabling user consent or requiring admin approval for new apps to prevent this in future – see best practices section).

5. Examine the User’s Devices – Investigate whether the compromise might have started from a device. Check the device compliance or logs if the user’s machine is managed by Intune. Look at recent antivirus alerts from that device (in Microsoft Defender Security Center) if available. The goal is to see if malware or token theft on the device played a role. If a device is suspect, keep it offline until it’s cleaned and secure.

6. Determine the Cause (Phishing, Password Leak, etc.) – While investigating, gather clues about how the attacker got the password or access. Common causes in Microsoft 365 environments include:

Phishing Email: The user might have received a convincing phishing email and entered their credentials on a fake login page. Check the user’s mailbox for any phishing emails or strange login alerts around the time of compromise. If found, that phishing email should be reported and other recipients warned.
Password Re-use or Weak Password: Perhaps the user’s password was leaked from another breached site and tried on O365. If you suspect this, consider urging a password change for other users or enabling banned password checks.
Legacy Protocol / No MFA: The attacker might have exploited the absence of MFA by using legacy email protocols (IMAP/POP/SMTP Auth) that only require username/password. Signs of this include IMAP login entries without MFA. This often means the organization hadn’t blocked legacy authentication.
Brute Force/Password Spray: If logs show many failed logins from various IPs, the account could have been guessed via password spray (trying common passwords on many accounts).
Token Theft: If the user had malware, the attacker could have stolen an active session token. Harder to detect, but device forensics might show that.

Understanding the root cause will inform what preventative changes are needed to stop similar breaches. Document the timeline of events: when the initial breach likely happened, how long the attacker had access, and what they did during that period.

7. Involve Microsoft Support if Needed – If you need deeper analysis (for example, if multiple accounts are affected or you suspect a broader breach), consider opening a case with Microsoft Support. They can assist with incident response, run deeper diagnostics, or involve their investigation teams if necessary. In severe cases (like a high-profile breach or many users compromised), Microsoft’s DART (Detection and Response Team) or a security partner might be engaged. For a single-user incident, usually the above steps are sufficient for investigation, but the support option is there if you require help or if something isn’t adding up.

By the end of the investigation, you should have a clear picture of what the attacker did and how they got in. For example, you might conclude: “Attacker phished the user via a fake SharePoint email, logged in from Nigeria on June 1 at 2AM, sent 50 phishing emails to contacts, and set up forwarding to external address X.” With this information, you can now fully remediate the damage and restore the user’s account safely.

Recovery and Remediation Steps

After containing the threat and investigating the incident, the next step is to restore normal operations for the user and remediate any changes the attacker made. It’s also time to implement fixes so that the attacker (or others) can’t easily repeat the breach. Work through the following:

1. Restore Account Access to User – If you had disabled the account, you can now re-enable it after you have taken all precautionary steps (password reset, MFA enabled, etc.)[2]. Make sure the user’s new credentials and MFA are working for them. Monitor the account’s login closely for a while after restoration. If the user’s mailbox was blocked from sending email (e.g., by Microsoft for sending spam), you will need to remove them from the Restricted Users list in the Security portal[2]. This action is required to allow the user to send email again once you’re confident the account is secure. Always do this after securing the account to avoid the attacker abusing the reinstated access.

2. Communicate with the User – Inform the affected user (and possibly their manager or IT security team) about what happened. Explain that their account was compromised, but steps have been taken to secure it. Instruct the user to be vigilant: e.g., if they receive any further unusual alerts or if they had reused their corporate password elsewhere, they should change it there too. It’s important the user is on board with any new security steps (like MFA usage, which might be new to them). Also, advise them on how to spot phishing emails in the future, since user vigilance is key.

3. Remove Any Residual Malicious Content – The attacker’s access could have left behind unwanted content. Examples: malicious emails in the user’s mailbox (phishing emails in their Sent folder or drafts). Work with the user to identify and delete any lingering phishing messages or malware. If the breach involved malware, ensure it’s quarantined or removed across the organization using Microsoft Defender. Microsoft Defender for Office 365 (if part of your Business Premium) can scan for and purge known malicious emails from all mailboxes[1]. Use these tools to clean up anything the attacker introduced (e.g., remove any phishing emails the compromised account sent to others by doing a content search and delete).

4. Data Recovery (if needed) – If the attacker deleted or altered data, you’ll need to recover it:

Email: Check the user’s mailbox Recoverable Items (the “deleted item recovery” or “dumpster” folder). You can search and restore emails that were soft-deleted. If the attacker emptied the Deleted Items, those emails can often still be recovered within the retention period. In Exchange Online, an admin can perform a mailbox content search or use eDiscovery to find and restore lost emails.
OneDrive/SharePoint: If files were deleted or corrupted, use the Recycle Bin in OneDrive/SharePoint to restore them. SharePoint keeps deleted files for a period (93 days by default). OneDrive has a feature to restore your OneDrive to a previous date (useful if ransomware encrypted files or a mass deletion occurred). Version history on files can also retrieve earlier clean versions.
Contacts/Calendars: If the attacker wiped out contacts or calendar entries, see if those can be imported from backups or if they might still exist on a mobile device cache to be synced back.
Device Recovery: If a device was heavily impacted (e.g., needed reimaging due to malware), ensure the user’s data is restored from backups or cloud storage. For instance, if they had Desktop/Documents synced to OneDrive Known Folder Move, those can be pulled down again on a new machine.

In summary, verify that the user’s data and productivity tools are back to normal. If nothing was deleted, great – but double-check that integrity. If something was lost and not recoverable (rare if you act quickly and have retention in place), note it as part of the incident impact.

5. Lessons Learned and Password Policy – Recommend the user (and all others) to never reuse their work credentials on other sites. If the investigation suggested a weak or reused password was a factor, this is an opportunity to improve your password policies. For instance, you might enable banned password lists or password protection so users can’t set common passwords. Also, consider shorter password expiry in favor of encouraging longer passphrases plus MFA (modern guidance leans toward not forcing frequent changes, but rather having strong passwords + MFA). If many failed attempts were seen, you might increase account lockout sensitivity. These measures help reduce the chance of another breach via password guessing.

At this stage, the compromised account is secured, the user can work again, and any immediate damage has been repaired. The focus should now broaden to fortifying your overall security to prevent other accounts from being breached in the future.

Strengthening Security and Preventing Future Breaches

Once you’ve handled the incident, it’s critical to implement preventative measures and improve your security posture. Microsoft 365 Business Premium offers various features to help protect user accounts. Here are best practices and steps to strengthen your tenant’s security against future attacks:

1. Enforce Multi-Factor Authentication for All Users – MFA is arguably the single most effective measure to prevent account takeovers. Ensure that all user and admin accounts require MFA (use Authentication app, FIDO2 keys, or at least phone SMS/call as last resort)[2]. Business Premium allows you to use Azure AD Conditional Access or Security Defaults to enforce MFA. Remember the earlier statistic: 99.9% of account breaches involve no MFA[3]. By enforcing MFA, even if passwords are compromised, attackers are stopped by the second factor. This should include service accounts – if they can’t do MFA, secure them with strong randomly generated passwords and conditional access restrictions.

2. Disable Legacy Authentication Protocols – Legacy authentication (such as basic auth for IMAP/POP/SMTP and older Office clients) does not support MFA and is a common entry point for attackers using leaked passwords[3]. Microsoft has deprecated basic auth in Exchange Online, but ensure it’s truly disabled: Create Conditional Access policies to block legacy authentication protocols for all users[3]. This ensures that attackers cannot use IMAP or other legacy methods to bypass MFA. If some old device or application requires it, plan to update or secure it, rather than leaving a hole open.

3. Use Conditional Access Policies – With Azure AD Premium P1 (included in Business Premium)[5], you can create Conditional Access policies to tighten security. Some recommended policies:

Require MFA for all users or at least for all sensitive apps and when off the trusted network. If not using Security Defaults, define a CA policy: MFA for all users on cloud apps.
Restrict Access by Location or Device: For example, if your employees mostly work in certain countries, you can block sign-ins originating from other regions entirely (or require MFA every time from abroad). Likewise, you can require that admin accounts only sign in from managed devices or specific IP ranges.
Require Compliant or Hybrid-joined Devices: If you manage devices with Intune, you can require that only devices meeting your compliance standards (patched, AV enabled, not jailbroken, etc.) can access certain services. This thwarts attackers on unknown devices.
Block Access to Risky Apps: You might create policies to block OAuth applications that are not approved, or use terms of use that users must accept (to deter programmatic attacks).

Conditional Access is a powerful tool to enforce security conditions organization-wide, adding layers of defense beyond just credentials.

4. Maintain Up-to-Date Security Configurations – Regularly review your tenant’s security settings:

Unified Audit Log: Make sure it’s enabled (it should be on by default now, but verify)[3]. Without audit logs, detecting breaches is much harder. Also, Mailbox Auditing should be on (it is by default these days)[3] so that actions like mailbox item deletions or rule creations are logged.
Anti-Phishing and Anti-Malware Policies: In the Microsoft 365 Defender portal, ensure Defender for Office 365 policies (Safe Attachments, Safe Links) are enabled to catch malicious emails and attachments. Business Premium includes Defender for Office 365 Plan 1, which has anti-phishing protection. Tune these policies to tag or quarantine suspicious emails.
Email Forwarding Controls: Consider disabling automatic external forwarding tenant-wide, except for specific needs. You can use an Exchange transport rule or set the outbound spam preferences to block external forwarding[3]. This way, even if an account is compromised, the attacker can’t auto-forward emails out without detection. At minimum, audit and get alerts on any new forwarding rules set up.
Consent to Apps: Configure Azure AD Admin consent workflow so that users cannot independently grant high-privilege permissions to OAuth apps[3]. This forces an admin to review any third-party app asking for data access, preventing the “illicit consent grant” attack vector.
Microsoft Defender for Business (Endpoint): Deploy Defender for endpoint on all company devices (it’s included). Ensure devices are onboarded so you get alerts on malware or suspicious behavior. Enable features like attack surface reduction rules and network protection if possible, which can prevent common attack actions.

5. Continuous Monitoring and Alerts – Don’t wait for a user to report an issue; set up your environment to alert you proactively:

Use the Security & Compliance Center alert policies or Defender portal alerts. For example, enable alerts for multiple failed login attempts, impossible travel, or unusual mail forwarding creation. Microsoft Cloud App Security (Defender for Cloud Apps) – if you have it or plan to add – can provide rich anomaly detection (like impossible travel alerts or detection of mass downloads).
Regularly review the Secure Score in Microsoft 365 Security Center. It will highlight recommended actions to improve security configuration (e.g., enabling MFA, disabling guest access if not used, etc.). This can serve as a checklist for hardening your tenant.
Periodically audit admin accounts and roles. Ensure least privilege – only give users the admin roles they truly need, and use Privileged Identity Management (if available) for just-in-time admin access.
If feasible, implement Azure AD Identity Protection (requires Azure AD P2 or equivalent). This can automatically detect and remediate risky sign-ins (for example, by forcing a password reset for a confirmed compromised account). If you don’t have P2, be extra vigilant with reviewing sign-in logs manually.

6. User Education and Training – Technology alone isn’t foolproof; user awareness is a vital layer of defense. Educate your users on security best practices:

Conduct training sessions on how to recognize phishing emails, suspicious links, and other social engineering tactics. Emphasize that users should never enter their M365 credentials on pages that came from an email link without verification. Regular cybersecurity awareness training helps users spot scams. User education is the first line of defense against phishing attacks in Office 365[4]. Regular training and simulated phishing exercises can dramatically reduce the likelihood of a real compromise.
Encourage users to report anything odd. Implement the “Report Phishing” or “Report Message” add-in in Outlook for users[3]. This makes it easy for them to flag suspicious emails to Microsoft and your security team. Users should know how to quickly get in touch with IT if they suspect their account or device might be compromised (e.g., after accidentally clicking something). Prompt reporting can cut short an attack.
Share policies about acceptable use of corporate credentials (e.g., don’t use your work email & password to sign up on random third-party sites or services).
Foster a culture where security isn’t just IT’s job but everyone’s responsibility. For instance, if an employee notices a colleague’s account acting strangely (like odd emails from them), they should feel empowered to notify IT immediately.

7. Keep Software and Devices Updated – Ensure all user devices, browsers, and Office apps are up to date with the latest security patches. Attackers often exploit unpatched vulnerabilities to gain access or escalate privileges. Use Intune (Endpoint Manager) to enforce updates and security compliance on devices if possible. A well-patched environment removes many opportunities for attackers.

By implementing these preventative measures, you significantly reduce the risk of another account breach. Microsoft 365 Business Premium gives you a solid toolset (MFA, conditional access, Defender, etc.) – use them to their full extent. Over time, continuously improve by reviewing incidents (like this one) and adjusting policies as needed.

Reporting the Incident and Next Steps

Finally, consider the reporting and notification aspects of a security incident:

Internal Notification: Inform your organization’s relevant stakeholders about the breach. This may include your management, IT security team, and possibly legal or compliance officers depending on severity. Transparency is important; describe which account was affected, how the issue was resolved, and what is being done to prevent a recurrence. This builds trust and ensures everyone is vigilant.
Notify Affected External Parties: If the compromised account sent out phishing emails to clients or partners, you should reach out to those external contacts to warn them. For example, if customers received malicious emails from the user, send them a notice to ignore those messages and that your company is taking care of the issue. This can help prevent any secondary harm.
Regulatory Reporting: If the breach involved sensitive data (personal data, financial info, health information, etc.), you may have a legal obligation to report it to authorities or regulatory bodies. For instance, data protection laws (like GDPR) require notification within a certain timeframe if personal data was exposed. Assess whether this incident triggers any such requirement. For a single user email breach, often the impact is limited, but if, say, PII was accessed or emails with customer data were stolen, you might need to report. Consult with legal/compliance advisors on this.
Report to Microsoft (Support): While there isn’t a formal “breach hotline” for Microsoft 365, you can and should involve Microsoft Support for significant incidents. Since you already may have opened a support case during investigation, keep that updated with your findings. Microsoft can use the incident details to improve their detection algorithms. Also, Microsoft’s security team might reach out if, for example, they detected the account sending out malware – be responsive and let them know the actions taken. Additionally, you can report malicious emails or files to Microsoft for analysis using the submission process (through the security portal)[2], helping improve their filters.
Law Enforcement: In cases of fraud (e.g., if the attacker attempted financial theft or succeeded in tricking someone into sending money), consider involving law enforcement. Business Email Compromise schemes often are part of larger criminal operations. Reporting to law enforcement can potentially assist in investigations beyond your company. They may ask for logs and evidence you gathered.

Document the incident thoroughly – this documentation may be needed for any reports and is useful for post-incident review. Include the timeline, impact, actions taken, and recommendations for future.

Conclusion

A suspected user account breach in an M365 Business Premium environment is a serious incident, but by following a structured response process, you can contain the damage and secure your organization’s data. Quickly identifying the warning signs of compromise and taking immediate action (disabling the account, resetting passwords, removing malicious rules, and enabling MFA) are crucial first steps. Leveraging Microsoft 365’s built-in audit logs and security tools allows you to investigate what happened and ensure all malicious access is removed. Once the user’s account is secured and restored, focus on strengthening your defenses: enforce best practices like MFA, conditional access, disabling legacy auth, and educating users on security awareness.

Microsoft 365 Business Premium provides a robust set of security features – from Defender for Office 365 to Intune device management – use these to create a layered defense that makes it hard for attackers to succeed. User education and vigilant monitoring complement these technical measures, forming a holistic security posture. In summary, the steps to follow for a suspected breach are: detect, contain, eradicate, recover, and improve[1]

References

[1] Incident Response Best Practices for Microsoft 365: What to Do After a …

[2] Responding to a Compromised Email Account – Microsoft Defender for …

[3] Office 365 Best Practices: 7 Steps to Mitigating Business Email … – Aon

[4] Office 365 Security Best Practices – Check Point Software

[5] MICROSOFT 365 BUSINESS PREMIUM – omninet.co.nz