I have a situation with a user account that was compromised, leading to 2000 emails being sent out with a malicious link. I took immediate action by removing the harmful OneNote page and resetting the user's password and account info. However, it's been 24 hours and they're still unable to send or receive emails. I've sent a few test emails that show as delivered, yet the user isn't getting them. I've read that Microsoft can restrict email sending from compromised accounts, but I'm unsure of the proper steps to restore their access to email. Anyone have advice on how to troubleshoot this?
5 Answers
Make sure to analyze the inbox rules carefully. If the attacker created rules to send incoming messages to hidden folders, that could easily explain why they’re not seeing anything. Setting up alerts for new rules in OWA could help you prevent this in the future.
When accounts are compromised, threat actors often set up rules to delete or move emails automatically. Make sure to have the user's Outlook rules reviewed to spot any unusual configurations. It’s a common tactic to hide incoming messages from view!
Agreed! That's a smart move to check for!
As mentioned before, check that link for restoring access to blocked accounts. The malicious actor likely set up rules that disrupt the user’s normal email behavior. Fixing those rules could be key to resolving the email issue.
That’s really helpful! Thanks for sharing.
Always good to review email rules; they can be tricky!
You can also navigate to the O365 admin console under Security, then e-mail & collaboration, and finally review restricted entities. There you might find the user listed, and you can unblock them directly from that page. That could solve the issue if that's what’s going on.
Thanks for the info! I'll check that out now.
Great suggestion! This is usually the first step I recommend.
It's likely that the user is restricted from sending emails due to the compromise. You should check the link I provided for restoring access. Additionally, be aware that the threat actor might have set up Outlook rules that automatically move incoming emails to another folder, like the RSS folder, which can make it look like they're not getting any messages. Double-check the inbox rules to ensure there's nothing suspicious going on.
Yes, definitely take a look at those Outlook rules! They can really hide incoming messages.
Good point! Also, check if there are any rules that delete messages you might not catch right away.
Exactly! We had a similar case where all emails were sent to an unnoticed folder.
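The two checks the answers above describe (the restricted-senders list in the admin centre, and attacker-created inbox rules that move, delete, mark-read or forward mail) can be run from Exchange Online PowerShell in one pass. The script below is an added example written for this thread, not code from any of the posters or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in admin holds Exchange permissions, and that `user@example.com` is a placeholder for the affected mailbox. It only reports; the unblock and rule-disable commands are left as comments so an admin runs them deliberately after confirming the account is clean.

```powershell
# Added triage example for a compromised Exchange Online mailbox (not from the original thread).
# Requires: Install-Module ExchangeOnlineManagement ; an account with Exchange admin rights.
$Mailbox = "user@example.com"   # placeholder: replace with the affected user's address

Connect-ExchangeOnline          # interactive sign-in

# --- Check 1: is the user on the blocked-senders ("Restricted entities") list? ---------------
$blocked = Get-BlockedSenderAddress -SenderAddress $Mailbox -ErrorAction SilentlyContinue
if ($blocked) {
    Write-Host "[!] $Mailbox is currently blocked from sending:" -ForegroundColor Yellow
    $blocked | Format-List
    # Run only after the credential reset, session revocation and rule cleanup are done:
    # Remove-BlockedSenderAddress -SenderAddress $Mailbox
} else {
    Write-Host "[+] $Mailbox is not on the blocked-senders list"
}

# --- Check 2: mailbox-level forwarding set outside of inbox rules ---------------------------
$mbx = Get-Mailbox -Identity $Mailbox
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Host "[!] Mailbox-level forwarding is set:" -ForegroundColor Yellow
    $mbx | Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
    # Set-Mailbox -Identity $Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null
}

# --- Check 3: inbox rules, including ones hidden from the Outlook UI ------------------------
# Flag the actions that typically hide incoming mail from the user: delete, move/copy to an
# obscure folder (RSS Feeds, Archive, Conversation History), mark as read, forward/redirect.
$rules = Get-InboxRule -Mailbox $Mailbox -IncludeHidden
$suspicious = foreach ($r in $rules) {
    $flags = @()
    if ($r.DeleteMessage)                              { $flags += "deletes message" }
    if ($r.MoveToFolder)                               { $flags += "moves to '$($r.MoveToFolder)'" }
    if ($r.CopyToFolder)                               { $flags += "copies to '$($r.CopyToFolder)'" }
    if ($r.MarkAsRead)                                 { $flags += "marks as read" }
    if ($r.ForwardTo -or $r.ForwardAsAttachmentTo)     { $flags += "forwards to $($r.ForwardTo + $r.ForwardAsAttachmentTo)" }
    if ($r.RedirectTo)                                 { $flags += "redirects to $($r.RedirectTo)" }
    if ($r.StopProcessingRules)                        { $flags += "stops further rule processing" }
    # Attackers frequently leave the rule name blank or a single character such as "." or ","
    if ([string]::IsNullOrWhiteSpace($r.Name) -or $r.Name.Trim().Length -le 2) { $flags += "suspicious name" }

    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            Identity = $r.Identity
            Name     = $r.Name
            Enabled  = $r.Enabled
            Flags    = ($flags -join "; ")
        }
    }
}

if ($suspicious) {
    Write-Host "[!] Inbox rules that need review:" -ForegroundColor Yellow
    $suspicious | Format-Table -AutoSize
    # To neutralise a rule once confirmed malicious (keeps it for the incident record):
    # Disable-InboxRule -Mailbox $Mailbox -Identity "<rule identity from the table>"
    # or remove it outright:  Remove-InboxRule -Mailbox $Mailbox -Identity "<rule identity>"
} else {
    Write-Host "[+] No inbox rules with hide/forward/delete actions found for $Mailbox"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with the reporting only, save the table of flagged rules with the incident notes, then disable (rather than delete) the malicious rules so the evidence survives, and only then remove the sender block. Re-running the script afterwards gives a clean "[+]" line for each check, which is the state the user needs before they will receive and send mail normally.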