I have a user who reported that spam emails were sent from their account to everyone in their contact list, and these emails ended up in the Deleted Items folder. After a quick check, I noticed there were both interactive and non-interactive logins from a different IP address. I advised them to shut down their PC and I reset their email password.
Is this a usual issue with Microsoft 365, or does it mean the user's computer was compromised? Also, what measures do you recommend to handle situations like this?
4 Answers
I agree with the consensus; the account is likely compromised. A phishing scam could be to blame. Besides changing the password, you should revoke any active sessions and check for strange Outlook rules. It's crucial to act quickly to minimize the damage.
Looks like a compromised account to me! The emails going straight to the Deleted folder hint at a rule set by an attacker. First off, reset the password, then reset MFA, and look for any unauthorized activity and devices accessing the account.
There are a few possibilities at play here:
- The user might have consented to a malicious app.
- They could have an infostealer on their device, so checking personal devices is key.
- An unauthorized third party could have signed in remotely.
- Their password may have been brute-forced, so implementing Azure authentication policies can help in the long run.
This issue isn't rare. Keep an eye on any new devices linked to their account.
It definitely sounds like their account has been compromised. Make sure to check their Outlook Rules because often attackers set up rules to delete evidence of their activities. It's not uncommon for them to also schedule emails to be sent out at specific times to avoid detection.
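The steps the answers above describe (check inbox rules and mailbox forwarding, look for the rule-creation events and the IP behind them, check consented apps, then revoke sessions after the password reset) as one PowerShell triage script. This is an added example, not code from the thread; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, the operator has Exchange and user administration rights, and `$Upn` is a placeholder for the affected mailbox.

```powershell
# Added example (not from the thread): triage one suspected-compromised M365 mailbox.
# Assumes ExchangeOnlineManagement and Microsoft.Graph modules are installed and the
# operator holds Exchange admin / User Administrator roles. $Upn is a placeholder.
param([string]$Upn = "user@example.com")

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.Read.All" -NoWelcome

# 1. Inbox rules: attackers commonly add rules that delete, hide or forward their traffic.
$rules   = Get-InboxRule -Mailbox $Upn
$suspect = $rules | Where-Object {
    $_.DeleteMessage -or $_.MoveToFolder -or $_.ForwardTo -or
    $_.RedirectTo -or $_.ForwardAsAttachmentTo
}
$suspect | Format-Table Name, Enabled, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo -AutoSize
# Disable rather than delete so the rule definition survives as evidence.
$suspect | ForEach-Object { Disable-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false }

# 2. Mailbox-level forwarding configured outside of inbox rules.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Who created or changed rules in the last 14 days, and from which client IP.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) `
    -UserIds $Upn -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 500 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json   # per-event detail is a JSON blob
        [pscustomobject]@{ When = $_.CreationDate; Op = $_.Operations; ClientIP = $d.ClientIP }
    } | Format-Table -AutoSize

# 4. OAuth application consents granted by this user (malicious-app check).
Get-MgUserOauth2PermissionGrant -UserId $Upn | Select-Object ClientId, Scope, ConsentType

# 5. After the password/MFA reset: invalidate all refresh tokens so existing sessions die.
Revoke-MgUserSignInSession -UserId $Upn
```

Review the listed rules and consents by hand before removing anything; the script only disables rules and revokes sessions, which are both reversible.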