Possible symptoms (incomplete)
Entra Sign-in Logs
In the Microsoft Entra Admin, if you go to Users -> All users -> select the user -> Sign-in logs -> change filter to 7 days (or 1 month), you see successful sign-ins that are not recognized.
Message Trace
In the Microsoft Exchange Admin, go to Mail Flow -> Message Trace -> Start a trace, then put the hacked user in the Sender field and run the search.
Message Rules
In the user's Outlook Web Access, click on the settings wheel in the top right, then go to Mail -> Rules.
Remediations
Reset Password & MFA
In the Microsoft Entra Admin, go to Users -> All users -> select the user.
- Click Reset password to reset the user's password. It will require them to change it.
- Click Revoke sessions to cause the user to get logged out everywhere. This may take 15 minutes.
- Go to Authentication methods, click on Require re-register multifactor authentication to revoke the MFA methods.
- Also under Authentication methods, if there are any authentication methods remaining, remove them.
Message Rules
In the user's Outlook Web Access, delete the rules. Note what was happening to the messages (usually moving them to the RSS Feeds folder) and move them back to the inbox.
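The same rule review can be done from Exchange Online PowerShell. The following is an added example, not part of the original article: `Find-SuspiciousInboxRule` is a hypothetical helper name, the sample rules are constructed, and it goes beyond the RSS Feeds case above by also flagging rules that delete, forward or redirect mail.

```powershell
# Added example: flag inbox rules that hide, delete or forward mail.
# Find-SuspiciousInboxRule is a hypothetical helper, not a Microsoft cmdlet.
function Find-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    process {
        $reasons = @()
        # Moving mail out of the inbox hides replies from the mailbox owner.
        if ($Rule.MoveToFolder)  { $reasons += "moves to '$($Rule.MoveToFolder)'" }
        if ($Rule.DeleteMessage) { $reasons += 'deletes message' }
        # Any of these sends a copy of incoming mail to another recipient.
        foreach ($prop in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            if ($Rule.$prop) { $reasons += "$prop $($Rule.$prop -join ', ')" }
        }
        # Marking as read is only noted when the rule is already flagged.
        if ($reasons.Count -gt 0 -and $Rule.MarkAsRead) { $reasons += 'marks as read' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ Name = '.'; Enabled = $true; MoveToFolder = 'RSS Feeds'; MarkAsRead = $true }
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; ApplyCategory = 'Newsletters' }
)
$sample | Find-SuspiciousInboxRule | Format-List

# Live use (after Connect-ExchangeOnline; user@domain.com as in the article):
# Get-InboxRule -Mailbox user@domain.com | Find-SuspiciousInboxRule | Format-List
```

A flagged rule is a candidate for review, not proof of compromise; users create legitimate move-to-folder rules too.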
Recover Items Using PowerShell
Use this to find e-mails deleted in the last 7 days:
Connect-ExchangeOnline
Get-RecoverableItems -Identity user@domain.com -FilterStartTime (Get-Date).AddDays(-7) -FilterItemType IPM.Note
Use this to recover all e-mails deleted in the last 7 days. It will restore the items to their original locations/folders as best as it can; otherwise they go into the default folders for that type.
Connect-ExchangeOnline
Get-RecoverableItems -Identity user@domain.com -FilterStartTime (Get-Date).AddDays(-7) -FilterItemType IPM.Note | Restore-RecoverableItems