Microsoft 365 email compromised and leakage fix.

Question

Hi All

One of our Microsoft 365 user email has been compromised. Someone is able to send emails that appear to be from the user from that account to many recipient via his address book (Blue/Red cube) as follows.

But stranger problem occurred, perpetrator had injected users into "Active user" @ Microsoft 365 admin center from addresses book of our compromised user as follows

User type=Guest @ Microsoft Entra admin center

After the problem found

1. Modified Administrator password immediately
2. Revoke multifactor authentication sessions.
3. Block user login, unblock after user modified password.

I checked user authentication methods, MFA ready, looking good as follows.

Login log after user modified password, red cube=perpetrator, green cube=Our user.

Question & leakage fix

1. Why can perpetrator could injected user into "Active user"?
   How can to prevent it?
2. Current, Security defaults = on as follows
   
   But perpetrator could be bypass MFA look like, is MFA enabled but not enforce meant?
3. If above #2 is true, how can I do enforce MFA correctly?
   I found 1st relation items is follows @ Microsoft 365 admin center
   
   After "View recommendation" clicked, shown as follows
   And found 2nd relation items is follows @ Microsoft Entra admin center
   PS: I have no any policy @ Conditional Access.
   
   I got confusing. Is both equal (either one is OK)?

Could all please help me with this?

Thanks a lot

Answer 1

You're on the right track, you'll want to set a Conditional Access policy that forces MFA for All users. Also, you should not only pull the MFA sessions but also require a re-register.