Microsoft 365 email compromised and leakage fix.

Neko Chang Taiwan 5 Reputation points

Hi All

One of our Microsoft 365 user email has been compromised. Someone is able to send emails that appear to be from the user from that account to many recipient via his address book (Blue/Red cube) as follows.
User's image

But stranger problem occurred, perpetrator had injected users into "Active user" @ Microsoft 365 admin center from addresses book of our compromised user as follows

User's image

User type=Guest @ Microsoft Entra admin center

After the problem found

  1. Modified Administrator password immediately
  2. Revoke multifactor authentication sessions.
  3. Block user login, unblock after user modified password.

I checked user authentication methods, MFA ready, looking good as follows.

User's image
Login log after user modified password, red cube=perpetrator, green cube=Our user.

User's image

Question & leakage fix

  1. Why can perpetrator could injected user into "Active user"?
    How can to prevent it?
  2. Current, Security defaults = on as follows
    User's image
    But perpetrator could be bypass MFA look like, is MFA enabled but not enforce meant?
  3. If above #2 is true, how can I do enforce MFA correctly?
    I found 1st relation items is follows @ Microsoft 365 admin center
    User's image
    After "View recommendation" clicked, shown as follows
    User's image And found 2nd relation items is follows @ Microsoft Entra admin center
    PS: I have no any policy @ Conditional Access.
    User's image
    I got confusing. Is both equal (either one is OK)?

Could all please help me with this?

Thanks a lot

Microsoft 365
Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.
3,986 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Shawn Collins 615 Reputation points

    You're on the right track, you'll want to set a Conditional Access policy that forces MFA for All users. Also, you should not only pull the MFA sessions but also require a re-register.