365 Compromised

adrianaventer-3830 0 Reputation points
2026-06-15T10:18:03.1833333+00:00

I am a Microsoft admin and partner. My Microsoft 365 domain, Azure, service workers and licenses have been hijacked. I can't get into my tenants or admins. I can't access my packages or benefits. My emails and main users have been hijacked due to theft of my devices and hard drives and source code. Google console and Firebase are affected. Authenticator is not working. I can't recover my main admin emails or tenants. Exchange and 443 ports are hijacked and forcibly redirected. Cloudflare is also hijacked, and GoDaddy. They use ECC curve and browsers, WhatsApp and Copilot. As admin and partner I get a lot of requests from people trying to access admin portals, but my admin portals have been redirected by hackers. I've tried logging support with PSIRA, Treasury, Microsoft and Firebase and Google, but they seem to also be compromised. Office 365 and Azure Data Studio compromised. Please help me urgently, people are hijacking my applications and authority and identity. Live accounts, Hotmails etc. are not being recovered. My domains are hijacked.

Microsoft 365 and Office | Subscription, account, billing | For business | Other

4 answers

  1. Alina Le 2,455 Reputation points Independent Advisor
    2026-06-15T10:41:49.1666667+00:00

    Hello @adrianaventer-3830

    I know your situation is very urgent and challenging, but because of that, I want to clarify quickly with you that you should seek support as soon as possible from people who are actually authorized to help you in this case, which is the Microsoft Data Protection team. Please kindly reach out to them and prepare all the necessary information so they can quickly help you regain everything.

    In this case, I would like to share a detailed workflow that many users have used successfully to contact the Microsoft Support team.

    Please try to find the related hotline number to call the frontline and let them raise a ticket for you: Customer service phone numbers - Microsoft Support

    If you can use English, you may prefer these numbers as well:

    (Important Note: Depending on your country or region, when you call the support number, you may hear an introduction of about 30 seconds such as "you can visit the link...". You can ignore this introduction and wait until you are presented with the options. Then press "1" as a business email user, and again "1" for technical help.)

    In some countries, this is an automated conversation: First, when you call the hotline, they will ask you what kind of problem you are struggling with.

    Answer: Authenticator.

    A: What products do you use?

    B: Office 365 for business.

    Verification: Education or company account?

    B: For companies

    A: Are you an administrator?

    B: Yes.

    A: Are there any other administrators in your organization?

    B: No.

    A: I need one.... Service request?

    B: Yes  

    If your organization's Office 365 Business subscription is from a partner or reseller, and the global administrator is unable to open a service request on your end, contact the reseller's support provider to help open a service request on your behalf instead.

    Please try 2 or 3 times until you can reach out to an agent.


    Note: Please follow the steps in "our documentation" to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. adrianaventer-3830 0 Reputation points
    2026-06-15T10:21:06.3766667+00:00

    My laptop is clined and my phones and users. I need internal assistance please


  3. adrianaventer-3830 0 Reputation points
    2026-06-15T10:20:09.14+00:00

    I've done most, but I can't access the main accounts to do anything. Can Microsoft assist me?


  4. AI answer

    2026-06-15T10:18:38.66+00:00

    Given the scale of compromise (tenants, domains, devices, multiple cloud providers), immediate containment and formal incident handling are required. Use the following steps, prioritizing identity and tenant security in Microsoft Entra ID / Microsoft 365 and Azure.

    1. Contain and remediate compromised identities
    • Immediately change credentials for all tenant admin and Azure RBAC owner accounts where sign-in is still possible. Follow the password guidance in Password policy recommendations.
    • Ensure all remaining tenant admins and RBAC owners have multifactor authentication (MFA) registered and enforced. See Require multifactor authentication.
    • In Microsoft Entra ID, review which users, tenants, and subscriptions are at risk using the Users at risk view in the Azure portal, then:
      • Investigate risk via Identity Protection risk reports.
      • Remediate risks and unblock users using the Identity Protection remediation guidance.
    2. Revoke access and block attacker activity
    • For each compromised or suspected account, revoke all active sessions and access tokens so attackers lose current access. Use the Revoke user access in an emergency in Microsoft Entra ID guidance.
    • In Microsoft Entra ID Protection (if available), mark relevant accounts as Compromised and enable risk-based policies so risky sign-ins are blocked or forced to remediate.
    • Block known attacker IP addresses at the appropriate layer:
      • If using cloud authentication, block IPs in Microsoft Entra ID or Defender for Cloud Apps.
      • If federated (AD FS), block IPs at the firewall in front of AD FS.
    • Enable Microsoft Entra multifactor authentication for all users, prioritizing admins and high-value accounts.
    3. Secure compromised Microsoft 365 mail-enabled accounts
    For each mailbox that shows compromise symptoms (forwarding, rules, spam, etc.):
    • Reset the account password. If the account is synced from on-premises Active Directory, reset the password in AD and reset it twice to mitigate pass-the-hash risk (see Set-ADAccountPassword). If the identity is federated, change the password in the on-premises environment.
    • Update app passwords: delete existing app passwords and create new ones, because app passwords are not automatically revoked when the password is reset.
    • Enforce MFA on all compromised and admin accounts. See Set up multifactor authentication and Require phishing-resistant MFA for admins.
    • Revoke user access using Microsoft Graph PowerShell:
      • Install and import Microsoft.Graph modules as needed.
      • Connect with:
            Connect-MgGraph -Scopes User.RevokeSessions.All
        
      • Revoke sessions:
            Revoke-MgUserSignInSession -UserId <UPN>
        
    • Review MFA registered devices and methods for each affected user and remove any unrecognized devices or methods. See Manage user authentication options.
    • Review applications with user consent and revoke any that should not be allowed. See Application review.
    • Review administrative roles assigned to each user and remove any roles that should not be present (Azure RBAC roles, Entra roles, Defender/Purview roles).
    4. Clean up malicious mail rules and forwarding
    • Connect to Exchange Online PowerShell.
    • Check for mailbox-level SMTP forwarding:
        Get-Mailbox -Identity <Identity> | Format-List Forwarding*Address,DeliverTo*
      
      Remove any forwarding to unknown or attacker-controlled addresses.
    • Enumerate inbox rules, including hidden rules, and remove suspicious ones:
        Get-InboxRule -Mailbox "<MailboxIdentity>" -IncludeHidden | Format-List
      
    • Review and control automatic external email forwarding as described in Control automatic external email forwarding.
    5. Investigate the scope of compromise
    • Use Microsoft Entra sign-in logs and audit logs to review:
      • IP addresses
      • Sign-in locations
      • Times
      • Success/failure
      Identify anomalous sign-ins and timeframes.
    • Use Azure audit logs to understand changes to subscriptions, RBAC, and resources.
    • In the Microsoft Defender portal, search audit logs for suspicious activity across Exchange, SharePoint, OneDrive, and other workloads. Start with a broad date range from just before the first suspicious activity.
    • Use Message trace in the Defender portal and Sent Items in Outlook/OWA to identify malicious or BEC-style messages sent from compromised accounts.
    • For broader token theft scenarios, follow the token theft playbook containment tasks:
      • Change passwords for suspected accounts.
      • Block users and revoke access.
      • Enable MFA and Entra ID Protection risk policies.
      • Determine compromised data across email, SharePoint, OneDrive, and apps.
    6. Handle potentially compromised Azure subscriptions
    • Immediately change credentials for tenant admins and RBAC owners on all affected subscriptions.
    • Verify and correct admin user password recovery emails and phone numbers in Microsoft Entra ID.
    • Review which users, tenants, and subscriptions are at risk via the Users at risk view and Identity Protection risk reports.
    • Remediate risks and unblock users using Identity Protection guidance.
    7. If personal Microsoft accounts (Outlook.com/Hotmail/Live) are taken over
    • Follow the official Microsoft account recovery process for hacked or compromised Microsoft accounts:
      • Clear local devices of malware first (run a full antivirus scan, ensure Windows Defender or another AV is up to date).
      • Change or reset the Microsoft account password using the official flows.
      • Review account settings: connected accounts, forwarding, and automatic replies.
    • If the account recovery web form fails and security info has been replaced, there is no alternate technical method to recover the personal account; support cannot override the automated ownership checks.
    8. When support channels appear compromised or ineffective
    • Use a separate, known-clean device and network (for example, a different ISP or mobile hotspot) to access Microsoft portals and support.
    • For personal accounts, use the official recovery article and account recovery form as described in the referenced guidance.
    • For partner/tenant issues, continue working through official Microsoft support and security escalation paths from a clean environment.

    Given the breadth of compromise (devices, domains, multiple cloud providers), also involve internal security/IT leadership and, if applicable, local law enforcement or cybercrime units, as this is a full identity and infrastructure takeover scenario.


    AI-generated content may be incorrect. Read our transparency notes for more information.
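
An added example (not part of the AI answer above, and not Microsoft's own code) that extends the per-mailbox forwarding and inbox-rule checks from the mail-rule cleanup step to every mailbox in the tenant, flagging only targets outside the tenant's accepted domains. It assumes an Exchange Online PowerShell session is already open from a known-clean device; the function names `Test-ExternalAddress` and `Get-SuspiciousForwarding` and the output file name are hypothetical.

```powershell
# Added example: tenant-wide sweep for external forwarding and forwarding inbox rules.
# Assumes an active Exchange Online session (Connect-ExchangeOnline) from a clean device.
# Function names below are illustrative, not Microsoft cmdlets.

# Domains the tenant owns; any other domain counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    param([string]$Address)
    # Handles forms such as 'smtp:user@example.com' and '"Name" [SMTP:user@example.com]'.
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        return $internalDomains -notcontains $Matches[1]
    }
    return $false   # no SMTP domain present, e.g. an internal recipient object
}

function Get-SuspiciousForwarding {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Mailbox-level SMTP forwarding (the property shown by Format-List Forwarding*Address).
        if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'
                Rule = $null; Target = $mbx.ForwardingSmtpAddress; Enabled = $true
            }
        }
        # Inbox rules, including hidden ones, that forward or redirect mail.
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ }
            foreach ($t in $targets) {
                if (Test-ExternalAddress ([string]$t)) {
                    [pscustomobject]@{
                        Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                        Rule = $rule.Name; Target = [string]$t; Enabled = $rule.Enabled
                    }
                }
            }
        }
    }
}

# Export the findings for the incident record before removing anything.
Get-SuspiciousForwarding | Export-Csv -Path .\forwarding-review.csv -NoTypeInformation
```

Review the exported rows against known business forwarding before deleting rules, since the file also serves as evidence of what the attacker configured.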
