Check Point Email Security | Blog

Microsoft 365: What to Do When Your Account is Compromised

Written by Jeremy Fuchs | October 15, 2020

In January of 2020, 1.2 million Microsoft accounts were compromised. That's according to the company's own data. And, the company says, this is par for the course.

That is a staggering number. And though Microsoft said a lot of it was preventable, the fact remains that it happened.

So if you deploy Microsoft 365 in your environment, you are susceptible to a compromised account. 

What's the risk? We're talking hackers stealing credentials, sensitive information, money—and potentially infecting the entire organization.

Microsoft has a number of recommendations about what to do once your account is compromised.

But if you use Avanan, you have the upper hand. Not only can we identify compromised accounts, but we also stop the sort of phishing attacks that lead to compromised accounts in the first place.

It's that type of proactive work that sets Avanan apart.

What to Do If You've Been Compromised

Microsoft has a number of tips about what you need to do after an account has been compromised. Among the recommendations:

  • Change your password
  • Ensure your Exchange account doesn't auto-forward
  • Inform people, as necessary, that your account was compromised

Those are all well and good.

But how about avoiding this mess in the first place? (There's a lot of awkwardness around telling that person you emailed one time that they should ignore the previous email.)

Avanan has a specialized account takeover engine. Avanan analyzes login events and end-user activities across every cloud app. That includes:

  • Logins from new devices or locations
  • Suspicious mailbox configurations
  • Disabling of MFA
  • Multiple password resets
  • Suspicious internal emails
  • Changes in contact groupings

And now, we monitor suspicious MFA login failures. We look at logins that fail the MFA stage and watch for any suspect trends. It's just another way to monitor suspicious events. In a 24-hour period, we saw 30 of these and caught them. This is what it looks like:

 

When we connect to a customer’s cloud app, we capture months’ or even years’ worth of historical information to create a model of each user as well as a profile that is unique to each company. We then monitor over 100 event indicators within each SaaS and correlate them to identify a compromised account.

Only by monitoring every user, every event and every configuration across multiple cloud services can you identify the traits of a compromised account.
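To make the MFA-failure monitoring and per-user history described above concrete, here is an added example (not Avanan's code or detection logic) that flags accounts whose logins got past the password check but failed MFA, either repeatedly within 24 hours or from a source the user has never logged in from. The event layout, stage names, `KNOWN_IPS` history and the threshold of 3 are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source IP, stage the login reached).
# Hypothetical field layout, not the Microsoft 365 sign-in log schema.
EVENTS = [
    ("2020-10-14T08:01:00", "alice@example.com", "198.51.100.10", "success"),
    ("2020-10-14T09:15:00", "bob@example.com",   "203.0.113.50",  "mfa_failed"),
    ("2020-10-14T09:16:30", "bob@example.com",   "203.0.113.50",  "mfa_failed"),
    ("2020-10-14T09:20:00", "bob@example.com",   "203.0.113.50",  "mfa_failed"),
    ("2020-10-14T11:00:00", "carol@example.com", "198.51.100.30", "mfa_failed"),
    ("2020-10-14T11:01:00", "carol@example.com", "198.51.100.30", "success"),
    ("2020-10-14T12:00:00", "dave@example.com",  "192.0.2.99",    "password_failed"),
    ("2020-10-15T13:00:00", "erin@example.com",  "203.0.113.77",  "mfa_failed"),
]
# Constructed per-user history of source IPs seen on earlier successful logins.
KNOWN_IPS = {
    "alice@example.com": {"198.51.100.10"},
    "bob@example.com": {"198.51.100.20"},
    "carol@example.com": {"198.51.100.30"},
    "erin@example.com": {"198.51.100.40"},
}

def flag_mfa_failures(events, known_ips, window=timedelta(hours=24), threshold=3):
    """Map each suspicious user to the reasons their MFA-stage failures stand out."""
    failures = defaultdict(list)
    for ts, user, ip, stage in events:
        if stage == "mfa_failed":  # password was accepted, second factor was not
            failures[user].append((datetime.fromisoformat(ts), ip))
    flagged = {}
    for user, items in failures.items():
        items.sort()
        reasons = set()
        if any(ip not in known_ips.get(user, set()) for _, ip in items):
            reasons.add("new_source")  # failure came from an IP outside the user's history
        start = 0
        for end, (ts, _) in enumerate(items):  # sliding window over failure times
            while ts - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                reasons.add("repeated")
        if reasons:
            flagged[user] = sorted(reasons)
    return flagged

if __name__ == "__main__":
    for user, reasons in flag_mfa_failures(EVENTS, KNOWN_IPS).items():
        print(user, reasons)
```

A single MFA failure from a familiar source, like the constructed `carol` entry, is left alone, which keeps ordinary mistyped codes out of the alert queue.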

And when you combine that with our powerful anti-phishing technology that prevents suspicious emails from reaching the inbox in the first place, you have true defense-in-depth protection.

Don't deal with the mess of tracking down a compromised account. Install Avanan and go about your business.