Steps at a glance
Step 1: Set up multi-factor authentication in the O365 Admin Center
Step 2: Instructions for your users once MFA is set up
Step 2a: Set up 2-step verification for Office 365
- Use Microsoft Authenticator with Office 365 (Note: the easy way, recommended by Microsoft)
- Download and install the Microsoft Authenticator app on your mobile device
- Set up the Microsoft Authenticator app
Step 2b: Create an app password for Office 365
We strongly recommend you take the following actions to help rectify the impacted accounts and secure your environment:
- Validate correct information for multi-factor authentication and self-service password reset here: http://aka.ms/MFAValid
- Enable multi-factor authentication for all users. Setup instructions can be seen here: http://aka.ms/MFAuth
- For every impacted account, automatically perform the following remediation steps by running the script located here: http://aka.ms/remediate
  - Reset password (this secures the account and kills active sessions).
  - Remove mailbox delegates.
  - Disable mail forwarding rules to external domains.
  - Remove global mail forwarding property on mailbox.
  - Enable MFA on the user’s account.
  - Set password complexity on the account to be high.
  - Enable mailbox auditing.
  - Produce Audit Log for the admin to review.
- Investigate your Office 365 tenant and other IT infrastructure, including a review of all tenant settings, user accounts, and the per-user configuration settings for possible modification. Check for indicators of methods of persistence, as well as indicators an intruder may have leveraged an initial foothold to get VPN credentials, or access to other organizational resources.
- As part of your investigation, consider whether you should or must notify government authorities, including law enforcement.
In addition, we recommend you:
- Read and implement our guidance on addressing unusual activity here: http://aka.ms/fixaccount
- Enable the audit pipeline to help you to analyze the activity on your tenancy here: http://aka.ms/improvesecurity. Once complete, your audit store will start populating with all activity logs and you’ll be able to leverage the ‘Security and Compliance Center’s Search and Investigation’ feature seen here: http://aka.ms/sccsearch
- Use the following script to enable mailbox auditing for all your accounts here: http://aka.ms/mailboxaudit1
- Review delegate permissions and mail forwarding rules for all your mailboxes. The following PowerShell script can help to do this here: http://aka.ms/delegateforwardrules
Should you have any additional questions regarding this issue, please email Microsoft’s Office 365 Message Center Response Team at firstname.lastname@example.org and reference this Message Center Post ID.
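
The review of delegate permissions and mail forwarding rules recommended above can be run read-only before any remediation changes are made, so the findings are preserved for the investigation. The following is an added example, not the script behind the aka.ms links and not Microsoft's code; it assumes an already connected Exchange Online PowerShell session, and the helper name `Get-AddressScope` and the output file name are hypothetical.

```powershell
# Added example (not Microsoft's script). Read-only: it changes no settings.
# Assumes a connected Exchange Online PowerShell session.
$internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }

# Hypothetical helper: classify a forwarding target by its SMTP domain.
function Get-AddressScope {
    param([string]$Address)
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        if ($internalDomains -contains $Matches[1]) { return 'Internal' }
        return 'External'
    }
    return 'Unknown'   # no SMTP address visible (directory object); review by hand
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName

    # 1. Global forwarding properties set on the mailbox itself
    foreach ($target in @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress)) {
        if ($target) {
            [pscustomobject]@{ Mailbox = $upn; Type = 'MailboxForwarding'
                Detail = "$target"; Scope = Get-AddressScope "$target" }
        }
    }

    # 2. Inbox rules that forward or redirect mail
    foreach ($rule in Get-InboxRule -Mailbox $upn) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($target in ($targets | Where-Object { $_ })) {
            [pscustomobject]@{ Mailbox = $upn; Type = "InboxRule '$($rule.Name)'"
                Detail = "$target"; Scope = Get-AddressScope "$target" }
        }
    }

    # 3. Delegates: explicit (non-inherited) permissions held by other principals
    Get-MailboxPermission -Identity $upn |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
        ForEach-Object {
            [pscustomobject]@{ Mailbox = $upn; Type = 'Delegate'
                Detail = "$($_.User): $($_.AccessRights -join ',')"; Scope = 'n/a' }
        }
}

# External targets sort to the top; keep the CSV with the incident record.
$findings | Sort-Object Scope, Mailbox |
    Export-Csv -Path .\mailbox-forwarding-review.csv -NoTypeInformation
```

Rows marked `Unknown` are targets stored as directory objects (for example a mail contact), which can still point to an outside address and need a manual look.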