Securitybreach

Email Security breach

For any compromised account or security breach, do the following first:

  • disable the account in local AD, and in Azure AD as well if the environment is hybrid
  • identify the affected device or server and disconnect it from every network it is attached to
  • start AV scans with whatever tools are available

Then check the sign-in and audit logs to establish where the account logged in from and which other servers could be affected.

Then follow this Microsoft guide: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide

O365 Mail security

If a malicious email has been sent and you need to clear it from some or all mailboxes in O365 Exchange, you can use the compliance tool.

The compliance tool uses the Exchange Online PowerShell module.

Connect to the compliance tool with the following cmdlet; it connects in the same way as Exchange Online:

Connect-IPPSSession -UserPrincipalName <admin UPN>

Then create a compliance search that identifies the emails you need, e.g.:

New-ComplianceSearch -Name "<search name>" -ContentMatchQuery "<KQL query>" -ExchangeLocation All

Instead of All, the Exchange location can be a domain, a security group or a specific mailbox; there are several options.

You then need to start the compliance search:

Start-ComplianceSearch -Identity "<search name>"

You can check its progress with:

Get-ComplianceSearch

To see the details of the search, use the following (written to a file for easier reading):

Get-ComplianceSearch -Identity "<search name>" | Format-List | Out-File C:\temp\searchresults.txt

To delete the matching emails, create a purge action on the search:

New-ComplianceSearchAction -SearchName "<search name>" -Purge -PurgeType HardDelete
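
An added example (not code from the original page) that chains the cmdlets above into one response script: it waits for the search to complete, previews the hits for a human review, and only then purges. The admin UPN, sender, subject and date window are constructed placeholders.

```powershell
# Added example, not code from the original page: an end-to-end search-and-purge
# of one malicious message with the cmdlets above. The admin UPN, sender,
# subject and date window are constructed placeholders for this illustration.
Import-Module ExchangeOnlineManagement

$AdminUpn   = 'admin@contoso.example'                         # placeholder
$SearchName = "IR-phish-$(Get-Date -Format 'yyyyMMdd-HHmm')"

# KQL query narrowed on sender, subject and received window so the purge
# cannot reach unrelated mail.
$Query = '(From:"phisher@attacker.example") AND (Subject:"Invoice overdue") ' +
         'AND (Received>=2024-01-15) AND (Received<=2024-01-16)'

# Waits for an asynchronous search action (preview or purge) to finish.
function Wait-ComplianceSearchAction([string]$Identity) {
    do {
        Start-Sleep -Seconds 15
        $action = Get-ComplianceSearchAction -Identity $Identity
    } while ($action.Status -notin @('Completed', 'Failed'))
    return $action
}

Connect-IPPSSession -UserPrincipalName $AdminUpn
New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll the search itself; Status is 'Completed' once results are ready.
do {
    Start-Sleep -Seconds 30
    $search = Get-ComplianceSearch -Identity $SearchName
    Write-Host "$SearchName : $($search.Status)"
} while ($search.Status -notin @('Completed', 'Failed'))
if ($search.Status -ne 'Completed') { throw "Search ended with status $($search.Status)" }
Write-Host "Matched items: $($search.Items)"

# Preview the hits and save them for a human review before anything is deleted.
New-ComplianceSearchAction -SearchName $SearchName -Preview | Out-Null
$preview = Wait-ComplianceSearchAction "${SearchName}_Preview"
$preview.Results | Out-File "C:\temp\$SearchName-preview.txt"
Write-Host "Review C:\temp\$SearchName-preview.txt before purging."

# Purge only after review. A purge action removes at most 10 items per mailbox
# per run, so re-run it if a mailbox holds more copies. SoftDelete leaves the
# mail in Recoverable Items; HardDelete marks it for permanent removal.
if ((Read-Host 'Type PURGE to hard-delete the previewed items') -ceq 'PURGE') {
    New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType HardDelete | Out-Null
    $purge = Wait-ComplianceSearchAction "${SearchName}_Purge"
    $purge | Format-List Status, Results
}
```

The account running this needs the Search And Purge role (for example via the Organization Management role group); an eDiscovery Manager alone can search and preview but not purge.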