Here is hacking case and links I sent to customer. First link has all the steps to fix account.
Powershell script is below:
How to fix a compromised (hacked) Microsoft Office 365 account
Remediate affected account and improve your security posture
There are two options to be able to do this:
Option 1: Run RemediateBreachedAccount.ps1 PowerShell script against each account compromised
The ‘RemediateBreachedAccount.ps1‘ will remediate the attack to the accounts compromised and will remove any standing access to those accounts. It will perform the following actions:
- Reset password (this secures the account and kills active sessions).
- Remove mailbox delegates.
- Disable mail forwarding rules to external domains.
- Remove global mail forwarding property on mailbox.
- Enable Multi-Factor Authentication (MFA) on the user’s account.
- Set password complexity on the account to be high.
- Enable mailbox auditing.
- Produce Audit Log for the admin to review.
Multi-Factor Authentication for Office 365
Learn more about how to use DKIM with your custom domain in Office 365
Use DKIM to validate outbound email sent from your custom domain in Office 365
Manually hooking up DKIM signing in Office 365
Outbound DKIM signing in Office 365
Office 365 email anti-spam protection
Configure the connection filter policy (Block IP Addresses)
Spam email and Office 365 environment – connection and content filtering in EOP (Block Countries and Regions)
Advanced Spam Filtering Options
View e-mail message headers
Office 365 Message Header Analyzer (Analyze Email Header Information)
Search the audit log in the Office 365 Security & Compliance Center
Reports in the Office 365 Security & Compliance Center
Create activity alerts in the Office 365 Security & Compliance Center
|Special Thanks to: Bob Klinger|