Who this page is for
IT administrators, helpdesk, SOC analysts, incident owners and any employee taking a suspicion seriously.
What does account compromise mean?
Unauthorised external access to an account, usually gained through phishing, weak passwords, missing MFA or stolen tokens.
Typical causes
Phishing with harvested password.
Weak or reused passwords.
Token theft after a valid login: the stolen session token is already past the MFA check, so MFA no longer protects the account.
Missing or weak MFA.
Malware on the endpoint.
Indicators
Unusual sign-ins from atypical countries, devices or times.
New mail rules, especially forwarding or auto-mark-read.
Newly registered devices or MFA methods.
Unusual mail activity, such as bulk sends or replies in old threads.
Unexpected consent to third-party apps (consent phishing).
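The five indicators above can be swept for mechanically once audit events are exported. The following is an added example, not code from this page or from any vendor: it runs simple detection rules over constructed events whose shape loosely follows unified-audit-log records (the field names `op`, `country`, `device`, `params`, `detail`, `app`, `scopes` and the operation names are assumptions). It flags sign-ins outside a per-user country baseline, from a not-yet-seen device or at night; inbox rules that forward or hide mail; newly registered MFA methods or devices; consent to third-party apps; and bulk sending within a sliding window.

```python
"""Sweep audit events for the account-compromise indicators listed above (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule parameters that forward mail out or hide it from the mailbox owner.
FORWARDING_KEYS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_KEYS = {"MarkAsRead", "DeleteMessage", "MoveToFolder"}


def _t(event):
    return datetime.fromisoformat(event["time"])


def sweep(events, baseline_countries, bulk_threshold=50, bulk_window=timedelta(minutes=10)):
    """Return findings as (indicator, user, time, detail) tuples, in time order."""
    findings = []
    seen_devices = defaultdict(set)   # user -> devices observed so far (first one is the baseline)
    send_times = defaultdict(deque)   # user -> timestamps of sends inside the sliding window
    bulk_flagged = set()

    for ev in sorted(events, key=_t):
        user, op = ev["user"], ev["op"]

        if op == "UserLoggedIn":
            reasons = []
            if ev["country"] not in baseline_countries.get(user, set()):
                reasons.append(f"country {ev['country']}")
            if ev["device"] not in seen_devices[user] and seen_devices[user]:
                reasons.append(f"new device {ev['device']}")
            if not 6 <= _t(ev).hour < 22:
                reasons.append(f"off-hours {_t(ev).strftime('%H:%M')}")
            seen_devices[user].add(ev["device"])
            if reasons:
                findings.append(("atypical_signin", user, ev["time"], ", ".join(reasons)))

        elif op in {"New-InboxRule", "Set-InboxRule"}:
            params = ev.get("params", {})
            hits = [k for k in params if k in FORWARDING_KEYS or (k in HIDING_KEYS and params[k])]
            if hits:
                findings.append(("suspicious_mail_rule", user, ev["time"], "/".join(sorted(hits))))

        elif op in {"User registered security info", "Add registered device"}:
            findings.append(("new_auth_method_or_device", user, ev["time"], ev.get("detail", "")))

        elif op == "Consent to application":
            findings.append(("app_consent", user, ev["time"], f"{ev['app']}: {ev['scopes']}"))

        elif op == "Send":
            q = send_times[user]
            q.append(_t(ev))
            while q and q[0] < _t(ev) - bulk_window:   # drop sends older than the window
                q.popleft()
            if len(q) >= bulk_threshold and user not in bulk_flagged:
                bulk_flagged.add(user)   # report bulk sending once per user, not per message
                findings.append(("bulk_send", user, ev["time"], f"{len(q)} sends within {bulk_window}"))
    return findings


def sample_events():
    """Constructed sample: one normal working day, then a night-time takeover pattern."""
    u = "a.bauer@example.com"
    events = [
        {"time": "2024-03-01T08:12:00", "user": u, "op": "UserLoggedIn", "country": "DE", "device": "LAPTOP-01"},
        {"time": "2024-03-01T09:03:00", "user": u, "op": "UserLoggedIn", "country": "DE", "device": "LAPTOP-01"},
        {"time": "2024-03-02T02:41:00", "user": u, "op": "UserLoggedIn", "country": "NG", "device": "UNKNOWN-7F2"},
        {"time": "2024-03-02T02:44:00", "user": u, "op": "New-InboxRule",
         "params": {"Name": "sync", "ForwardTo": "ext@example.net", "MarkAsRead": True}},
        {"time": "2024-03-02T02:50:00", "user": u, "op": "User registered security info", "detail": "Authenticator app"},
        {"time": "2024-03-02T02:55:00", "user": u, "op": "Consent to application",
         "app": "MailSync Pro", "scopes": "Mail.ReadWrite offline_access"},
    ]
    start = datetime(2024, 3, 2, 3, 0)
    for i in range(60):   # 60 messages in six minutes, well above the bulk threshold
        events.append({"time": (start + timedelta(seconds=6 * i)).isoformat(), "user": u, "op": "Send"})
    return events


if __name__ == "__main__":
    for finding in sweep(sample_events(), {"a.bauer@example.com": {"DE"}}):
        print(finding)
```

The country baseline is passed in rather than learned, because a baseline derived from the same log that contains the takeover would include the attacker's country. The off-hours window and the bulk threshold are deliberately crude; in production they are tuned per organisation and the findings feed the SIEM rather than being printed.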
First actions
Revoke sessions so that stolen tokens become invalid.
Change password and review MFA methods.
Check mail rules and delegated access.
Review sign-in and audit logs, ideally in the SIEM.
Review third-party apps and remove unnecessary permissions.
Escalate to incident response if there are signs of broader activity.
Checklist
- Revoke sessions
- Change password, review MFA methods
- Check mail rules and delegations
- Review audit logs for unusual sign-ins
- Review app permissions
- Assess and possibly isolate the endpoint
- Escalate on signs of broader compromise
Frequently asked questions
Is a password reset enough?
No. Without revoking sessions, stolen tokens can keep working.
When do I escalate to incident response?
As soon as there are signs that more than one account is affected, of data exfiltration or of further activity; see [Incident response](/en/incident-response).
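The first question above is worth seeing in code. The following added example (not code from this page or from any identity provider) models the mechanism most token services use: each user record carries a "sessions valid from" timestamp, tokens carry their issue time, and a validator rejects any token issued before that timestamp. A password change updates only the password hash, which no token validator looks at, so a stolen token keeps validating; revoking sessions bumps the timestamp and invalidates everything issued earlier. The token format, the store layout and all names are assumptions made for the demonstration.

```python
"""Why a password reset alone does not end a stolen session (added example)."""
import base64
import binascii
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"   # constructed; a real issuer keeps this in a key vault or HSM


def _hash_pw(password):
    # Demo only: production password storage uses a slow KDF such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def new_store():
    """Constructed user directory: password hash plus the 'sessions valid from' timestamp."""
    return {"a.bauer": {"pw_hash": _hash_pw("Winter2024!"), "sessions_valid_from": 0}}


def issue_token(user, now, ttl=3600):
    """Signed bearer token: base64(JSON claims) + '.' + HMAC over the claims."""
    payload = json.dumps({"sub": user, "iat": now, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def validate_token(token, now, store):
    """Return the subject if the token is correctly signed, unexpired and not revoked; else None."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(payload)
    user = store.get(claims["sub"])
    if user is None or now >= claims["exp"]:
        return None
    if claims["iat"] < user["sessions_valid_from"]:   # issued before the last revocation
        return None
    return claims["sub"]


def change_password(store, user, new_password):
    # Touches only the password hash; nothing a token validator consults.
    store[user]["pw_hash"] = _hash_pw(new_password)


def revoke_sessions(store, user, now):
    # Every token issued before 'now' fails the iat check from here on.
    store[user]["sessions_valid_from"] = now


def demo():
    """Walk a stolen token through reset and revocation; return which steps it survives."""
    store = new_store()
    stolen = issue_token("a.bauer", now=1000)            # token taken from the victim's device
    results = {"before_reset": validate_token(stolen, 1100, store) is not None}
    change_password(store, "a.bauer", "Spring2024!")
    results["after_reset"] = validate_token(stolen, 1200, store) is not None
    revoke_sessions(store, "a.bauer", now=1300)
    results["after_revoke"] = validate_token(stolen, 1400, store) is not None
    fresh = issue_token("a.bauer", now=1400)             # the legitimate user signs in again
    results["fresh_after_revoke"] = validate_token(fresh, 1500, store) is not None
    return results


if __name__ == "__main__":
    print(demo())   # the stolen token survives the reset but not the revocation
```

In Microsoft Entra the equivalent of `sessions_valid_from` is the user's `signInSessionsValidFromDateTime`, which a session revocation updates. One caveat the model simplifies away: revocation reliably stops refresh tokens, but an access token that a resource server validates only by signature and expiry keeps working until it expires, so revoke first and expect a short tail rather than an instant cut-off.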
Related topics
MFA significantly reduces the risk of compromised accounts. This page explains which methods actually work, where the weak points are and how to prioritise rollout in practice.
Identities are a primary target today. Clean handling of accounts, roles and permissions reduces the risk of many incidents significantly.
Microsoft 365 is the central workspace and identity ecosystem for many organisations. This page outlines the key security building blocks without admin step-by-step instructions.
Phishing remains one of the most common entry points. Modern attacks look professional, use trusted brands and adapt quickly. Technical filters, awareness and a simple report button belong together.
Business email compromise targets money or data flows through manipulated business mail - often via compromised mailboxes or convincing correspondence. This page outlines scenarios and controls.
A security incident requires a clear process, rehearsed roles and prepared communication. Improvising during an incident wastes time and creates mistakes. This page covers the phases, responsibilities and common pitfalls.