A client recently contacted us with a support request saying that they were not receiving any email in their Office 365 mailbox. This was a tiny company with only one mailbox shared amongst 4 users.
We did the standard checks to see whether the domain had expired and whether the DNS records were set correctly, and everything checked out as OK. I sent them a test email and didn't receive a bounce back, yet they didn't receive the email. Wow, this is weird, I thought.
I checked their instance of Outlook to see if there were any Rules or Filters applied to the inbox, and there was nothing applied to incoming mail. I even logged onto their admin portal to see if there were any Rules applied, and once again no rules were applied.
I decided to log onto their OWA account to see if there were any filters or rules applied there and finally, BAM! The offending rule was discovered. A hacker had applied a filter to all incoming mail to mark it as read and move it automatically to the Deleted Items folder.
How does this happen, I hear you ask? It happens when a user clicks one of those spam emails asking them to update their Office 365 password. They provide their logon credentials and then the hackers go about doing what they've done in this case, being a nuisance. What is more concerning is what else they had access to, such as sensitive company emails.
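The same check can be run from Exchange Online PowerShell across every mailbox instead of logging onto OWA as each user. This is an added example, not part of the original write-up; `admin@example.com`, `user@example.com` and the CSV path are placeholders, the folder-name match assumes English-language mailboxes, and the forwarding check goes beyond the rule found in this incident.

```powershell
# Added example: audit inbox rules in every mailbox for rules that hide or divert mail.
# Requires the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline -UserPrincipalName admin@example.com   # placeholder account

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()

        # The pattern from this incident: mail is deleted or moved to Deleted Items.
        # Assumption: the folder is named "Deleted Items" (English mailbox).
        if ($rule.DeleteMessage -or ("$($rule.MoveToFolder)" -match 'Deleted Items')) {
            $reasons += 'deletes or moves to Deleted Items'
            # Marking as read as well keeps the unread counter from giving it away.
            if ($rule.MarkAsRead) { $reasons += 'marks as read' }
        }

        # Beyond this incident: rules that send copies of mail elsewhere.
        if ($rule.ForwardTo -or $rule.RedirectTo -or $rule.ForwardAsAttachmentTo) {
            $reasons += 'forwards or redirects'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox     = $mbx.UserPrincipalName
                RuleName    = $rule.Name
                Enabled     = $rule.Enabled
                Reasons     = $reasons -join '; '
                Description = $rule.Description   # readable summary of the rule
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-List
$findings | Export-Csv -Path .\inbox-rule-audit.csv -NoTypeInformation

# After reviewing a finding, disable the rule first so it is kept as evidence:
# Disable-InboxRule -Mailbox user@example.com -Identity 'rule name'

Disconnect-ExchangeOnline -Confirm:$false
```

Legitimate rules can match too (for example a user who auto-deletes newsletters), so read the Description column before disabling anything.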
So how do you fix it?
As outlined earlier, log onto the affected user's OWA web interface and follow the instructions below:
So what do you do next to prevent this happening in the future? I'd recommend that the following steps are taken to firstly stop the current access and secondly prevent future issues.
Firstly, CHANGE THE USER'S PASSWORD to something complex and greater than 10 characters, and also include special characters like !@# etc.
Secondly, implement 2FA. What is 2FA? 2FA is two-factor authentication, and it is applied to the user's profile. This forces the user to add a mobile phone number to their O365 profile, and when they log on, a code is sent to their phone as part of the logon process.
This prevents hackers logging onto your account even if they have your username and password, because they don't receive the code that is sent to your phone. It's a simple fix that increases the security of your Office 365 account immeasurably.
Hope you've found this useful...