Steps To Take After Your Office 365 Account Is Compromised

In our recent article, Office 365 Attacks On The Rise, How To Reduce Your Risk , we talked about the recent trend toward compromised Office 365 attacks and how to make yourself less of a target.  But, what if you think your Office 365 account has been hacked?  Maybe you are seeing ‘rules’ in Outlook that you didn’t create.. or Sent Items you didn’t send.. or hearing from people that you are sending them Skype messages about needing money.  Here are the immediate steps to take, and some thoughts from ESG on a good long-term plan to prevent re-infection.

What do I do first if my Office 365 account is possibly hacked?

  1. Deep scan for malware on your laptop, desktop, and mobile devices.
  2. If possible, remove your e-mail account from any mobile devices and/or ask your Office 365 manager (like us ESG or a reseller or even Microsoft if you can reach them) to help you disable any remote access to your mail while you sort this issue out.
  3. Check for and remove unwanted Outlook add-ins, rules, and browser extensions.  This is critical to do BEFORE you start changing passwords because if the hacker can see your e-mail, they can get potentially intercept the new password reset requests you are making.
  4. Reset all affected passwords – your Office 365 account, your Apple/google password, your banking/credit card password, and anything that uses the same password as your email account.  Do not re-use passwords going forward!  Think about LastPass or similar.
  5. Enable multi-factor authentication on your Office 365 account and your banking/business logins if possible.  Watch for any suspect attempts.

What do I do after I get the first steps completed?

  1. If you have any reason to think the hacker was sending e-mails, instant messages, or texts as you, let your contacts know that your e-mail might be compromised and to CALL YOU instead of e-mailing if they get any odd requests or financial correspondence from you.
  2. Check with Verizon/AT&T or the local Apple Store about your phone’s security and health.
  3. Contact ESG about getting LastPass setup for yourself or your whole business.  It has benefits besides just safely keeping all your passwords.
  4. Ask us about ways to add enterprise-class anti-virus/anti-malware to all your systems including mobile devices.
  5. Watch your accounts for anything suspect.. and check your rules, Deleted Items, Junk Mail, and Sent Items very carefully for any signs of tampering or messages/rules you did not create.  Hackers sometimes wait days or even weeks before trying to regain access.
  6. Check your OneDrive and/or SharePoint storage for suspect files or any shared files/links.  Microsoft does a poor job of virus protection and will allow infected files to continue to be shared long after you have regained control of your Office 365 account.

Tips To Identify A Fake Alert Or Pop-up

We often get asked how to identify a real alert (from Windows, Apple, anti-virus, etc) from a fake alert.  While hackers are always advancing their trade to improve their success rates, the following general rules apply when presented with sudden “alert” or pop-up window.


  • Will include the vendor logo, vendor product name, and details on the problem.  For example, a Symantec anti-virus alert will show the Symantec logo and detail what scan found what specific issue.
  • Will discuss what HAS been done, not what YOU must do.


  • Will mix vendors.  For example, refer to the fake alert shown in this post which occurred for an ESG client recently.  This alert mixes Chrome (a Google product) with Microsoft.
  • Will call for YOU to immediately do something.  For example, often they will ask you to call a number or click a link.
  • Will sometimes use poor spelling or grammar.
  • Will attempt to increase your stress level by insisting action must be taken immediately.

So what do you do if you get a fake alert?  If possible, close the browser immediately.  Save everything you are working on, and reboot.  If you cannot see the normal browser window or the fake alert fills the whole screen, press and hold the power button on your system.  This will power down your system.. losing any unsaved work (but you have been saving your documents often, right?).  If when you reboot the alert returns, please CONTACT US at ESG immediately.

In some cases the fake alert will create a fake “close” button.. be wary of these.. if you cannot see your normal windows, do not click around at random but rather use the “hold the power button” method from above.  Also, in some cases an alert might be from ransomware.  If you were opening a file when you received the alert, use the “hold the power button” method from above, make a mental note of what file this occurred on, and contact us for help.

Figure 1 – Example of fake alert.. note the mixed vendors, call for action, urgent wording, and questionable grammar

Identity Theft Trends

It’s been almost a year since half of Americans had their sensitive personal information exposed due to the Equifax data breach.  

The latest stats in 2018 since that breach:

  • 22 million individuals have become victims of ID theft since the Equifax breach
  • ID theft is America’s fastest-growing crime, affecting more people than car theft and home burglaries combined
  • Thieves will wait up to 10 years (or more) to use stolen data, since your personal informaton never changes

You are nine times more likely to become a victim of ID theft if your information has been exposed in a data breach

While any “free” protection from Equifax might be expiring soon, ESG recommends two things:

  1. Do not subscribe to a service with Equifax and do not allow them to renew the protection.  These are the folks that could not even secure their own data, do not pay them to try to protect yours!
  2. Seek out strong identity theft protection and support.  Talk with LifeLock or the company we at ESG recommend, Zander ID Theft Solutions.

Office 365 Attacks On The Rise, How To Reduce Your Risk

Hackers are increasingly targeting Microsoft Office 365 accounts.   And, unfortunately, once your account is compromised it can be difficult to detect and even more difficult to prevent reinfection.  We at ESG have pulled together the following information to help your business understand the risk and respond if you suspect your Office 365 account has been compromised.

Why is Office 365 attacked so often and why are hackers successful?

Office 365 represents a rich target for hackers because once they get your Office 365 login info, they can pretend to be you in e-mail, take over your Skype, send fake messages in SharePoint/Team, and so on.  Often the goal of the hackers is to use your account to trick others into sending money or approving a financial transaction.  As for why Office 365 attacks are often successful, there are a number of factors:

  • Users often re-use passwords from other accounts for their e-mail and thereby allow hackers to guess at their Office 365 login.
  • Microsoft was slow and clumsy in implementing multi-factor authentication, and it still does not play nicely with some apps/tools.  As a result, many users/businesses do not opt to turn it on.
  • Office 365 is, at its core, still Hotmail/Live/ so under the surface all those links to consumer-grade tools leave big gaps for malicious apps, ads, plug-ins, and cache-miners.
  • The wide array of Office apps and places you login with your credentials (from Outlook to Skype to your cell phone apps for mail) means hackers have a number of places to dig for your login info.  A compromised iPhone, for example, can result in a hacker obtaining your Office 365 login if you have your phone checking your e-mail.

How do I prevent my Office 365 account from being compromised?

As with minimizing all security risks, your best approach involves a mix of technology and vigilance.  We recommend:

  • Only login to your Office 365 tools (e-mail, webmail, Skype, etc) from devices you trust (and that have enterprise-grade anti-virus/anti-malware software running on them, including your mobile devices).
  • Enable multi-factor (aka ‘two factor’) authentication such as requiring a text to your phone before new logins are allowed.
  • Use multiple layers of security on all your devices including non-Microsoft and non-free anti-virus/anti-malware (ESG recommends Symantec) and additional spam/malware mail filtering (ESG recommends Barracuda).
  • Do not re-use passwords for multiple apps/sites.  Think about investing in a company password-keeper solution (ESG recommends LastPass).
  • Watch for odd behavior including new rules in your Outlook, e-mails going right to Deleted Items, e-mails you did not send appearing in your Sent Items, or people saying you sent them an e-mail when you did not.

If you have any concerns about implementing the protections above, please contact us at ESG to discuss and create an action plan!

Oh no, my Office 365 account might be compromised, what do I do?

Check out our next article “Steps To Take After Your Office 365 Account Is Compromised” for our tips on stopping the damage and securing your account.


Approach for Meltdown and Spectre Vulnerabilities

Understanding the Risk

In the news recently are two new system risks.. Meltdown and Spectre. These impact devices across the IT spectrum.. from Windows to Macs to Linux/Unix.  Even devices such as iPads and other tablets can be at risk.  The two risks exist at the chip/chipset level of the devices and leave them vulnerable to cyber attackers trying to access and exploit sensitive information.

  • Meltdown affects computer central processing units (CPUs) and a demo code has been released to exploit the vulnerability to access credentials, and other sensitive information from system memory.
  • Spectre can allow the hacker to access sensitive information from applications and may be more difficult for hackers to exploit.

For a deeper dive into the technical aspects of these risks, you can check out this link with a 3 minute video on concerns.

Managing the Risk

Despite the hype, fixes for Meltdown are already available and additional fixes are in the works.  Fixes for Spectre may require hardware changes but mitigating protections are available.  Erickson Solutions Group continues to make our normal recommendation for all types of threats such as these: protection in layers.  Specifically, the layers to consider are at the OS level (patching), the anti-virus level (have real anti-virus not free or bundled), the browser level (keep your browser up-to-date), and the user level (practice safe browsing/e-mailing).

Protection in Layers

The following patches and protection layers are recommended by ESG.  Contact us for help with any/all of these items:

  • Windows: Run Windows Updates to apply any/all available Windows updates to address the problem as soon as possible (at the time of this writing the key patch is KB4056892).
  • Browser: Updates are needed and have been shared by most major browser providers (Chrome, Firefox, Microsoft Edge).  Your browser will typically update itself but you can help by rebooting your system frequently to give it a chance.   If your browser does not prompt you for an update or prompts you about an update error, we can assist.
  • Anti-virus/Anti-malware: We recommend Symantec for all systems.  Check that your Symantec has a happy green checkmark.  If you are on another platform such as Kaspesky or Windows Defender, make sure those are updating and set to fully protect to the best of their capabilities.  If you are still using an anti-virus that is “free”, “ad-based”, or came with your DELL/HP/etc.. this is the wake-up call to get real protection on your system ASAP.
  • User Training: If your user base is a little unclear about safe browsing or e-mailing practices, we can come on-site for a lunch-and-learn and/or to create specific handouts for your team.  At a minimum, we recommend discussing the risks with your team and advising them to contact ESG if they notice any unusual behavior on their systems.
  • BIOS: System manufacturers (aka OEMs) will be releasing BIOS updates from a hardware perspective – once available, these should be applied immediately.  These may require our help.

We are available at 913-538-5576 to answer any questions you and your team might have about implementing these patches/processes, updating devices when new releases are available, and resolving security issues should they occur!