If a mailbox, login, or user account looks compromised, we help Sydney businesses contain it promptly. Revoke sessions. Reset access. Remove the persistence mechanisms attackers leave behind. We'll document our response so you know what happened and what to do next.
This is focused containment for Microsoft-first businesses on Microsoft 365, not a generic cyber security discussion.
Most businesses think they've taken care of a compromised account once they reset the password. That is not the case.
If an attacker got in through a phishing link or a stolen credential, they've probably done more than read a few emails. Here's what we commonly find when we investigate:
Resetting a password doesn't reliably kill active sessions. Access tokens already issued stay valid until they expire, and if the attacker authenticated before the reset and holds a refresh token, they can stay signed in for hours or days afterwards. You need to revoke sessions explicitly. That is a separate step.
Attackers create inbox rules (often with names like "." or a single space so they're easy to miss at a glance) that forward or redirect inbound email to an external address. Or they set up rules that move specific messages, such as password resets, security alerts or replies about invoices, straight into a folder the user never checks, or delete them on arrival. Mailbox-level forwarding set on the mailbox itself, rather than in a rule, does the same job and is just as easy to overlook. These rules survive a password reset.
A compromised M365 account is more than a mailbox. It also reaches Teams messages, SharePoint files, OneDrive documents and any shared mailboxes the user has access to. If the user held admin privileges, even limited ones, the exposure widens significantly and the response has to escalate accordingly.
If the compromise came through a phishing link clicked on a company laptop, the device itself might be affected. Cached credentials, browser sessions, saved passwords. A compromised device that stays on the network is an open door even after you've locked the account.
OAuth app consents, registered devices, added MFA methods, mailbox delegates. Attackers who know what they're doing create secondary access paths so they can get back in even after you reset the password and revoke sessions.
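A read-only sweep of the persistence mechanisms listed above, for a single user, written here as an added example rather than Internacious's own tooling. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed, the operator has read rights across the tenant, and `alice@example.com` is a placeholder UPN. Nothing in it changes the tenant; it collects what a responder would want to see before deciding what to disable.

```powershell
# Added example: inventory of attacker persistence for one Microsoft 365 user.
# Assumes Microsoft.Graph + ExchangeOnlineManagement modules; $Upn is a placeholder.
param([string]$Upn = 'alice@example.com')

Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All',
    'Directory.Read.All','Application.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()
$internalDomains = (Get-AcceptedDomain).DomainName

# 1. Inbox rules: external forward/redirect, delete-on-arrival, move-to-folder, odd names.
foreach ($rule in Get-InboxRule -Mailbox $Upn) {
    $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
    # Recipients render as 'Name [SMTP:user@domain]'; pull the bare address out.
    $addrs = foreach ($t in $targets) {
        if ("$t" -match 'SMTP:([^\]\s]+)') { $Matches[1] } elseif ($t) { "$t" } }
    $external = $addrs | Where-Object { $_ -match '@(.+)$' -and $internalDomains -notcontains $Matches[1] }
    if ($external) {
        $findings.Add("RULE '$($rule.Name)' (Enabled=$($rule.Enabled)) sends mail to: $($external -join ', ')") }
    if ($rule.DeleteMessage -or $rule.MoveToFolder) {
        $findings.Add("RULE '$($rule.Name)' hides mail: Delete=$($rule.DeleteMessage) MoveTo=$($rule.MoveToFolder)") }
    if ($rule.Name.Trim() -match '^[\W_]{0,2}$') {
        $findings.Add("RULE with near-empty name '$($rule.Name)' (common attacker pattern)") }
}

# 2. Mailbox-level forwarding set directly on the mailbox, not in a rule.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    $findings.Add("MAILBOX forwarding: Smtp=$($mbx.ForwardingSmtpAddress) Addr=$($mbx.ForwardingAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)") }

# 3. Delegates: Full Access and Send As granted to anyone other than the user.
Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -ne 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'FullAccess' } |
    ForEach-Object { $findings.Add("DELEGATE FullAccess: $($_.User)") }
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -ne 'NT AUTHORITY\SELF' } |
    ForEach-Object { $findings.Add("DELEGATE SendAs: $($_.Trustee)") }

# 4. Registered MFA methods: list every one so an added authenticator or phone stands out.
Get-MgUserAuthenticationMethod -UserId $Upn | ForEach-Object {
    $p = $_.AdditionalProperties
    $type = $p['@odata.type'] -replace '#microsoft.graph.', ''
    $detail = ($p.GetEnumerator() |
        Where-Object { $_.Key -in 'displayName','phoneNumber','emailAddress','createdDateTime' } |
        ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
    $findings.Add("MFA method: $type $detail")
}

# 5. OAuth consents the user granted (delegated permission grants), resolved to app names.
Get-MgUserOauth2PermissionGrant -UserId $Upn -All | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    $findings.Add("CONSENT: '$($sp.DisplayName)' appId=$($sp.AppId) scope='$($_.Scope)'")
}

# 6. Devices registered to the user; a new registration after the phish is suspect.
Get-MgUserRegisteredDevice -UserId $Upn -All | ForEach-Object {
    $p = $_.AdditionalProperties
    $findings.Add("DEVICE: $($p['displayName']) os=$($p['operatingSystem']) trust=$($p['trustType']) registered=$($p['registrationDateTime'])")
}

"=== Persistence review for $Upn ($($findings.Count) items) ==="
$findings
```

Everything this prints is a lead, not a verdict: a delegate or a consent may be legitimate, so compare each item against what the user and their manager recognise before removing it.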
We get on a phone call (15 minutes, usually less), confirm what you're seeing, and start working.
Disable or restrict the affected account first, then revoke all active sessions and refresh tokens so the attacker loses access immediately. The order matters: revoking sessions before the sign-in is blocked just lets the attacker sign in again with the credential they already have.
Reset the password. Review registered MFA methods to make sure the attacker hasn't added their own authenticator or phone number. This is one of the most overlooked persistence mechanisms.
Check for inbox rules forwarding mail externally or hiding messages (remember the rule names are often easy to overlook, e.g. "."), and for mailbox-level forwarding set on the mailbox itself. Check for mailbox delegates the user didn't set up. Review sent items and deleted items for signs of outbound phishing or BEC activity. If the attacker has been replying to financial conversations, the sooner you know, the better.
Review sign-in logs and risk signals from Entra ID. This is one of the first places to look. Location is the column to review first: where did the attacker sign in from? Then what did they access, and how did they authenticate? This gives us the timeline and the scope. Sometimes it's a single phishing hit from one location. Sometimes it's a credential being used across multiple sessions from different countries.
Review OAuth app consents, connected applications, admin role assignments, and any changes to security settings.
If the compromised user's devices are managed through Intune, we check their compliance state and, where needed, trigger actions (remote lock, retire, wipe) from the console. If they're on unmanaged devices, the follow-up needed on those devices becomes an action item and we can give you options.
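The containment sequence above, run in order for one user, as an added example rather than Internacious's own runbook. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an operator with rights to disable users, read sign-in and audit logs and act on Intune devices, and placeholder values for the UPN and the lookback window. The Intune action is left commented out because lock, retire and wipe are decisions to make with the device owner in front of you, not defaults.

```powershell
# Added example: contain one compromised Microsoft 365 account, then pull the timeline.
# Assumes Microsoft.Graph + ExchangeOnlineManagement modules; $Upn and $LookbackDays are placeholders.
param(
    [string]$Upn = 'alice@example.com',
    [int]$LookbackDays = 14
)

Connect-MgGraph -Scopes 'User.ReadWrite.All','AuditLog.Read.All','Directory.Read.All',
    'DeviceManagementManagedDevices.Read.All','DeviceManagementManagedDevices.PrivilegedOperations.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Block sign-in, THEN revoke sessions and refresh tokens. Revoking first would let the
#    attacker re-authenticate with the credential they already hold.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Reset the password to a random value the attacker cannot know; the user sets their own
#    after MFA methods have been reviewed and the account is re-enabled.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes) + '!'
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }

# 3. Sign-in timeline: where, from what IP, into which app, how, and did it succeed.
$since = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -All
$signIns | Sort-Object CreatedDateTime | Select-Object CreatedDateTime, IpAddress,
    @{n='Country'; e={ $_.Location.CountryOrRegion }}, @{n='City'; e={ $_.Location.City }},
    AppDisplayName, ClientAppUsed, ConditionalAccessStatus,
    @{n='Result'; e={ if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Fail($($_.Status.ErrorCode))" } }} |
    Format-Table -AutoSize

# Successful sign-ins grouped by country: one credential used from several countries is the
# pattern that distinguishes ongoing credential abuse from a single phishing hit.
"=== Successful sign-ins by country (last $LookbackDays days) ==="
$signIns | Where-Object { $_.Status.ErrorCode -eq 0 } |
    Group-Object { $_.Location.CountryOrRegion } | Sort-Object Count -Descending |
    Select-Object Name, Count

# 4. Who changed what in the mailbox, and from which IP: rule creation, delegates, forwarding.
"=== Mailbox configuration changes ==="
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) -EndDate (Get-Date) -UserIds $Upn `
    -Operations 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Add-MailboxPermission','Set-Mailbox' -ResultSize 500 |
    Select-Object CreationDate, Operations,
        @{n='ClientIP'; e={ ($_.AuditData | ConvertFrom-Json).ClientIP }} | Format-Table -AutoSize

# 5. Admin roles held by the user; any hit widens the scope beyond this runbook.
$roles = Get-MgUserMemberOf -UserId $Upn -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
if ($roles) { "ESCALATE: user holds directory roles: $($roles -join ', ')" }

# 6. Intune-managed devices for this user, with the reversible action ready but not fired.
foreach ($d in Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$Upn'" -All) {
    "DEVICE $($d.DeviceName) os=$($d.OperatingSystem) compliance=$($d.ComplianceState) lastSync=$($d.LastSyncDateTime)"
    # Remote lock is reversible and a sensible first step if the device is in doubt:
    # Invoke-MgRemoteLockDeviceManagementManagedDevice -ManagedDeviceId $d.Id
    # Retire or wipe only after confirming the device and its data with the owner:
    # Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $d.Id
}
```

Re-enable the account only after the MFA methods, inbox rules, delegates and consents have been reviewed and cleaned up; re-enabling with an attacker-added authenticator still registered hands the account straight back.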
You get a written summary of what happened, what we did, what we found, and what you should do next. A short document that covers the facts, the actions taken, and the gaps that still need attention.
This is for the moment when something looks wrong and you need someone who knows M365 to step in, check it out urgently, and contain it.
Someone fills in their password on a page that looked like a Microsoft login. We have to work out whether the attacker actually got in, and if they did, what they touched.
Clients or colleagues are telling you they received a strange message from someone on your team. The user's Sent Items might be clean (attackers sometimes delete the evidence), but the damage is already in motion.
An “impossible travel” alert. A risky sign-in. A user flagged as compromised in Entra Identity Protection. You can see the alert but you're not sure what to actually do about it.
The password was reset but something still feels off. Maybe the user is still getting password reset emails they didn't request, or their Teams shows activity they don't recognise. Something isn't right and you don't have the tools or knowledge to investigate it.
The incident needs writing up. What happened. What was done. What the risk is moving forward.
If the incident looks bigger than a containment job we can either help with the next phase, or refer you to a specialist forensics firm.
Fixed-fee for standard Microsoft 365 environments. Scope confirmed on the call.
For most incidents (a single compromised account, M365 Business Standard or Premium, straightforward containment), pricing is fixed and agreed on first before we start work. No scope creep.
If you think an attacker may still have access, start with a call. We'll confirm scope quickly and get to work.
Not one of ten platforms we dabble in. M365, Entra ID, Intune, Exchange Online. We know where attackers persist in these environments because we manage them for a living. Inbox rules, OAuth app consents, registered MFA methods, conditional access gaps. We know where to look because we see this stuff routinely.
When you call Internacious, you're talking to Dale Harper. Not a sales rep who'll “get the technical team involved.”
If you want a broader Microsoft 365 security conversation after sorting out the M365 breach, let us know.
Sydney businesses trust us with their most urgent security incidents.
Internacious – Microsoft 365 Account Compromise Lockdown