Microsoft Exchange hacked? What now?

If your Microsoft Exchange account has been hacked, you’re probably panicking and wondering what to do now. Here is a list of steps to take. It’s not exhaustive, but it should at least get you back up and running with a secure account.

Why was your account hacked?

Hackers want people’s usernames and passwords which may then allow them to access their online accounts. They’ll often do this using a technique known as ‘phishing’ – they’ll send an email purporting to come from a legitimate source but linking to fraudulent websites that are designed to steal personal data or information such as credit card numbers, passwords, account data, or other information.

They hack your account to send their phishing links to your contacts, as they know an email sent from a known contact is much more likely to be trusted by the recipient, and an email from a previous contact is much more likely to get through a spam filter. In other words, they want your contacts’ usernames and passwords and will pretend to be you to get them.

Start by changing your password

If you can still log into your account, change your password. If you can’t, can you do a password reset? If this isn’t set up, does your Exchange administrator have access to do this for you? If not, contact Microsoft Exchange support directly as soon as possible to secure your account.

Check your Mail Flow rules

A hacker wants your account to remain accessible to them for as long as possible, so they won’t necessarily change your password themselves, because you’d know straight away that something was wrong. Instead, they’ll make sure that any replies sent to you by confused contacts never arrive in your inbox, so you won’t see them. The only other place you’re likely to check if you stop receiving emails is your junk folder, so it’s more likely that the hacker will have created a rule to send all received emails straight to your deleted folder instead. Therefore, check your mail flow rules to make sure emails aren’t being redirected somewhere else.
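The rule check described above can also be scripted. This is an added example, not part of the original article: `Find-SuspiciousInboxRule` is a hypothetical helper, the sample rules and the mailbox address are constructed, and it assumes rule objects with the property names that the Exchange `Get-InboxRule` cmdlet returns.

```powershell
# Added example: flag rules that delete, hide or divert incoming mail.
# Assumption: input objects use the property names returned by Get-InboxRule.
function Find-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    process {
        $reasons = @()
        if ($Rule.DeleteMessage) { $reasons += 'deletes incoming mail' }
        # Folders a user rarely opens: deleted items, junk, RSS feeds.
        if ("$($Rule.MoveToFolder)" -match 'Deleted Items|Junk|RSS') {
            $reasons += "moves mail to '$($Rule.MoveToFolder)'"
        }
        # Any rule that sends a copy of incoming mail elsewhere deserves a look.
        foreach ($p in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            if ($Rule.$p) { $reasons += "$p -> $($Rule.$p -join ', ')" }
        }
        # Marking as read only matters when combined with one of the above.
        if ($Rule.MarkAsRead -and $reasons.Count) { $reasons += 'marks mail as read' }
        if ($reasons.Count) {
            [pscustomobject]@{
                Name    = $Rule.Name
                Enabled = $Rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules (not taken from a real mailbox).
$sample = @(
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; DeleteMessage = $false
                       MoveToFolder = 'Reading'; MarkAsRead = $false }
    [pscustomobject]@{ Name = '.'; Enabled = $true; DeleteMessage = $false
                       MoveToFolder = 'Deleted Items'; MarkAsRead = $true }
    [pscustomobject]@{ Name = 'sync'; Enabled = $true; DeleteMessage = $true
                       RedirectTo = @('someone@example.net'); MarkAsRead = $false }
)
$sample | Find-SuspiciousInboxRule | Format-Table -AutoSize -Wrap

# Against a live mailbox (requires an Exchange PowerShell session):
# Get-InboxRule -Mailbox user@example.com | Find-SuspiciousInboxRule
```

With the constructed sample, the rules named `.` and `sync` are reported and `Newsletters` is not.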

Check your sent items

I don’t necessarily mean your ‘sent items folder’ (although a look here too won’t go amiss). Rather check which emails have been sent using the ‘message trace’ search function in the ‘mail flow’ section of the Exchange admin. This will show you which emails were sent from your account and to whom they were sent. When you’re back up and running, you may decide to send an email to anyone who received an email from your account sent by the hacker – this is where you’ll find out who that was.

Check your auto-responders

Does everything here look how it should be and how you left it?

Check your RSS feeds

One of the ways hackers will access important emails is by creating an RSS feed. To check this from Outlook, go to the file option (top-left), select ‘account settings’, then select the RSS tab in the following window.

Check app permissions via your online account

Anything else?

Once you’re back up and running and your Microsoft Exchange account is secure, consider enabling two-factor authentication. And of course, it’s a good idea to make sure you’ve got good-quality anti-virus software running.