What to Do If Your Account Is Compromised

Overview

If you think someone else has gotten into your work account, every minute counts. This guide walks you through the immediate steps to lock the attacker out and recover safely. Read it now, before something happens, so you know what to do.

Before You Begin

  • Stay calm. The fastest path back is a clear sequence of steps, not panic.
  • Have your phone nearby for verification calls and MFA prompts.
  • If you cannot reach support right away, start with Step 1 on your own. The most important action is to change your password.

Steps

  1. Contact support immediately. Call or submit a ticket at support.bostonmit.com. Tell us your name, the affected account, and what you noticed. Mark the ticket urgent.
  2. Change your password right now. Go to https://aka.ms/sspr or follow the steps in the article Reset Your Microsoft 365 Password. Choose a brand-new passphrase you have never used.
  3. Sign out of every device. In your browser, go to https://mysignins.microsoft.com, click Sessions, and choose Sign out everywhere. This kicks the attacker off any device where they may still be signed in.
  4. Check your inbox rules. Attackers often create hidden rules to forward your mail or auto-delete messages from IT. In Outlook on the web, click Settings → Mail → Rules and delete anything you did not create.
  5. Check forwarding settings. Still in Outlook settings, click Forwarding and turn it off if it is on.
  6. Review recent sent mail. Look for messages you did not send. Note what was sent and to whom; you will share this with support.
  7. Tell anyone who got a suspicious message from you. A quick Teams message or call is enough. Tell them not to open it.
  8. Watch your MFA prompts for the next 24 hours. If you get a sign-in approval request you did not start, deny it and tell support.
  9. Run a virus scan on your computer. On Windows, open Windows Security → Virus & threat protection → Quick scan. On a Mac, run a scan with your installed endpoint protection.
  10. Wait for support to confirm cleanup. We will review sign-in logs, look for persistence, and confirm your MFA is healthy before closing the ticket.
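
For support staff confirming cleanup, the rule and forwarding checks in Steps 4 and 5 can also be run in bulk. The Python example below is added here and is not part of the original guide or the support team's own tooling; it scans inbox rules exported in the Microsoft Graph messageRule JSON shape and flags external forwarding and rules that delete or hide IT-related mail. The mail domain, the keyword list and the sample rules are assumptions constructed for illustration.

```python
import json

INTERNAL_DOMAIN = "example.com"  # assumption: your company's mail domain

# Constructed sample, shaped like Microsoft Graph messageRule objects.
SAMPLE_RULES = json.loads("""[
 {"displayName": "Newsletters", "conditions": {"senderContains": ["news@"]},
  "actions": {"moveToFolder": "folder-id-1"}},
 {"displayName": ".", "conditions": {},
  "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mail.invalid"}}]}},
 {"displayName": "cleanup",
  "conditions": {"subjectContains": ["password", "suspicious sign-in"]},
  "actions": {"delete": true, "markAsRead": true}}
]""")

FORWARD_KEYS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_KEYS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")
MATCH_KEYS = ("subjectContains", "bodyContains", "bodyOrSubjectContains", "senderContains")
# Assumption: words that typically appear in mail from IT or security alerts.
IT_WORDS = ("password", "security", "sign-in", "phish", "helpdesk")


def review_rule(rule):
    """Return the reasons (possibly none) a rule needs a human look."""
    actions = rule.get("actions") or {}
    conditions = rule.get("conditions") or {}
    reasons = []
    for key in FORWARD_KEYS:
        for rcpt in actions.get(key) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "").lower()
            if not addr.endswith("@" + INTERNAL_DOMAIN):
                reasons.append(f"{key} sends mail outside the company: {addr}")
    hides = [k for k in HIDE_KEYS if actions.get(k)]
    terms = [t.lower() for k in MATCH_KEYS for t in conditions.get(k) or []]
    hits = sorted({w for w in IT_WORDS for t in terms if w in t})
    if hides and hits:  # rule quietly removes mail that looks like it came from IT
        reasons.append(f"{'/'.join(hides)} on mail matching: {', '.join(hits)}")
    return reasons


def review_mailbox(rules):
    """Map rule name -> reasons, keeping only rules with at least one reason."""
    found = {r.get("displayName", ""): review_rule(r) for r in rules}
    return {name: why for name, why in found.items() if why}


if __name__ == "__main__":
    for name, why in review_mailbox(SAMPLE_RULES).items():
        print(repr(name), "->", "; ".join(why))
```

A flagged rule is a prompt to ask the user whether they created it, not proof of compromise; an ordinary filing rule such as the sample "Newsletters" entry passes without a flag.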

Troubleshooting

  • If you cannot sign in at all: the attacker may have changed your password. Call support directly. We can reset it after verifying your identity.
  • If MFA approval prompts keep coming: deny every one and contact support. We will block the account temporarily.
  • If you see Microsoft 365 license activity (new apps, payments): flag this in the ticket. Some attackers buy licenses on your tenant.
  • If a coworker forwarded you something suspicious from your account: that confirms compromise. Move fast.

Need More Help?

Submit a ticket at support.bostonmit.com or email support@bostonmit.com.
