Microsoft 365 · Incident response · Business email compromise

Microsoft 365 Mailbox Hacked? Small Business Response Steps

A practical containment and recovery checklist for small businesses dealing with a compromised Microsoft 365 mailbox, fake invoices, or suspicious email forwarding.

Published 2026-06-11 · Updated 2026-06-11

Contain the account before the attacker keeps using it

If a Microsoft 365 mailbox is compromised, the first priority is to stop active abuse. Reset the password, revoke sessions, confirm MFA status, and block obvious persistence paths before spending time on root-cause analysis.

Force sign-out and review recent sign-ins

Check whether MFA was missing, bypassed, or fatigue-prompted

Preserve logs and message evidence before cleanup removes context

Look for the business-email-compromise patterns

Small-business mailbox compromises often involve quiet persistence rather than loud destruction. Review inbox rules, forwarding, deleted items, delegated access, and whether the attacker impersonated staff to request payments or share malicious files.

Search for hidden forwarding and reply-to manipulation

Check whether clients received fake invoices or payment updates

Review whether other shared mailboxes or admins were touched
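
The inbox-rule and forwarding review described above can be scripted in Exchange Online PowerShell. This is an added example, not part of the original guide: the function name, the contoso.example tenant domain, the keyword list, and the sample rules are assumptions constructed for illustration, while Get-InboxRule (with -IncludeHidden) and Get-Mailbox are the real cmdlets it is meant to be fed from.

```powershell
# Added example (not from the original guide): flag inbox rules that forward
# mail outside the organisation or hide it from the mailbox owner.
# Live use, after Connect-ExchangeOnline (ExchangeOnlineManagement module):
#   Get-InboxRule -Mailbox user@contoso.example -IncludeHidden |
#       Find-SuspiciousInboxRule -InternalDomain contoso.example
# Mailbox-level forwarding is stored separately; check it with:
#   Get-Mailbox user@contoso.example |
#       Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
function Find-SuspiciousInboxRule {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Rule,
        [Parameter(Mandatory)] [string[]] $InternalDomain,
        # Assumed watch list, taken from the lures this guide mentions.
        [string[]] $Keyword = @('invoice', 'payment')
    )
    process {
        $reasons = @()
        # Every address the rule copies or redirects mail to.
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) |
            Where-Object { $_ }
        foreach ($t in $targets) {
            # Assumes targets render like '"Name" [SMTP:user@domain]' or a plain address.
            if ("$t" -match '[^@\s:\[\]"]+@([^\]\s">]+)' -and $InternalDomain -notcontains $Matches[1]) {
                $reasons += "sends mail to external domain $($Matches[1])"
            }
        }
        if ($Rule.DeleteMessage) { $reasons += 'deletes matching mail' }
        if ($Rule.MoveToFolder -and $Rule.MarkAsRead) {
            $reasons += "moves mail to '$($Rule.MoveToFolder)' and marks it read"
        }
        # Keywords alone are not a finding; they add context to a rule already flagged.
        $words = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords)
        $hits = $words | Where-Object { $_ -and ($Keyword -contains $_) }
        if ($hits -and $reasons.Count -gt 0) { $reasons += "targets keywords: $($hits -join ', ')" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Rule = $Rule.Name; Enabled = $Rule.Enabled; Reasons = $reasons -join '; ' }
        }
    }
}

# Constructed sample rules shaped like Get-InboxRule output (not real data).
$sample = @(
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; MoveToFolder = 'Newsletters' }
    [pscustomobject]@{ Name = '.'; Enabled = $true; ForwardTo = @('"ap" [SMTP:ap@mailbox.example]') }
    [pscustomobject]@{ Name = 'sync'; Enabled = $true; MarkAsRead = $true; MoveToFolder = 'RSS Feeds'
                       SubjectOrBodyContainsWords = @('invoice', 'payment') }
)
$sample | Find-SuspiciousInboxRule -InternalDomain 'contoso.example' | Format-List
```

Export the raw Get-InboxRule output before disabling or removing anything the function flags, so the rule definitions survive as evidence.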

Recovery is not finished until you fix the path in

A mailbox reset is only the start. You still need to understand how the attacker got access, which accounts trust that mailbox, and what hardening changes prevent a repeat. For small businesses, this usually means turning a one-mailbox incident into a broader identity and email-control review.

Frequently asked questions

What if the attacker set up forwarding but there are no obvious sent emails?

That is common. Attackers often watch silently, create rules, or send from deleted items and other paths that do not leave a normal sent-mail trail. Rule review and sign-in analysis matter more than the sent folder alone.

Should we tell clients immediately?

Tell them when you know enough to be useful. If fake invoices, payment changes, or malicious messages were sent, notify affected clients quickly with clear instructions on what to ignore and what to verify.

Can a small business handle this without outside help?

Sometimes, if the issue is caught early and you have strong Microsoft 365 admin experience. If the mailbox touched money movement, client trust, or more than one account, specialist incident handling is usually worth it.