← Blog

Account takeover: what it looks like and how to take it back

Tenant Strike4 min read

When an attacker gets into an email or Microsoft 365 account, they try to stay quiet and dig in. Here are the signs of a hijacked account and the exact steps to lock them out and clean up.

When an attacker gets into a work email or Microsoft 365 account, they don't celebrate loudly. They go quiet. A taken-over account is most valuable when no one knows it's been taken over, so the attacker reads, watches, sets up ways to keep their access, and uses your identity against the people who trust you. Knowing the warning signs — and the exact steps to respond — turns a potential disaster into a contained incident.

The signs of a hijacked account

Account takeover often hides in plain sight. Watch for:

  • Sign-in alerts or logins from unfamiliar places — a different country, a strange device, or a time when the person wasn't working.
  • Email that's been read or moved that the owner didn't touch, or sent messages they didn't write.
  • A new forwarding rule quietly copying incoming mail to an outside address — a classic move to keep watching after the password changes.
  • Rules that auto-delete or hide certain emails, especially replies, so the owner doesn't notice the attacker's conversations.
  • Contacts reporting strange messages from you — a fake invoice, an odd link, a request for money or gift cards.
  • Password reset emails for other services the owner didn't request, as the attacker tries to expand.
  • Multi-factor authentication prompts the person didn't trigger, or a new authentication method added to the account.

Any one of these deserves an immediate look. A forwarding rule nobody set up, or contacts reporting weird messages, is close to a confirmation.

The first moves: lock them out

If you suspect a takeover, act in this order. Speed matters, because the attacker is doing the same math.

  1. Change the password immediately — and make it a strong, unique one the attacker can't already have from a breach.
  2. Sign the account out everywhere. Changing the password isn't enough on its own, because the attacker may hold an active session. Microsoft 365 lets an admin revoke all sessions, which kicks them out for real.
  3. Check and turn on multi-factor authentication, and remove any authentication method you don't recognize — attackers sometimes add their own so they can get back in.
  4. Hunt for forwarding rules and hidden rules, and delete any the owner didn't create. This is the step people forget, and it's how attackers keep reading mail long after the password changes.

Those four steps cut off the attacker's access. Now you clean up.

The cleanup: undo the damage and check the spread

  1. Review what they could have reached. What was in that mailbox or those files? Sensitive data, client information, payment details? This shapes who you may need to tell.
  2. Warn your contacts if needed. If the attacker sent messages from the account, let recipients know so they don't act on a fake invoice or a malicious link sent in your name.
  3. Check whether it spread. Did the attacker use this account to reset others, or reach shared systems? Reset anything that may have been exposed.
  4. Tell your bank and, if relevant, your insurer — immediately if any money moved or was requested.
  5. Look at the other accounts using that password. If the person reused it, every one of those accounts is now at risk; change them too.
  6. Write down what happened and when. A simple timeline helps your IT support, your insurer, and your own understanding of how to prevent the next one.

Prevent the repeat

A takeover is also a lesson. The same account got in once; make sure it can't the same way. Enforce multi-factor authentication so a stolen password isn't enough. Block the older sign-in methods that ignore it. And get in the habit of periodically checking for the quiet signs — especially forwarding rules — across your accounts, since attackers rely on those going unnoticed.

That last point is hard to do by hand across a whole team, and it's exactly the kind of thing that hides until it hurts. Tenant Strike reads your Microsoft 365 settings in read-only mode and surfaces these takeover signals and weak points in plain English — accounts where multi-factor authentication isn't truly enforced, the presence of risky forwarding rules, sign-in paths that bypass your protections. It's a five-minute check that helps you catch a quiet problem before it becomes a loud one, and close the gaps that let it happen.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.