Compromised Mail Users in Microsoft 365
Audience: Security Operations and Email Administrators.
Purpose: Investigate and remediate potentially compromised Microsoft 365 mail accounts.
Overview
When Microsoft detects behavior indicating a potentially compromised mail user, an automated investigation is created in the Security Portal. This guide covers how to work through that investigation and resolve it.
Investigation Process
Step 1: Access Investigations
- Navigate to the Investigations page in the Security Portal
- Use the blue link to open the investigation in a new window
Step 2: Examine Evidence
Review the investigation details and evidence to determine whether the activity is a:
- False Positive — Normal user behavior incorrectly flagged
- True Positive — Actual compromise requiring remediation
Step 3: Resolve False Positives
If determined to be a false positive:
- Resolve the alert and mark as False Positive
- Go to the Pending Actions tab
- Reject the recommended action of resetting the password
Action Note
Rejecting the password reset has no visible effect, but it should still be done so that the investigation record is complete for audit purposes.
Step 4: Remove Restrictions
- Visit the Restricted Users page
- Locate the affected user
- Remove the restrictions
Step 5: Resolve Alerts
Navigate to the Alerts page and resolve:
- Suspicious email activity alerts
- User restricted from sending email alerts
Unblocking Users
If a user was erroneously blocked from sending mail:
- Navigate to Restricted Users
- Select the user
- Click Unblock
- Confirm the action
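The evidence review in Step 2 and the unblock above can also be done from Exchange Online PowerShell. The following is an added example, not part of this runbook; the user address, the seven-day lookback window and the operator's role assignment are assumptions.

```powershell
# Added example (not part of the runbook): PowerShell equivalent of the
# "Examine Evidence" and "Unblocking Users" steps, using the
# ExchangeOnlineManagement module. Assumes the operator's account is
# permitted to read the unified audit log and manage restricted senders.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. 'user@contoso.com' (assumed)
    [int] $LookbackDays = 7                               # assumed window
)

Connect-ExchangeOnline -ShowBanner:$false

# 1. Evidence: inbox-rule and mailbox-setting changes shortly before the
#    alert are a common sign of a true positive, so pull them from the
#    unified audit log and show when and from which client IP they occurred.
$ops    = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$LookbackDays) `
            -EndDate (Get-Date) -UserIds $UserPrincipalName `
            -Operations $ops -ResultSize 500

if ($events) {
    Write-Host "Mailbox configuration changes in the last $LookbackDays days:"
    $events | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json     # details live in the JSON payload
        [pscustomobject]@{
            Time      = $_.CreationDate
            Operation = $_.Operations
            ClientIP  = $d.ClientIP
        }
    } | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No inbox-rule or mailbox changes found in the window."
}

# 2. Restriction state: is the user currently blocked from sending?
$blocked = Get-BlockedSenderAddress -SenderAddress $UserPrincipalName
if (-not $blocked) {
    Write-Host "$UserPrincipalName is not on the restricted senders list."
} else {
    Write-Host "$UserPrincipalName is restricted (reason: $($blocked.Reason))."
    # Remove the restriction only after the analyst has confirmed a false positive.
    $answer = Read-Host "Confirmed false positive? Type UNBLOCK to remove the restriction"
    if ($answer -eq 'UNBLOCK') {
        Remove-BlockedSenderAddress -SenderAddress $UserPrincipalName
        Write-Host "Restriction removed; now resolve the matching alerts in the portal."
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

The audit-log query returns records only if auditing is enabled for the tenant, so an empty result is not by itself proof of a false positive.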
Quick Reference
| Task | Location |
|---|---|
| View Investigations | security.microsoft.com/airinvestigation |
| View Restricted Users | security.microsoft.com/restrictedusers |
| View Alerts | protection.office.com/viewalerts |