If you suspect Microsoft 365 credentials, mailbox data, or tenant information has leaked, the first hours matter most.
This guide explains how to respond if Microsoft 365 is leaked, from immediate containment to investigation and hardening.
What a Microsoft 365 leak can involve
A Microsoft 365 leak is broader than a single stolen password.
It can include compromised Entra ID accounts, exposed Exchange Online mailboxes, shared OneDrive files, Teams messages, SharePoint documents, application secrets, or administrator access tokens.
Common leak scenarios include:
- Phishing that captures user credentials or multifactor authentication codes
- Password reuse after an unrelated third-party breach
- Misconfigured SharePoint or OneDrive sharing links
- Compromised privileged accounts in Microsoft Entra ID
- OAuth consent abuse by malicious applications
- Leaked service principal secrets, API keys, or certificates
Understanding the leak type helps you prioritize containment.
A single user account compromise is serious; an admin account or tenant-wide exposure is a broader incident.
What to do immediately
Act quickly and coordinate through a designated incident owner.
If you already have a security team or managed security provider, bring them in immediately and preserve evidence as you move.
1. Contain the exposure
- Disable the affected account or force sign-out across sessions.
- Reset the password and revoke refresh tokens.
- Remove suspicious inbox rules, forwarding rules, and delegated access.
- Disable compromised apps, app registrations, or service principals.
- Pause external sharing on sensitive SharePoint and OneDrive locations if needed.
2. Protect privileged access
If an administrator account may be involved, reset that account first and review role assignments in Microsoft Entra ID.
Privileged Identity Management, if deployed, should be checked for unexpected activations or permanent role changes.
3. Preserve logs and evidence
Before making too many changes, retain sign-in logs, audit logs, Unified Audit Log events, mailbox audit data, and alert history.
These records help determine whether the leak was limited to one user or expanded into a larger breach.
How to verify the scope of the leak
To respond effectively, you need to know what was accessed, altered, or exfiltrated.
Microsoft 365 environments generate useful telemetry across Entra ID, Exchange Online, SharePoint, OneDrive, Defender for Office 365, and Microsoft Defender for Cloud Apps.
Review identity activity
Check for impossible travel, unfamiliar IP addresses, device changes, legacy authentication usage, and repeated MFA prompts.
Also review whether the attacker added alternate authentication methods, such as a new phone number or authentication app.
Inspect mailbox and collaboration data
In Exchange Online, look for new inbox rules, hidden forwarding, deleted items, unusual search activity, and suspicious sharing.
In SharePoint and OneDrive, verify file access patterns, external guest access, and sharing links created outside normal workflow.
Search for persistence
Attackers often leave persistence behind.
Look for malicious OAuth grants, newly registered applications, added mailbox delegates, hidden admin roles, and changes to Conditional Access policies.
If the environment uses Defender for Cloud Apps, review risky app activity and abnormal data downloads.
What to communicate internally
Clear communication prevents confusion and slows secondary damage.
Keep the message factual, brief, and role-specific.
- Notify IT, security, and management with the incident scope and actions taken.
- Warn employees not to click suspicious links or approve unexpected MFA requests.
- Tell affected users to change passwords only when instructed, so responders can preserve evidence.
- Escalate to legal, privacy, and compliance teams if customer or employee data may be involved.
If regulated data is exposed, the response may need to include contractual notifications, breach assessments, and formal incident documentation.
Should you notify customers or regulators?
Notification decisions depend on what data was exposed, where the organization operates, and what laws or contracts apply.
In many cases, a Microsoft 365 leak can trigger obligations under GDPR, CCPA, HIPAA, GLBA, or industry-specific agreements.
Use these questions to guide the review:
- Was personal, financial, or health information accessed?
- Was the data encrypted or otherwise protected?
- Could the exposure create identity theft, fraud, or reputational harm?
- Were credentials, tokens, or administrator rights exposed?
Have legal counsel and privacy leadership validate all external notices before they are sent.
How to harden Microsoft 365 after a leak
Once the immediate incident is contained, strengthen the tenant so the same attack path is harder to repeat.
Focus on identity, email, data sharing, and monitoring.
Strengthen identity controls
- Require multifactor authentication for all users, especially administrators.
- Block legacy authentication protocols such as POP, IMAP, and basic auth where possible.
- Use Conditional Access to restrict sign-ins by device compliance, location, or risk.
- Implement least privilege and review role assignments regularly.
- Use Privileged Identity Management for just-in-time admin access.
Tighten email and collaboration security
- Review mail flow rules and disable unsafe auto-forwarding.
- Enable Microsoft Defender for Office 365 protections against phishing and malicious links.
- Audit SharePoint and OneDrive external sharing policies.
- Limit guest access in Microsoft Teams to approved business scenarios.
Improve detection and response
Centralize Microsoft 365 logs in a SIEM such as Microsoft Sentinel or another security platform.
Create alerts for new inbox rules, mass file downloads, impossible travel, suspicious consent grants, and admin role changes.
Regular tabletop exercises help teams respond faster during the next incident.
Common mistakes to avoid
During a Microsoft 365 leak, rushed actions can make investigation harder or allow attackers to stay hidden.
- Do not wipe the account without preserving logs first.
- Do not assume a password reset alone removes all access.
- Do not overlook service accounts and app credentials.
- Do not ignore OneDrive, SharePoint, and Teams data exposure.
- Do not delay privileged account review if an admin may be compromised.
How to prepare before a leak happens
The best time to decide how to respond if Microsoft 365 is leaked is before an incident occurs.
Preparation shortens downtime and reduces business impact.
- Maintain an incident response runbook for Microsoft 365 and Entra ID.
- Document tenant owners, break-glass accounts, and escalation contacts.
- Test backup and recovery for Exchange Online, SharePoint, and OneDrive data.
- Review authentication methods and remove weak or unused options.
- Train users to report suspicious login prompts, forwarding rules, and consent requests.
With a clear plan, the right telemetry, and disciplined containment steps, a Microsoft 365 leak can be investigated and controlled without losing visibility into what happened.