Sending Spam
If a mailbox is sending spam, the account is almost certainly compromised. Immediate containment limits damage and protects your sending reputation.
Typical causes
- Phished or leaked credentials
- Weak or missing MFA
- Legacy authentication protocols still enabled
- Malicious inbox rules hiding attacker activity
Remediation steps
- Contain the account and revoke active sessions
- Remove malicious rules and forwarding
- Assess scope across the tenant
- Harden authentication controls
- Verify sending reputation and blocklist status
Immediate response
What to do if your Office 365 mailbox is sending spam
If a mailbox in your organisation is sending spam or phishing emails, the account is almost certainly compromised. Speed of response directly limits the damage to your sending reputation and reduces risk to recipients.
- Block the affected account and revoke all active sessions immediately.
- Reset the password and verify MFA is enforced before restoring access.
- Check for malicious inbox rules that may be hiding attacker activity.
- Review Microsoft 365 message trace to understand the volume and recipients of sent spam.
- Check whether your domain has been added to any email blocklists.
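The containment, inbox-rule and message-trace steps above can be run from PowerShell. This is an added example, not a script from the original page. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the operator holds the necessary admin roles. The parameter names, the seven-day window and the rule-review heuristic are assumptions made for illustration.

```powershell
# Added example: contain one suspected mailbox and collect triage data.
param(
    [Parameter(Mandatory)] [string] $Upn,   # affected mailbox, e.g. user@example.com (placeholder)
    [int] $LookbackDays = 7                 # assumed review window; message trace covers up to 10 days
)

Connect-MgGraph -Scopes 'User.ReadWrite.All'
Connect-ExchangeOnline -ShowBanner:$false

# 1. Block sign-in first, then revoke refresh tokens so existing sessions stop working.
Update-MgUser -UserId $Upn -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null

# 2. Inbox rules. Assumed heuristic: rules that forward, redirect or delete mail
#    are the ones to review by hand first. Nothing is removed automatically.
$rules   = @(Get-InboxRule -Mailbox $Upn)
$suspect = @($rules | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
})
"{0} inbox rules found, {1} flagged for review" -f $rules.Count, $suspect.Count
$suspect | Format-List Name, Enabled, ForwardTo, ForwardAsAttachmentTo,
                       RedirectTo, DeleteMessage, MoveToFolder, Description

# Mailbox-level forwarding is configured separately from inbox rules.
Get-Mailbox -Identity $Upn |
    Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Message trace: volume and top recipients of mail sent from the account.
#    Newer module versions provide Get-MessageTraceV2 as the replacement cmdlet.
$end   = Get-Date
$start = $end.AddDays(-$LookbackDays)
$sent  = @(Get-MessageTrace -SenderAddress $Upn -StartDate $start -EndDate $end -PageSize 5000)
"{0} messages sent from {1} since {2:u}" -f $sent.Count, $Upn, $start
$sent | Group-Object RecipientAddress |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name

# 4. Has Microsoft restricted this sender from sending outbound mail?
Get-BlockedSenderAddress -SenderAddress $Upn

# Password reset and the MFA check happen before the account is re-enabled;
# they are deliberately left as manual steps here.
```

Save the flagged rules and the trace output as evidence before deleting any rule with `Remove-InboxRule`.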
If the account has been sending spam for more than a short period, Microsoft may have restricted outbound mail from your tenant. A broader review of authentication controls is usually required to prevent recurrence.