What to Do If Your Microsoft 365 or Endpoints Are Hit by a Cyberattack

Your Microsoft 365 account has been breached. Here is what to do within the next 24 hours to limit the damage, restore your data, and stop it from happening again.

written by Jamie E.

It is 8am on a typical Monday morning. You cannot access your files. Suspicious emails are being sent from your company account that nobody on your team actually wrote. Your Microsoft 365 account, or worse, your entire endpoint environment, has been compromised. It is a nightmare situation, and the actions you take in the next few hours will determine whether your business recovers quickly or suffers lasting consequences. This step-by-step guide is designed for UK-based small businesses and SMEs using Microsoft 365. It will help you respond swiftly, secure your systems, and protect your organisation from further damage.


What you do next matters: it can decide whether your business recovers swiftly or suffers lasting damage.


Step 1: Act Immediately (Contain the Threat)

  1. Time is crucial in cases like this: the faster you act, the better your chances of limiting the damage.
  2. Disconnect infected devices from the internet and from the internal network. Disable Wi-Fi, unplug Ethernet cables, or isolate the devices remotely if you have a tool such as Microsoft Defender for Endpoint.
  3. Revoke access for every Microsoft 365 account you suspect is compromised. Reset passwords and enable multi-factor authentication (MFA) if it is not already enabled.
  4. If you use Microsoft Intune XDR, use the remote wipe or quarantine feature on the affected devices and systems.
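As an added example (this is not code from the original article), the containment actions in points 2 and 3 can be scripted so they are done consistently and in the right order while you are under pressure. It uses the Microsoft Graph PowerShell SDK and the Defender for Endpoint "isolate" API; the user principal name, device id and access token below are constructed placeholders, and obtaining the Defender API token is assumed to happen separately.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph
# module is installed and the signed-in admin can manage users.
Connect-MgGraph -Scopes "User.ReadWrite.All"

function Invoke-AccountContainment {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # 1. Block sign-in first so nothing new can start while you work.
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false

    # 2. Invalidate every existing session and refresh token. A password reset
    #    alone leaves already-issued tokens valid until they expire.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # 3. Set a random temporary password that must be changed at next sign-in.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)   # hand over out-of-band, never by email
    Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
        Password                      = $tempPassword
        ForceChangePasswordNextSignIn = $true
    }

    # Keep a timestamped note for the incident record (Step 7).
    Write-Host "$(Get-Date -Format o): $UserPrincipalName disabled, sessions revoked, password reset"
    return $tempPassword
}

function Invoke-DeviceIsolation {
    param(
        [Parameter(Mandatory)][string]$MachineId,    # Defender for Endpoint device id
        [Parameter(Mandatory)][string]$AccessToken,  # token for api.securitycenter.microsoft.com (obtained separately)
        [string]$Comment = "Isolated during incident response"
    )
    # Full isolation cuts all network traffic except to the Defender cloud service,
    # so the device can still be investigated remotely while it cannot spread anything.
    $body = @{ Comment = $Comment; IsolationType = "Full" } | ConvertTo-Json
    Invoke-RestMethod -Method Post `
        -Uri "https://api.securitycenter.microsoft.com/api/machines/$MachineId/isolate" `
        -Headers @{ Authorization = "Bearer $AccessToken"; "Content-Type" = "application/json" } `
        -Body $body
}

# Constructed example values; replace with the real account and device.
$temp = Invoke-AccountContainment -UserPrincipalName "j.smith@example.co.uk"
Invoke-DeviceIsolation -MachineId "<defender-device-id>" -AccessToken "<token>"
```

Disabling the account before revoking sessions matters: the revoke call invalidates refresh tokens, but access tokens already issued can live for up to an hour, so the account stays disabled (see Step 4) until you are satisfied the attacker is out.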


Step 2: Identify the Source of the Attack

  1. Work out how the attackers got in. Without that, you cannot stop the damage or prevent future breaches.
  2. Use Microsoft 365 Defender or the Security Centre to trace suspicious activity. Unusual login locations, mailbox forwarding rules, and privilege escalation are all strong clues to how they got in.
  3. Check the audit logs in the Microsoft Purview compliance portal or the Security & Compliance Centre to track account activity and file access.
  4. Look for phishing emails or malicious attachments that could have triggered the breach. Be extremely careful: the same phishing email can be used again to compromise the new devices or systems you are using to find their access point.
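The three signals in points 2 and 3 (sign-in locations, forwarding rules, audit-log activity) can be pulled for one account in a few minutes. The script below is an added example, not part of the original article; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the signed-in admin can read sign-in logs and the unified audit log, and the account name is a constructed placeholder.

```powershell
# Added example, not from the original article.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
Connect-ExchangeOnline

function Get-SignInSummary {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$Top = 500)
    # Entra ID sign-in log (retention depends on licence). Grouping by IP, country,
    # app and outcome makes an unfamiliar location or a burst of failures stand out.
    Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$UserPrincipalName'" -Top $Top |
        Group-Object {
            $outcome = if ($_.Status.ErrorCode -eq 0) { "success" } else { "failure" }
            "$($_.IpAddress) | $($_.Location.CountryOrRegion) | $($_.AppDisplayName) | $outcome"
        } |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

function Get-MailboxRedirection {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Inbox rules that forward, redirect, delete or hide mail are the classic
    # business email compromise foothold.
    $rules = Get-InboxRule -Mailbox $UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
                       $_.DeleteMessage -or $_.MoveToFolder } |
        Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
    # Mailbox-level forwarding (set by an admin, or by an attacker with admin rights).
    $mailbox = Get-Mailbox -Identity $UserPrincipalName |
        Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
    [pscustomobject]@{ SuspiciousRules = $rules; MailboxForwarding = $mailbox }
}

function Get-AccountAuditTrail {
    param([Parameter(Mandatory)][string]$UserPrincipalName, [int]$Days = 30)
    # Unified audit log: rule creation, mailbox changes, role grants, app consents.
    $ops = "New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox",
           "Add member to role.", "Consent to application."
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
        -UserIds $UserPrincipalName -Operations $ops -ResultSize 5000 |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json   # AuditData is a JSON string
            [pscustomobject]@{ Time = $d.CreationTime; Operation = $d.Operation; ClientIP = $d.ClientIP }
        } |
        Sort-Object Time
}

$upn = "j.smith@example.co.uk"   # constructed example
Get-SignInSummary     -UserPrincipalName $upn | Format-Table -AutoSize
Get-MailboxRedirection -UserPrincipalName $upn
Get-AccountAuditTrail  -UserPrincipalName $upn | Format-Table -AutoSize
```

Export the three outputs (for example with `Export-Csv`) before you change anything: they become the timeline you hand to your IT team in Step 3 and the evidence for the post-incident review in Step 7.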


Step 3: Notify Your IT or Security Team

  1. If you have an internal IT department or an external cybersecurity provider, now is the time to escalate the issue. Provide them with a timeline of events, the known affected users or endpoints, and any screenshots or alerts received in the past month (or further back if needed; some attacks are planned months in advance).
  2. If your business has no internal team, contact Microsoft Support or your managed service provider urgently. If you manage Microsoft services directly, you can initiate Microsoft's own Incident Response plan: Microsoft 365 has a dedicated incident response team that can help and support you in high-severity situations such as ransomware, business email compromise, or nation-state threats.


Step 4: Remove the Threat and Clean Up

Once the source of the attack has been found:

  1. Your investigation will most likely have turned up malicious files, fake user accounts created by the attackers, and suspicious apps or browser extensions installed without permission. All of these need to be removed.
  2. Re-image compromised machines or restore them from a known-good snapshot. It is safer to completely wipe and reinstall the system from a clean, trusted setup.
  3. Update all endpoints, software, and firmware to patch any vulnerabilities. Most attackers exploit outdated software or systems, so patching (firmware included) closes the security gap they used and helps prevent them getting back into your system or network the same way.
  4. Re-enable affected accounts only after confirming they are secure. Do not rush to turn compromised accounts back on: first confirm there is no remaining suspicious activity linked to them, change their passwords, and enable multi-factor authentication if it is not already enabled. Only then restore access for users.
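The tenant-side clean-up in points 1 and 4 (removing forwarding rules and rogue accounts or app consents, then re-enabling the user only once the account is clean) looks like this in PowerShell. This is an added example rather than the article's own procedure; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules, and the user name and time window are constructed placeholders.

```powershell
# Added example, not from the original article.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All"
Connect-ExchangeOnline

function Remove-MailboxPersistence {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Delete rules that forward, redirect, delete or hide mail. Review the list
    # from the investigation step first: a legitimate rule can match too.
    Get-InboxRule -Mailbox $UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
                       $_.DeleteMessage -or $_.MoveToFolder } |
        Remove-InboxRule -Confirm:$false
    # Clear mailbox-level forwarding as well.
    Set-Mailbox -Identity $UserPrincipalName -ForwardingSmtpAddress $null `
        -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

function Get-RecentlyCreatedUsers {
    param([int]$Days = 30)
    # Accounts created inside the attack window; compare against your joiner records.
    Get-MgUser -All -Property Id, UserPrincipalName, DisplayName, CreatedDateTime |
        Where-Object { $_.CreatedDateTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object UserPrincipalName, DisplayName, CreatedDateTime
}

function Get-UserAppConsents {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # OAuth consents the user has granted to applications. An unknown app holding
    # Mail.Read, Mail.Send or offline_access is a persistence mechanism that survives
    # a password reset; remove it with Remove-MgOauth2PermissionGrant after review.
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id
    Get-MgOauth2PermissionGrant -All |
        Where-Object { $_.PrincipalId -eq $user.Id } |
        ForEach-Object {
            $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
            [pscustomobject]@{ App = $sp.DisplayName; AppId = $sp.AppId; Scope = $_.Scope; GrantId = $_.Id }
        }
}

function Enable-VerifiedAccount {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # Refuse to re-enable while any forwarding or redirect rule is still present.
    $leftovers = Get-InboxRule -Mailbox $UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    if ($leftovers) { throw "Forwarding rules still present on $UserPrincipalName; not re-enabling." }
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$true
}

$upn = "j.smith@example.co.uk"   # constructed example
Remove-MailboxPersistence -UserPrincipalName $upn
Get-RecentlyCreatedUsers -Days 30 | Format-Table -AutoSize
Get-UserAppConsents -UserPrincipalName $upn | Format-Table -AutoSize
Enable-VerifiedAccount -UserPrincipalName $upn
```

The app-consent check is the one most often missed: a malicious OAuth app keeps reading the mailbox after the password has been changed, because it holds its own token rather than the user's password.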


Step 5: Recover and Restore

With the attack contained and cleaned up:

  1. Restore data from secure backups, ideally stored offline or in immutable cloud storage. This is where you recover your important files, emails, and systems from backup copies. Those backups should be offline (kept on a disconnected device or drive the attackers could not touch) or immutable (stored so that they cannot be changed or deleted in any way, even by admins or malware).
  2. Before moving forward, make sure the attacker has not left anything behind. Malicious code could still be hiding in the system waiting to reactivate, and some attackers install what is known as a backdoor: a secret method of getting back in later. Run full scans using endpoint protection tools such as Microsoft Defender for Endpoint, and manually check logs and suspicious files with your IT or security team. You want to be 100% confident that the threat is truly gone.
  3. Devices that were infected or disconnected should not rejoin your company network until they are fully cleaned and scanned. If you reconnect too soon, a hidden threat could spread again. Think of it like quarantine during a pandemic: no re-entry until you know everything is healthy.
  4. If you don’t have reliable backups, contact a data recovery specialist before trying to rebuild systems.
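For points 2 and 3, a simple "fit to rejoin" check run locally on each cleaned device stops someone reconnecting a machine that has not actually finished scanning. The script below is an added example, not from the original article; it uses the built-in Defender cmdlets in an elevated PowerShell session, and the one-day freshness thresholds are assumptions you can tighten.

```powershell
# Added example, not from the original article. Run elevated on the cleaned device.
function Test-EndpointReadyToRejoin {
    # Refresh definitions, then run a full scan (this blocks until the scan finishes).
    Update-MpSignature
    Start-MpScan -ScanType FullScan

    $status   = Get-MpComputerStatus
    $threats  = Get-MpThreat            # threats Defender knows about on this host
    $detected = Get-MpThreatDetection   # detection events with their remediation result

    $checks = [ordered]@{
        RealTimeProtectionOn    = $status.RealTimeProtectionEnabled -eq $true
        SignaturesFresh         = $status.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-1)
        FullScanCompletedToday  = $status.FullScanEndTime -gt (Get-Date).AddDays(-1)
        NoActiveThreats         = @($threats  | Where-Object { $_.IsActive }).Count -eq 0
        AllDetectionsRemediated = @($detected | Where-Object { -not $_.ActionSuccess }).Count -eq 0
    }

    # Print a one-line verdict per check so the result can go straight into the incident log.
    $checks.GetEnumerator() | ForEach-Object { "{0,-24} {1}" -f $_.Key, $_.Value }
    return ($checks.Values -notcontains $false)
}

if (Test-EndpointReadyToRejoin) {
    Write-Host "Device passed all checks; safe to reconnect after portal review."
} else {
    Write-Host "Device NOT ready; keep it isolated and escalate."
}
```

This local check complements, rather than replaces, the device's page in the Defender for Endpoint portal: a detection that Defender could not remediate (`ActionSuccess` false) is exactly the case where you want your IT or security team to look at the file by hand before the device goes back on the network.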


Step 6: Strengthen Your Security Posture

  1. Once the threat has been removed and systems are restored, this is your chance to improve your security so it does not happen again.
  2. Enforce MFA for all users in the company. This blocks attackers even if they steal a password, because they will not have access to the second factor. MFA is one of the most effective ways to stop unauthorised access.
  3. Deploy Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. Defender for Endpoint also lets you monitor, detect, and respond to suspicious activity across all devices in real time.
  4. Review and apply Conditional Access policies to limit access based on device, location, or risk. This stops attackers from easily getting in even if they somehow obtain a username and password.
  5. Reduce admin privileges and implement least-privilege access.
  6. Provide cybersecurity awareness training to all staff, especially about phishing.
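Points 2, 4 and 5 can be put in place through Conditional Access and a role review. The script below is an added example, not the article's own configuration; it assumes the Microsoft.Graph module and an admin who can write Conditional Access policies, and the break-glass account ids are placeholders you must supply (every tenant should have at least one emergency-access account excluded from these policies so an MFA outage cannot lock you out of your own tenant).

```powershell
# Added example, not from the original article.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

function New-MfaForAllPolicy {
    param([Parameter(Mandatory)][string[]]$BreakGlassUserIds, [switch]$Enforce)
    # Start in report-only: the sign-in log then shows who WOULD have been blocked,
    # so you can fix service accounts and shared mailboxes before flipping to enforced.
    $body = @{
        displayName   = "IR: Require MFA for all users"
        state         = $(if ($Enforce) { "enabled" } else { "enabledForReportingButNotEnforced" })
        conditions    = @{
            users        = @{ includeUsers = @("All"); excludeUsers = $BreakGlassUserIds }
            applications = @{ includeApplications = @("All") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function New-BlockLegacyAuthPolicy {
    param([Parameter(Mandatory)][string[]]$BreakGlassUserIds, [switch]$Enforce)
    # MFA only helps if legacy protocols (IMAP, POP, SMTP AUTH, ActiveSync basic auth)
    # that cannot prompt for a second factor are blocked too; otherwise a stolen
    # password still works through them.
    $body = @{
        displayName   = "IR: Block legacy authentication"
        state         = $(if ($Enforce) { "enabled" } else { "enabledForReportingButNotEnforced" })
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = $BreakGlassUserIds }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Get-GlobalAdmins {
    # Least privilege: every Global Administrator should be justified. Move the rest
    # to scoped roles (Exchange Administrator, Helpdesk Administrator, and so on).
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
}

$breakGlass = @("<object-id-of-emergency-account>")   # placeholder, supply your own
New-MfaForAllPolicy        -BreakGlassUserIds $breakGlass   # report-only first
New-BlockLegacyAuthPolicy  -BreakGlassUserIds $breakGlass   # report-only first
Get-GlobalAdmins
```

Leave both policies in report-only mode for a few days, review the sign-in log for anything that would have been blocked, then re-run with `-Enforce` (or switch the state in the Entra admin centre).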


Step 7: Document and Learn

  1. Record every step taken during the incident: what was affected, how you responded, and what you learned.
  2. Conduct a post-incident review with your team or IT partner.
  3. Update or create a formal Incident Response Plan based on what went well and what didn’t.


Why You Need an Incident Response Plan

Many small and medium-sized businesses believe they are “too small” to be targeted, but that is not true. Cybercriminals often target smaller organisations precisely because they expect weaker defences. Having an incident response plan makes sure your team knows what to do in a crisis: you can act quickly, reduce downtime, and recover faster with less long-term damage.


Final Thoughts

Cyberattacks can hit any business, at any time. If your Microsoft 365 or endpoints are compromised, your first actions matter most. By following these steps (contain, investigate, recover, and strengthen), you will be better equipped to face the storm and come out stronger.