Before you remove your delegated permissions you should check for mail forwarding. The steps are below.
8. Review mail forwardingAnother thing hackers like to do when they gain access to your mailbox is setup mail forwarding. In short, they may use your account to send phishing attacks to other organizations and request information from other people. So we'll need to disable any mail forwarding the hacker has setup.
Open Outlook OWA > Click your
pro le icon in the top right. Click
Open another mailbox.
2. Type the user's
display name in the box provided. Click the
user that
appears in thedropdown. Click
Open.
3. Click the
settings gear in the top right >
View all Outlook settings.
4. Click
Forwarding >
uncheck Enable forwarding. Click
Save.
Don't remove those permissions just yet. If you did nd an inbox rule or a forwarding rule we'll need to undo the damage!
9. Move any emails that were deleted/moved to anew folderIn short, you'll need to move any emails that were deleted or moved to another folder back to the original location. Typically, the original location is the inbox but I'd recommend checking with the user to see if anything else moved or is out of place.
10. Review audit logs to see if the malicious actor did anythingelseTypically, performing everything above is a good measure to undo the damage and access to the malicious user but you never know. Take a quick gander at the audit logs to verify. Especially, if
the user account that was compromised was an admin account. The hacker may have dropped in another account and assigned an admin role to it. Go to the
Microsoft 365 Defender admin center >
Share with your friends: 
