Audit

2. Type the user's name in the Users box. Click the user in the drop-down.

3. Enter the start and end times accordingly. Click Search. The search will take 5 or more minutes to complete. Click Refresh until the search says "Completed". Click the search name. Review the logs, or export to CSV for easier filtering and deleting of rows, so you can scan through all the content to look for anything else the hacker did.

11. Unblock the account to allow sending emails

Sometimes a malicious actor will get into one of your mailboxes and send a ton of spam. When Microsoft catches a mailbox sending spam, they block the mailbox from sending emails. Blocking outbound emails on a mailbox is good for you and the world. It's good for the world because Microsoft can keep hackers from accessing more organizations and spreading their nonsense all over the place. It's good for you and your organization because it prevents damage to your company's reputation. Anyway, let's jump in and unblock the account.

Go to Microsoft 365 Defender admin center > Review > Restricted entities. Click the user in the list. Click Unblock > Next > Submit > Yes.

12. Enable MFA

If MFA isn't already enabled, I would recommend it. It's a great second line of defense in case a user has their password stolen. There are several ways to enable MFA in a tenant / for a user in Microsoft 365. That's already covered in The many ways to implement multi-factor authentication (MFA) in Microsoft 365, so I won't go into detail about it. But you really should consider enabling MFA.
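
For the audit log review described above, an exported CSV can be summarised with a short script before you scan it row by row. This is an added example, not part of the original article. It assumes the export has the columns CreationDate, UserIds, Operations and AuditData, that AuditData is JSON carrying ClientIP or ClientIPAddress, and it uses a starting watchlist and constructed sample rows.

```python
import csv
import io
import json
from collections import Counter

# Assumed starting watchlist of operations worth a closer look; extend for your tenant.
WATCHLIST = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules",
             "Set-Mailbox", "Add-MailboxPermission"}

# Constructed sample; assumed export columns: CreationDate, UserIds, Operations, AuditData.
SAMPLE_CSV = '''CreationDate,UserIds,Operations,AuditData
2024-01-05T08:01:10Z,user@example.com,UserLoggedIn,"{""ClientIP"": ""203.0.113.7""}"
2024-01-05T08:03:42Z,user@example.com,New-InboxRule,"{""ClientIP"": ""203.0.113.7:50211""}"
2024-01-05T08:09:00Z,user@example.com,MailItemsAccessed,"{""ClientIPAddress"": ""203.0.113.7""}"
2024-01-05T09:15:27Z,user@example.com,UserLoggedIn,"{""ClientIP"": ""198.51.100.20""}"
2024-01-05T09:20:00Z,user@example.com,FileAccessed,not-json
'''

def client_ip(audit_data):
    """Return the client IP recorded in one AuditData cell, or None."""
    try:
        data = json.loads(audit_data)
    except (TypeError, ValueError):
        return None  # empty or non-JSON cell: the row is still counted, just without an IP
    ip = (data.get("ClientIP") or data.get("ClientIPAddress")) if isinstance(data, dict) else None
    if not isinstance(ip, str) or not ip:
        return None
    if ip.startswith("[") and "]" in ip:   # "[2001:db8::1]:443" -> "2001:db8::1"
        return ip[1:ip.index("]")]
    if ip.count(":") == 1:                 # "203.0.113.7:50211" -> "203.0.113.7"
        return ip.split(":")[0]
    return ip

def triage(csv_text):
    """Summarise an export: operation counts, client IP counts, watchlist hits."""
    ops, ips, hits = Counter(), Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = (row.get("Operations") or "").strip()
        ops[op] += 1
        ip = client_ip(row.get("AuditData"))
        if ip:
            ips[ip] += 1
        if op in WATCHLIST:
            hits.append((row.get("CreationDate"), op, ip))
    return ops, ips, hits

if __name__ == "__main__":
    ops, ips, hits = triage(SAMPLE_CSV)
    print(ops.most_common(), ips.most_common(), hits, sep="\n")
```

An IP that appears only around the watchlist hits, and nowhere in the user's normal activity, is a good place to start reading the full rows.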

13. Review email apps and change availability

Next up on the list of hardening your environment is disabling unused email apps. What happens a lot of times is the hacker will gain entry into the user's mailbox and then set up an IMAP or a POP connection to the mailbox to send out the spam/phishing emails to everyone else. Assuming your users are using the browser or a modern application (for example, Outlook), we can go ahead and disable those email apps. You can disable the email apps using a conditional access policy, but I didn't want to write a book, so I'm going to show you how to disable it for a user. I'll write another article on conditional access policies that will have that listed, so stay tuned.

Open Exchange admin center > Recipients >