Try this first
- 1First: the suspect user's Microsoft 365 account. Blocks main access to mail and SharePoint.
- 2Second: shared accounts and service accounts that user knew about (website admin, hosting panel, banking).
- 3Third: anything tied to that M365 account via SSO. OAuth tools are revoked when you revoke sessions, but tools with separate logins (HubSpot, Trello, customer portals) are not.
- 4Fourth: that user's personal passwords if they reused them. Ask honestly: 'did you also use this password somewhere personal?'.
- 5Document what you changed and when. Not all verbal. A breach incident can echo for months.
When to bring us in
If you suspect the attacker is already inside another account: not just rotate passwords. You also need to revoke sessions and investigate. We help with the order of operations.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.