Address compromised user accounts with automated investigation and response

Microsoft Defender for Office 365 Plan 2 includes powerful automated investigation and response (AIR) capabilities. Such capabilities can save your security operations team a lot of time and effort dealing with threats. Microsoft continues to improve security capabilities. Recently, AIR capabilities were enhanced to include a compromised user security playbook (currently in preview). Read this article to learn more about the compromised user security playbook. And see the blog post Speed up time to detect and respond to user compromise and limit breach scope with Microsoft Defender for Office 365 for additional details.

Automated investigation for a compromised user.

The compromised user security playbook enables your organization's security team to:

  • Speed up detection of compromised user accounts;
  • Limit the scope of a breach when an account is compromised; and
  • Respond to compromised users more effectively and efficiently.

Compromised user alerts

When a user account is compromised, atypical or anomalous behaviors occur. For example, phishing and spam messages might be sent internally from a trusted user account. Defender for Office 365 can detect such anomalies in email patterns and collaboration activity within Office 365. When this happens, alerts are triggered, and the threat mitigation process begins.

For example, here's an alert that was triggered because of suspicious email sending:

Alert triggered because of suspicious email sending.

And here's an example of an alert that was triggered when a sending limit was reached for a user:

Alert triggered by sending limit reached.

Investigate and respond to a compromised user

When a user account is compromised, alerts are triggered. And in some cases, that user account is blocked and prevented from sending any further email messages until the issue is resolved by your organization's security operations team. In other cases, an automated investigation begins which can result in recommended actions that your security team should take.


You must have appropriate permissions to perform the following tasks. See Required permissions to use AIR capabilities.

View and investigate restricted users

You have a few options for navigating to a list of restricted users. For example, in the Microsoft 365 Defender portal, you can go to Email & collaboration > Review > Restricted Users. The following procedure describes navigation using the Alerts dashboard, which is a good way to see various kinds of alerts that might have been triggered.

  1. Open the Microsoft 365 Defender portal and go to Incidents & alerts > Alerts. Or, to go directly to the Alerts page, use

  2. On the Alerts page, filter the results by time period and the policy named User restricted from sending email.

    The Alerts page in the Microsoft 365 Defender portal filtered for restricted users.

  3. If you select the entry by clicking on the name, a User restricted from sending email page opens with additional details for you to review. Next to the Manage alert button, click the More options icon, and then select View restricted user details to go to the Restricted users page, where you can release the restricted user.

    The User restricted from sending email page from the Alerts center.
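As an added example that is not part of the original article, the same review-and-release step can be scripted from Exchange Online PowerShell with the cmdlets behind the Restricted users page. It assumes the ExchangeOnlineManagement module is installed; the sample user, the CSV path and every output property other than SenderAddress are assumptions.

```powershell
# Added example (not from the original article): review and release restricted users
# with Exchange Online PowerShell instead of the portal.
# Assumes the ExchangeOnlineManagement module is installed and the account holds the
# permissions the article references. Property names other than SenderAddress are assumed.

Connect-ExchangeOnline -ShowBanner:$false

function Get-RestrictedUserReport {
    # Lists every account currently restricted from sending and why it was restricted.
    Get-BlockedSenderAddress | Select-Object SenderAddress, Reason, CreatedDatetime
}

function Unblock-RestrictedUser {
    # Releases one restricted user only after the analyst records the remediation
    # performed (password reset, MFA re-registration, session revocation, and so on).
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $RemediationNote
    )

    $blocked = Get-BlockedSenderAddress | Where-Object { $_.SenderAddress -eq $UserPrincipalName }
    if (-not $blocked) {
        Write-Warning "$UserPrincipalName is not on the restricted users list; nothing to release."
        return
    }

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Release restricted sender')) {
        Remove-BlockedSenderAddress -SenderAddress $UserPrincipalName
        # Keep an audit trail of the release together with the analyst's justification
        # (assumed path; adjust to your case-management process).
        [pscustomobject]@{
            Timestamp       = (Get-Date).ToString('o')
            SenderAddress   = $UserPrincipalName
            ReleasedBy      = $env:USERNAME
            RemediationNote = $RemediationNote
        } | Export-Csv -Path '.\restricted-user-releases.csv' -Append -NoTypeInformation
    }
}

# Review first; run the release with -WhatIf to preview it, then without -WhatIf to act.
Get-RestrictedUserReport | Format-Table -AutoSize
Unblock-RestrictedUser -UserPrincipalName 'user@contoso.example' `
    -RemediationNote 'Ticket PLACEHOLDER: password reset, MFA re-enrolled, sessions revoked' -WhatIf
```

Releasing the user only re-enables sending; the automated investigation and any pending actions still need to be reviewed as described in the next section.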

View details about automated investigations

When an automated investigation has begun, you can see its details and results in the Security & Compliance Center. Go to Threat management > Investigations, and then select an investigation to view its details.

To learn more, see View details of an investigation.

Keep the following points in mind

  • Stay on top of your alerts. As you know, the longer a compromise goes undetected, the larger the potential for widespread impact and cost to your organization, customers, and partners. Early detection and timely response are critical to mitigate threats, and especially when a user's account is compromised.

  • Automation assists, but does not replace, your security operations team. Automated investigation and response capabilities can detect a compromised user early on, but your security operations team will likely need to engage and do some investigation and remediation. Need some help with this? See Review and approve actions.

  • Don't rely on a suspicious login alert as your only indicator. When a user account is compromised, it might or might not trigger a suspicious login alert. Sometimes it's the series of activities that occur after an account is compromised that triggers an alert. Want to know more about alerts? See Alert policies.

Next steps