How Do I Know If My Business Has Been Hacked?
Most business compromises aren't discovered immediately. By the time something obviously wrong happens, an attacker may have had access for weeks. DM1 explains the warning signs and what to do if you suspect a breach.
Most Breaches Aren't Obvious
A compromised business account rarely announces itself. Attackers who gain access to a business email or Microsoft 365 account typically move carefully — reading emails, setting up forwarding rules, monitoring for banking credentials or client payment details — without triggering any obvious alert. By the time a business notices something wrong, the attacker may have been present for weeks or months. DM1 explains the warning signs and configures Microsoft 365 to alert you to suspicious activity before it becomes a major incident.
If you suspect your business has been compromised right now — call DM1 on (08) 6202 6012 immediately. Do not change passwords without guidance. Do not alert staff via email. DM1 will walk you through the correct response sequence.
Warning Signs Your Business May Have Been Compromised
These are the indicators DM1 looks for when assessing whether a business account has been accessed by an unauthorised party:
Unexpected Password Reset Emails
A password reset email you didn't request is one of the clearest signs that someone is attempting to access your account — or has already accessed it and is trying to lock you out.
Login Alerts From Unusual Locations
Microsoft 365 can send alerts when your account is accessed from a new location or device. Logins from overseas, from cities you haven't visited, or at times you weren't working are red flags.
Emails You Didn't Send in Your Sent Items
Attackers who gain access to a business email account frequently use it to send phishing emails to your contacts or suppliers. Check your Sent Items — and check your Deleted Items — for emails you don't recognise.
Unexpected Email Forwarding Rules
One of the first things an attacker does after gaining access to a business email account is set up a forwarding rule to send copies of all incoming emails to an external address. These rules sit in your mailbox settings, where you won't see them unless you go looking.
Clients or Suppliers Receiving Suspicious Emails From You
If a client or supplier contacts you to say they received a strange email from your address — especially one involving a payment request or link — your account may have been compromised.
Unexpected Multi-Factor Authentication Requests
If your phone starts receiving MFA approval requests that you didn't initiate, someone has your password and is trying to get past the second factor. Deny the request and call DM1 immediately.
Slow or Unusual Device Behaviour
A business laptop that has slowed significantly, shows unexpected network activity, or displays unfamiliar programs may have malware installed — particularly if it's been accessed outside the office on an unmanaged network.
Unexpected Changes to Your Microsoft 365 Settings
Watch for changes in the Microsoft 365 Admin Centre that you didn't make: new users added to your tenant, admin permissions changed, new applications granted access, or mail flow rules created.
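The forwarding-rule warning sign above can be checked mechanically once a mailbox's inbox rules have been exported. The following is an added example, not DM1's tooling: it flags rules that forward outside the tenant or that delete or bury mail. The field names follow Get-InboxRule output; the domains, folder list and sample records are constructed assumptions.

```python
# Added example: triage exported inbox rules for external forwarding and hiding.
# Field names follow Get-InboxRule output; every record below is constructed.
TENANT_DOMAINS = {"example-firm.com.au"}   # assumption: your accepted domains
# Assumption: folders staff rarely open, so mail moved there goes unnoticed.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "deleted items"}
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

SAMPLE_RULES = [  # constructed sample data, addresses reduced to plain SMTP form
    {"Mailbox": "owner@example-firm.com.au", "Name": "sync", "Enabled": True,
     "ForwardTo": ["collector@mail-relay.example"]},
    {"Mailbox": "owner@example-firm.com.au", "Name": "filter", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "payment"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Mailbox": "accounts@example-firm.com.au", "Name": "Newsletters",
     "Enabled": True, "MoveToFolder": "Newsletters"},
    {"Mailbox": "accounts@example-firm.com.au", "Name": "Copy to manager",
     "Enabled": True, "ForwardTo": ["manager@example-firm.com.au"]},
]

def external_targets(rule, tenant_domains=TENANT_DOMAINS):
    """Return forward/redirect recipients whose domain is outside the tenant."""
    targets = []
    for field in FORWARD_FIELDS:
        for addr in rule.get(field) or []:
            if addr.rsplit("@", 1)[-1].lower() not in tenant_domains:
                targets.append(addr)
    return targets

def triage_rule(rule, tenant_domains=TENANT_DOMAINS):
    """List the reasons a single rule deserves manual review (empty if none)."""
    findings = []
    external = external_targets(rule, tenant_domains)
    if external:
        findings.append("forwards externally: " + ", ".join(external))
    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
    folder = rule.get("MoveToFolder") or ""
    if folder.lower() in HIDING_FOLDERS:
        findings.append("moves mail to rarely read folder: " + folder)
    return findings

def triage(rules, tenant_domains=TENANT_DOMAINS):
    """Return (mailbox, rule name, findings) for every rule that was flagged."""
    flagged = [(r["Mailbox"], r["Name"], triage_rule(r, tenant_domains)) for r in rules]
    return [item for item in flagged if item[2]]

if __name__ == "__main__":
    for mailbox, name, findings in triage(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}: {'; '.join(findings)}")
```

Mailbox-level forwarding (the ForwardingSmtpAddress setting) is stored separately from inbox rules and needs its own check.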
Situations That Indicate Higher Risk
These circumstances increase the likelihood that a Perth business has been or will be targeted:
No multi-factor authentication enforced
If your staff access Microsoft 365 with a username and password only, a single compromised password is all an attacker needs. DM1 finds businesses without MFA enforcement at almost every new client onboarding.
A staff member recently clicked a suspicious link
Phishing links are the most common entry point for business email compromise. If a staff member has clicked a suspicious link in an email, their credentials may have been captured.
A staff member recently left on bad terms
Departing employees with active Microsoft 365 accounts represent a significant access risk. DM1 checks for accounts that should have been deactivated at departure.
You've received a payment redirection request
A supplier or client email asking you to update their bank details — especially if it arrived recently — may indicate their email account has been compromised, with attackers attempting to redirect your payments.
Your business was recently in the news
Businesses that receive media coverage — positive or negative — attract increased attention from opportunistic attackers scanning for exposed systems or conducting targeted phishing campaigns.
Your IT environment changed recently
A recent server migration, domain transfer, or change of IT provider can introduce configuration gaps that leave systems temporarily exposed. DM1 always reviews security posture after any major IT change.
What DM1 Does If You Suspect a Compromise
DM1 follows a structured incident response process for Microsoft 365 business email compromise — working quickly to contain the incident, assess the damage, and restore secure operations.
Contain the compromised account immediately
DM1 resets the affected account password and revokes all active sessions — signing out every device and browser session that currently has access. This stops an attacker in their tracks even if they have the current password.
Audit the Microsoft 365 sign-in log
DM1 reviews the Microsoft 365 sign-in log to determine when the account was first accessed by the attacker, from what location, and what they did during their access window.
Check for forwarding rules and inbox changes
DM1 reviews the compromised account's mailbox settings for unauthorised forwarding rules, inbox rules that move or delete emails, and any changes to reply-to addresses.
Check the Admin Centre for tenant-wide changes
DM1 reviews the Microsoft 365 Admin Centre audit log for any changes made during the access window — new users created, admin permissions granted, applications added, or mail flow rules created.
Assess what data was accessed or exfiltrated
DM1 reviews email access logs to identify which emails were read, forwarded or downloaded during the compromise period. This assessment is important for Privacy Act notification obligations.
Enforce MFA and review all accounts
After containing the incident, DM1 enforces MFA across all accounts in the tenant, reviews all other accounts for similar unauthorised access, and implements Conditional Access policies to prevent recurrence.
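The response sequence above depends on one value: the access window. This added example (not DM1's own code) derives that window from sign-in records and then pulls the tenant changes and mailbox reads that fall inside it. The record layout, the baseline country set, the timestamps and the user are constructed assumptions; the operation names are ones the unified audit log uses and should be checked against your own export.

```python
# Added example: bound the access window from sign-in records, then pull the
# audit events inside it. Records and field names are constructed, not a real export.
from datetime import datetime, timezone

BASELINE_COUNTRIES = {"AU"}   # assumption: where this user normally signs in
CHANGE_OPS = {"New-InboxRule", "Set-InboxRule", "New-TransportRule",
              "Add user.", "Add member to role.", "Consent to application."}
DATA_OPS = {"MailItemsAccessed"}

def ts(text):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

USER = "owner@example-firm.com.au"           # constructed
CONTAINED_AT = ts("2024-03-20T04:00:00")     # when sessions were revoked
SIGN_INS = [  # "XX" is a placeholder country code
    {"user": USER, "time": ts("2024-03-01T00:12:00"), "country": "AU", "success": True},
    {"user": USER, "time": ts("2024-03-04T18:40:00"), "country": "XX", "success": False},
    {"user": USER, "time": ts("2024-03-04T18:47:00"), "country": "XX", "success": True},
    {"user": USER, "time": ts("2024-03-05T01:05:00"), "country": "AU", "success": True},
]
AUDIT = [
    {"user": USER, "time": ts("2024-03-02T03:00:00"), "operation": "New-InboxRule"},
    {"user": USER, "time": ts("2024-03-04T18:55:00"), "operation": "New-InboxRule"},
    {"user": USER, "time": ts("2024-03-06T02:10:00"), "operation": "Add user."},
    {"user": USER, "time": ts("2024-03-06T02:15:00"), "operation": "MailItemsAccessed"},
]

def access_window(sign_ins, user, contained_at, baseline=BASELINE_COUNTRIES):
    """Window from first successful out-of-baseline sign-in to containment."""
    hits = [s["time"] for s in sign_ins
            if s["user"] == user and s["success"] and s["country"] not in baseline]
    return (min(hits), contained_at) if hits else None

def events_in_window(audit, user, window, operations):
    """Audit events by this user, of the given operations, inside the window."""
    start, end = window
    return sorted((e for e in audit
                   if e["user"] == user and e["operation"] in operations
                   and start <= e["time"] <= end), key=lambda e: e["time"])

if __name__ == "__main__":
    window = access_window(SIGN_INS, USER, CONTAINED_AT)
    print("access window:", window[0].isoformat(), "to", window[1].isoformat())
    for e in events_in_window(AUDIT, USER, window, CHANGE_OPS | DATA_OPS):
        print(e["time"].isoformat(), e["operation"])
```

A country baseline is only a starting point: staff travel and VPN use will show up as out-of-baseline, and a sign-in relayed through an in-country address will not, so the earliest hit should be confirmed against device and IP details before it is treated as the start of the window.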
What DM1 Found When New Clients Came On Board
These are real situations discovered during DM1 new client onboarding. Business names are not used.
DISCOVERED DURING DM1 NEW CLIENT ONBOARDING
Professional Services Firm — Perth CBD
The problem: A new client engaged DM1 after noticing their Microsoft 365 subscription was being billed for two additional user accounts they didn't recognise. They assumed it was a Microsoft billing error.
What DM1 found: DM1's audit found the two unknown accounts had been created by an attacker who had gained access to a global admin account four months earlier. The attacker had created the accounts, granted them admin access, and used them to send phishing emails to the firm's client list — 400 recipients. The original compromised account had no MFA and had been accessed from an overseas IP.
The outcome: DM1 deleted the attacker accounts, revoked the compromised admin account, reset all passwords, enforced MFA across the tenant, and reviewed the Microsoft 365 audit log to determine the full scope of the access. The firm notified affected clients. DM1 produced a written incident summary for the firm's records.
DISCOVERED DURING DM1 NEW CLIENT ONBOARDING
Retail Business — Perth Northern Suburbs
The problem: A business owner received a call from their accountant asking about an unusual invoice that had been emailed from the business owner's address, requesting payment to a new bank account. The business owner had not sent the email.
What DM1 found: DM1 found the business owner's Microsoft 365 account had been compromised via a phishing email clicked three weeks earlier. The attacker had set up a forwarding rule to receive copies of all incoming emails, monitored the account for two weeks, then sent a spoofed invoice to the accountant at a moment when a legitimate payment was expected.
The outcome: DM1 contained the account, removed the forwarding rule, reviewed the audit log, and found the attacker had also accessed the account's contacts and calendar. MFA was enforced across all accounts. The fraudulent payment had not been made — the accountant had called to verify first. DM1 provided documentation for the business owner's police report.
Why Perth Businesses Use DM1 for Security Incident Response
✓ Direct Microsoft 365 Admin Centre Access
DM1 manages Microsoft 365 tenants as a CSP partner. In a security incident, DM1 can act immediately in the Admin Centre without waiting for Microsoft support queues.
✓ Structured Incident Response
DM1 follows a defined incident response sequence — contain, assess, remediate, document — rather than an ad hoc approach that risks missing attacker persistence mechanisms.
✓ Privacy Act Notification Guidance
If personal information was accessed during a breach, Perth businesses may have notification obligations under the Privacy Act 1988. DM1 helps you understand what was accessed and documents the incident for your records.
✓ Prevention After the Incident
After resolving an incident, DM1 implements the controls that prevent recurrence — MFA enforcement, Conditional Access, Defender for Business — so the same attack vector can't be used again.
✓ Available When It Matters
Security incidents don't happen at convenient times. DM1 is reachable on (08) 6202 6012 and responds to security incidents as a priority.
If You Suspect a Breach — Call DM1 Now
Don't change passwords without guidance. Don't alert staff via email. Call DM1 on (08) 6202 6012 for immediate incident response support for your Perth Microsoft 365 environment.