M365 Phishing Incident Response

Internal phishing can spread quickly. The priority is containment, identifying affected accounts, then hardening to prevent follow-on compromise.

Typical scenario

• A compromised account sends phishing internally
• Users click, credentials get harvested, more accounts get hit
• Attackers add forwarding/rules to stay hidden and persist

Response actions

• Containment: stop spread and reduce ongoing risk
• Identify affected users and suspicious access patterns
• Mailbox cleanup and basic tenant hardening
• Improve visibility: audit/alerting checks so you’re not blind next time
• Clear summary + next steps