M365 Phishing
Incident Response
Internal phishing spreads fast. The priority is containment, identifying affected accounts, then hardening to prevent follow-on compromise.
Typical scenario
- A compromised account sends phishing internally
- Users click and credentials get harvested
- Attacker adds forwarding and rules to persist silently
- Scope widens before anyone notices
Response actions
- Containment: stop spread and reduce ongoing risk
- Identify affected users and suspicious access
- Mailbox cleanup and rule removal
- Tenant hardening to close the entry point
- Clear summary and documented next steps
Immediate response
What to do if your organisation is hit by a phishing attack
If a phishing email has been sent from or to accounts in your Microsoft 365 tenant, acting quickly can stop harvested credentials from being used and limit how far the attack spreads.
- Identify the sending account and revoke its active sessions immediately.
- Check which users received or clicked the phishing message using Microsoft Defender.
- Review sign-in logs for any accounts that may have had credentials harvested.
- Remove malicious inbox rules and any forwarding added by the attacker.
- Reset passwords and enforce MFA on any accounts that interacted with the phishing email.
If multiple accounts are affected or the attacker has been active for more than a few hours, a full tenant investigation is likely required to confirm the scope and remove all persistence.
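The five steps above, carried out for one compromised account, as an added PowerShell example (not code from the original page). It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the operator holds roles allowed to run these cmdlets; $Upn and $NewPassword are placeholders the responder supplies. The "who clicked" check in Microsoft Defender and the MFA enforcement via Conditional Access are portal tasks and are not scripted here; the script instead exports the sender's message trace so those recipients can be checked.

```powershell
<#
  Added example, not from the original page: first-hour containment for one
  compromised Microsoft 365 account, following the immediate-response steps.
  Assumes ExchangeOnlineManagement and Microsoft.Graph modules are installed and
  the operator holds roles permitted to run these cmdlets.
#>
param(
    [Parameter(Mandatory)] [string] $Upn,          # compromised account (placeholder value)
    [Parameter(Mandatory)] [string] $NewPassword,  # temporary password handed over out-of-band
    [int] $LookbackDays = 7                        # Get-MessageTrace only covers the last 10 days
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All" -NoWelcome

# 1. Revoke refresh tokens so every existing session must re-authenticate.
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
Write-Host "[1] Sessions revoked for $Upn"

# 2. Who received mail from this account? The recipient list feeds the
#    "who clicked" check in Defender and the password-reset list at the end.
$now  = Get-Date
$sent = Get-MessageTrace -SenderAddress $Upn -StartDate $now.AddDays(-$LookbackDays) -EndDate $now |
        Select-Object Received, RecipientAddress, Subject, Status
$sent | Export-Csv -Path ".\sent-by-$($Upn).csv" -NoTypeInformation
Write-Host "[2] $($sent.Count) messages sent by $Upn in the last $LookbackDays days (see CSV)"

# 3. Sign-in review: one line per sign-in with IP, country and client, so that
#    unfamiliar locations or legacy/non-interactive clients stand out.
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 200
$signIns |
    Sort-Object CreatedDateTime |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        ClientAppUsed, AppDisplayName,
        @{ n = 'Result'; e = { if ($_.Status.ErrorCode -eq 0) { 'Success' } else { "Failed ($($_.Status.ErrorCode))" } } } |
    Format-Table -AutoSize
Write-Host "[3] Reviewed $($signIns.Count) sign-ins; compare against the user's known locations and devices"

# 4. Inbox rules: remove anything that forwards, redirects or deletes mail;
#    rules that only move mail to a folder are listed for manual review.
foreach ($rule in Get-InboxRule -Mailbox $Upn) {
    $exfil = $rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo -or $rule.DeleteMessage
    if ($exfil) {
        Write-Host "[4] Removing rule '$($rule.Name)': $($rule.Description)"
        Remove-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false
    } elseif ($rule.MoveToFolder) {
        Write-Host "[4] REVIEW rule '$($rule.Name)' moves mail to '$($rule.MoveToFolder)'"
    }
}

# 5. Mailbox-level forwarding (set outside inbox rules) is a second persistence channel.
$mbx = Get-Mailbox -Identity $Upn
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Host "[5] Clearing forwarding to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
    Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

# 6. Reset the password and force a change at next sign-in. MFA enforcement is a
#    Conditional Access policy change made in the portal, not scripted here.
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $NewPassword; ForceChangePasswordNextSignIn = $true }
Write-Host "[6] Password reset for $Upn; repeat steps 4-6 for each recipient who entered credentials"
```

Run it once per compromised sender, then work through the exported recipient CSV: every recipient who submitted credentials on the phishing page gets the same rule, forwarding and password treatment. Keep the printed output and the CSV as part of the incident record; the sign-in table in step 3 is what you will need when deciding whether the scope justifies the full tenant investigation mentioned above.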