Phishing Containment: Block, Quarantine, Purge


Execute phishing containment by blocking the sender, quarantining/purging delivered emails from all recipient mailboxes, and blocking malicious URLs and domains across security controls.

Actions

  1. Block the sender domain/address at the email gateway: add to Proofpoint/Mimecast blocklist, or create an Exchange Online transport rule to reject messages from the sender
  2. Purge the phishing email from all recipient mailboxes using M365 Compliance Content Search and Purge action: use SoftDelete to preserve in recoverable items, or HardDelete if no evidence hold is needed
  3. Block the phishing URL(s) and domain(s) at the web proxy, firewall, and DNS: add to proxy blocklist, create firewall deny rules, and sinkhole the domain in DNS
  4. If attachments were malicious, block the file hash across EDR fleet: add SHA256 to CrowdStrike custom IOC, Defender custom indicators, or SentinelOne blacklist
  5. Reset credentials for all users who clicked the phishing URL or opened the malicious attachment: force password change and revoke all active sessions
  6. Isolate endpoints of users who interacted with the phishing email for forensic investigation: use EDR network isolation to contain while preserving evidence

Queries

# PowerShell -- Purge phishing emails from all mailboxes
# Requires Security & Compliance PowerShell (Connect-IPPSSession)
$SearchName = "PhishPurge-$(Get-Date -Format yyyyMMdd)"
# Step 1: Create and run content search (outer single quotes keep the inner double quotes around the subject literal)
New-ComplianceSearch -Name $SearchName -ExchangeLocation All `
  -ContentMatchQuery 'from:<SENDER> AND subject:"<SUBJECT>" AND received>=<DATE>'
Start-ComplianceSearch -Identity $SearchName
# Step 2: Wait for the search to complete; a purge action on an unfinished search misses mailboxes
while ((Get-ComplianceSearch -Identity $SearchName).Status -ne "Completed") { Start-Sleep -Seconds 30 }
# Step 3: Execute purge (SoftDelete keeps copies in Recoverable Items; HardDelete only if no evidence hold is needed)
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType SoftDelete
# PowerShell -- Block sender via transport rule
# Requires Exchange Online PowerShell (Connect-ExchangeOnline)
New-TransportRule -Name "Block Phishing Sender $(Get-Date -Format yyyyMMdd)" `
  -SenderAddressLocation HeaderOrEnvelope `
  -From "<PHISHING_SENDER>" `
  -DeleteMessage $true `
  -StopRuleProcessing $true
// KQL -- Verify purge effectiveness: check for remaining copies (Defender for Office 365 advanced hunting)
EmailEvents
| where SenderFromAddress == "<PHISHING_SENDER>"
| where Subject has "<PHISH_SUBJECT>"
| where Timestamp > ago(7d)
| where DeliveryAction == "Delivered"
| where LatestDeliveryAction != "Moved to junk" and LatestDeliveryAction != "Removed"
| project Timestamp, RecipientEmailAddress, DeliveryAction, LatestDeliveryAction

Notes

  • Purge before block: if you block the sender first, the existing delivered emails remain in inboxes. Purge the delivered emails first, then block future delivery
  • SoftDelete preserves emails in Recoverable Items for legal holds; HardDelete permanently removes them
  • Credential resets for users who clicked must include session revocation -- password reset alone does not invalidate existing OAuth tokens
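Step 5 of the Actions list and the last note above, as an added PowerShell example that is not part of the original playbook: it uses the Microsoft Graph PowerShell module (assumed installed, with the scope and admin role noted in the comments) to rotate each affected user's password and then revoke their sign-in sessions, so existing refresh tokens stop working. The user list and case ID are constructed placeholders.

```powershell
# Added example (not part of the original playbook): step 5 -- force a password change AND
# revoke sign-in sessions for every user who clicked the URL or opened the attachment.
# Assumes the Microsoft.Graph PowerShell module and a caller holding the User.ReadWrite.All
# scope plus an Entra role permitted to reset passwords (e.g. User Administrator).
Connect-MgGraph -Scopes "User.ReadWrite.All"

function Invoke-PhishCredentialReset {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalNames,
        [string] $CaseId = "PHISH-<CASE_ID>"   # placeholder; take from the incident ticket
    )
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    foreach ($upn in $UserPrincipalNames) {
        $record = [ordered]@{ CaseId = $CaseId; User = $upn
                              Timestamp = (Get-Date).ToUniversalTime().ToString("o") }
        try {
            $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName -ErrorAction Stop

            # 1. Replace the (possibly phished) password with a random temporary value and
            #    require a change at next sign-in. The temporary password is deliberately
            #    not logged; the service desk hands it over out of band or the user uses SSPR.
            $bytes = [byte[]]::new(24)
            $rng.GetBytes($bytes)
            $tempPassword = [Convert]::ToBase64String($bytes)
            Update-MgUser -UserId $user.Id -PasswordProfile @{
                Password                      = $tempPassword
                ForceChangePasswordNextSignIn = $true
            } -ErrorAction Stop
            $record.PasswordReset = $true

            # 2. Revoke refresh tokens and browser sessions. Without this the attacker's
            #    existing OAuth tokens keep working (the note above); access tokens already
            #    issued still live until their own expiry, typically about an hour.
            Revoke-MgUserSignInSession -UserId $user.Id -ErrorAction Stop | Out-Null
            $record.SessionsRevoked = $true
            $record.Status = "Contained"
        }
        catch {
            $record.Status = "Failed: $($_.Exception.Message)"   # flag for manual follow-up
        }
        [pscustomobject]$record
    }
}

# Constructed placeholder list; in practice build it from UrlClickEvents / the EDR timeline.
$ClickedUsers = @("alice@<TENANT_DOMAIN>", "bob@<TENANT_DOMAIN>")
Invoke-PhishCredentialReset -UserPrincipalNames $ClickedUsers | Format-Table -AutoSize
```

The per-user records it emits (case ID, UTC timestamp, reset and revocation status) are the evidence trail for the containment step; any "Failed" row needs a manual reset before the user is considered contained.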