Phishing Containment: Block, Quarantine, Purge
Execute phishing containment by blocking the sender, quarantining/purging delivered emails from all recipient mailboxes, and blocking malicious URLs and domains across security controls.
Actions
1. Block the sender domain/address at the email gateway: add it to the Proofpoint/Mimecast blocklist, or in Exchange Online add it to the Tenant Allow/Block List or create a mail flow (transport) rule that rejects or silently drops messages from the sender
2. Purge the phishing email from all recipient mailboxes with a Microsoft Purview (M365 Compliance) Content Search and its Purge action: use SoftDelete to keep the items in Recoverable Items, or HardDelete if no evidence hold is needed. A single purge action removes at most 10 items per mailbox, so re-run the search and purge until it returns nothing
3. Block the phishing URL(s) and domain(s) at the web proxy, firewall, and DNS: add them to the proxy blocklist, create firewall deny rules, and sinkhole the domain in DNS
4. If attachments were malicious, block the file hash across the EDR fleet: add the SHA256 as a CrowdStrike custom IOC, a Defender for Endpoint custom indicator, or a SentinelOne blocklist entry
5. Reset credentials for every user who clicked the phishing URL or opened the malicious attachment: force a password change and revoke all active sessions and refresh tokens
6. Isolate the endpoints of users who interacted with the phishing email for forensic investigation: use EDR network isolation, which contains the host while preserving volatile evidence
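The following script works steps 1 and 2 end to end. It is an added example, not part of the original playbook: it blocks the sender in the Tenant Allow/Block List, runs a content search over all mailboxes, purges, and re-runs the search between rounds because one purge action removes at most 10 items per mailbox. It assumes the ExchangeOnlineManagement module, an operator holding the Search And Purge (eDiscovery Manager) and Security Administrator roles, and analyst-supplied parameter values; the search and action names are this example's own choice.

```powershell
# Added example, not from the original playbook: block the sender, then purge
# every delivered copy, re-running the search between rounds because a single
# purge action removes at most 10 items per mailbox.
# Assumptions: ExchangeOnlineManagement module installed; operator holds the
# Search And Purge (eDiscovery Manager) and Security Administrator roles; the
# parameter values are supplied by the analyst.
param(
    [Parameter(Mandatory)][string]$Sender,                 # full address, or bare domain to block the whole domain
    [Parameter(Mandatory)][string]$Subject,                # subject line of the lure
    [Parameter(Mandatory)][datetime]$ReceivedAfter,
    [ValidateSet('SoftDelete', 'HardDelete')][string]$PurgeType = 'SoftDelete',
    [int]$MaxRounds = 10
)

Connect-ExchangeOnline -ShowBanner:$false   # Tenant Allow/Block List lives in Exchange Online
Connect-IPPSSession                         # content search and purge live in Security & Compliance

# Step 1: stop further delivery right away; the search below takes minutes.
New-TenantAllowBlockListItems -ListType Sender -Block -Entries $Sender -NoExpiration `
    -Notes "Phishing containment, started $(Get-Date -Format o)" | Out-Null

# Step 2: search every mailbox. Single-quoted format string, so the double
# quotes around the subject need no escaping.
$name  = "PhishPurge-$(Get-Date -Format yyyyMMdd-HHmm)"
$query = 'from:{0} AND subject:"{1}" AND received>={2:yyyy-MM-dd}' -f $Sender, $Subject, $ReceivedAfter
New-ComplianceSearch -Name $name -ExchangeLocation All -ContentMatchQuery $query | Out-Null

function Invoke-SearchAndWait([string]$Identity) {
    Start-ComplianceSearch -Identity $Identity
    do {
        Start-Sleep -Seconds 30
        $s = Get-ComplianceSearch -Identity $Identity
    } until ($s.Status -in ('Completed', 'Failed'))
    if ($s.Status -ne 'Completed') { throw "Search $Identity ended in state $($s.Status)" }
    return $s
}

$search   = Invoke-SearchAndWait $name
$round    = 0
$previous = [int64]::MaxValue
# Stop when nothing is left, when a round stops reducing the count (items kept in
# Recoverable Items by a hold keep matching), or at the round cap.
while ($search.Items -gt 0 -and $search.Items -lt $previous -and $round -lt $MaxRounds) {
    $round++
    $previous = $search.Items
    Write-Host "Round ${round}: $previous items matched, purging with $PurgeType"
    New-ComplianceSearchAction -SearchName $name -Purge -PurgeType $PurgeType -Confirm:$false | Out-Null
    $actionName = "${name}_Purge"       # purge actions are always named <SearchName>_Purge
    do {
        Start-Sleep -Seconds 30
        $action = Get-ComplianceSearchAction -Identity $actionName
    } until ($action.Status -in ('Completed', 'Failed'))
    Write-Host $action.Results          # per-mailbox counts: keep this as the purge's audit record
    Remove-ComplianceSearchAction -Identity $actionName -Confirm:$false   # required before the next purge
    $search = Invoke-SearchAndWait $name   # also catches copies delivered before the block took effect
}

if ($search.Items -gt 0) {
    Write-Warning "$($search.Items) items still match after $round round(s); check for mailboxes on hold and inactive mailboxes"
} else {
    Write-Host "No delivered copies of '$Subject' from $Sender remain"
}
```

Save the Results string of each purge action with the ticket: it is the only per-mailbox record of what was removed, and the Queries section's KQL cannot substitute for it because Defender's EmailEvents table is not updated by a Compliance purge.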
Queries
// PowerShell -- Purge phishing emails from all mailboxes (Security & Compliance PowerShell)
Connect-IPPSSession
$name = "PhishPurge-$(Get-Date -f yyyyMMdd)"
# Step 1: Create and run the content search. Single-quoted string, so the double quotes around the subject need no escaping
New-ComplianceSearch -Name $name -ExchangeLocation All `
    -ContentMatchQuery 'from:<SENDER> AND subject:"<SUBJECT>" AND received>=<DATE>'
Start-ComplianceSearch -Identity $name
# Step 2: Wait for the search to complete, then purge. One purge action removes at most 10 items per mailbox: re-run the search and purge until it returns 0 items
while ((Get-ComplianceSearch -Identity $name).Status -ne 'Completed') { Start-Sleep -Seconds 30 }
New-ComplianceSearchAction -SearchName $name -Purge -PurgeType SoftDelete
// PowerShell -- Block sender via mail flow (transport) rule (Exchange Online PowerShell)
Connect-ExchangeOnline
# -From matches a full address; use -SenderDomainIs "<PHISHING_DOMAIN>" to block the whole domain.
# HeaderOrEnvelope matches a spoofed From: header as well as the envelope sender.
# -DeleteMessage drops silently (no bounce back to the attacker); use -RejectMessageReasonText to NDR instead
New-TransportRule -Name "Block Phishing Sender $(Get-Date -f yyyyMMdd)" `
    -SenderAddressLocation HeaderOrEnvelope `
    -From "<PHISHING_SENDER>" `
    -DeleteMessage $true `
    -StopRuleProcessing $true
// KQL -- Delivered copies that ZAP or Defender remediation has not yet moved (Defender XDR Advanced Hunting)
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromAddress =~ "<PHISHING_SENDER>"
| where Subject has "<PHISH_SUBJECT>"
| where DeliveryAction == "Delivered"
| where LatestDeliveryLocation =~ "Inbox/folder"   // still sitting in a mailbox folder as far as Defender knows
| project Timestamp, NetworkMessageId, RecipientEmailAddress, DeliveryLocation, LatestDeliveryLocation, LatestDeliveryAction
// LatestDelivery* is updated by ZAP and by Defender remediation actions; it may not reflect a Compliance content-search purge,
// which is confirmed from the Results of Get-ComplianceSearchAction instead
// SPL -- Delivered copies per recipient in Proofpoint PPS logs
index=email sourcetype=proofpoint:pps sender="<PHISHING_SENDER>" subject="<PHISH_SUBJECT>" action=delivered
| stats count by recipient, action, disposition, msg_id
| sort -count
// SPL -- Successful Windows logons (RDP = 10, network = 3) from the attacker IP
// The parentheses matter: without them SPL reads "Logon_Type=10 OR (Logon_Type=3 AND Source_Network_Address=...)" and returns every RDP logon from any address
index=wineventlog sourcetype=WinEventLog:Security EventCode=4624 (Logon_Type=10 OR Logon_Type=3) Source_Network_Address="<ATTACKER_IP>" earliest=-7d
| stats count by Account_Name, Source_Network_Address, ComputerName, Logon_Type
| sort -count
Notes
Block and purge are not alternatives: blocking the sender stops future delivery but leaves the copies already in mailboxes, and purging removes those copies but does nothing about the next wave. Apply the block as soon as the indicator is confirmed (it takes effect immediately, while a content search takes minutes), purge, then re-run the search to catch copies that arrived before the block took effect
SoftDelete moves messages to the Recoverable Items folder, where they stay available for legal holds and eDiscovery (and are recoverable by the user); HardDelete marks them for permanent removal. A mailbox under Litigation Hold or a retention policy keeps even hard-deleted items in Recoverable Items until the hold lapses, so a re-run search may keep matching them
Credential resets for users who clicked must include session revocation: a password reset on its own does not reliably invalidate what was already issued. Access tokens stay valid until they expire (about an hour by default) and refresh tokens or sessions obtained without the password survive the reset, so revoke sign-in sessions explicitly (Revoke-MgUserSignInSession) and watch the account during the expiry window. Review OAuth application consents and newly registered MFA methods on the same accounts; both are common ways of keeping access after a reset
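Step 5 and the note above in working form, as an added example that is not part of the original playbook: reset the password first, then revoke sessions, so there is no window in which the old password or an old refresh token still works. It assumes PowerShell 7 and the Microsoft.Graph module; the Graph scopes, the sample user list and the password alphabet are this example's assumptions, and the operator must hold a role permitted to reset passwords.

```powershell
# Added example, not from the original playbook: reset passwords and revoke
# sessions for the users who clicked, in the order that leaves no reusable
# credential behind. Assumes PowerShell 7, the Microsoft.Graph module, and an
# operator in a role allowed to reset passwords; the scopes and the user list
# below are assumptions.
param(
    [string[]]$ClickedUsers = @('alice@contoso.example', 'bob@contoso.example')  # constructed sample list
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome

function New-TempPassword([int]$Length = 24) {
    # CSPRNG; GetInt32 picks an index without modulo bias. The alphabet avoids
    # look-alike characters. The user must change the value at next sign-in anyway.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^*'
    $chars = 1..$Length | ForEach-Object {
        $alphabet[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32($alphabet.Length)]
    }
    return -join $chars
}

$results = foreach ($upn in $ClickedUsers) {
    $user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName

    # 1) New password first. If sessions were revoked first, the attacker could
    #    sign in again with the still-valid old password before the reset landed.
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = New-TempPassword
        ForceChangePasswordNextSignIn = $true
    }

    # 2) Revoke sign-in sessions: refresh tokens and session cookies issued before
    #    this call are rejected from now on. Access tokens already issued stay valid
    #    until they expire (about an hour by default), so keep watching the account.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    # 3) Record the floor: every token issued before this timestamp is dead.
    $after = Get-MgUser -UserId $user.Id -Property SignInSessionsValidFromDateTime
    [pscustomobject]@{
        User              = $upn
        SessionsValidFrom = $after.SignInSessionsValidFromDateTime
    }
}
$results | Format-Table -AutoSize
```

Feed -ClickedUsers from the proxy or Defender click telemetry rather than typing the list, and keep the SessionsValidFrom timestamps in the ticket: any sign-in after them from the attacker IP in the logon query above means access was re-established, not merely retained.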