Phishing Remediation: Purge, Reset, Revoke

IR Analyst

Execute comprehensive phishing remediation: remove all remaining phishing emails, reset all compromised credentials, revoke attacker persistence mechanisms, and implement detection rules to prevent recurrence.

Actions

  1. Execute final email purge sweep: re-run Content Search with expanded criteria (additional sender variations, subject variations, URL patterns) to catch any phishing emails that escaped the initial quarantine
  2. Reset passwords and revoke all sessions for every confirmed-compromised account: ensure MFA re-enrollment from a trusted device, not just password change
  3. Remove all attacker-created persistence: delete malicious inbox rules, revoke illicit OAuth consent grants, remove unauthorized MFA methods, and disable any rogue app registrations
  4. Block all identified phishing infrastructure at every control point: email transport rules, proxy/firewall blocklist, DNS sinkhole, and EDR custom IOC block for associated file hashes
  5. Implement detection rules for the specific phishing campaign TTPs: email detection rules for similar sender patterns, SIEM alerts for sign-ins from the attacker infrastructure, and EDR detections for the observed post-compromise behavior
  6. Conduct a sweep for credential reuse: check if compromised passwords were used on other organizational systems (VPN, SSO apps, internal portals) and reset those as well

Queries

# PowerShell -- Final purge sweep with expanded criteria
# Single-quote the Content Search query so the inner double quotes around subjects need no
# escaping (PowerShell does not treat \" as an escape inside a double-quoted string).
$searchName = "PhishFinalSweep-$(Get-Date -Format yyyyMMdd)"
New-ComplianceSearch -Name $searchName -ExchangeLocation All `
  -ContentMatchQuery '(from:<SENDER1> OR from:<SENDER2>) AND (subject:"<SUBJECT1>" OR subject:"<SUBJECT2>") AND received>=<START_DATE>'
Start-ComplianceSearch -Identity $searchName
# Review the hit count (Get-ComplianceSearch $searchName) before purging, then:
# New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete
# PowerShell -- Remove attacker persistence from all compromised accounts
# (AzureAD module cmdlets; the module is deprecated in favour of Microsoft Graph PowerShell, but the steps are the same)
$compromised = @("<USER1>","<USER2>","<USER3>")
foreach ($user in $compromised) {
  # Remove inbox rules that forward, redirect or silently delete mail
  Get-InboxRule -Mailbox $user |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Remove-InboxRule -Confirm:$false
  # Revoke OAuth grants the user consented to; illicit consent survives a password reset
  Get-AzureADUserOAuth2PermissionGrant -ObjectId $user |
    Where-Object { $_.ConsentType -eq "Principal" } |
    ForEach-Object { Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId }
  # Actually change the password: a force-change flag alone leaves the attacker-known password
  # valid until the next interactive login. Then revoke every refresh token to kill live sessions.
  $bytes = New-Object byte[] 24
  [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
  $tempPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
  Set-AzureADUserPassword -ObjectId $user -Password $tempPassword -ForceChangePasswordNextLogin $true
  Revoke-AzureADUserAllRefreshToken -ObjectId $user
  Write-Host "Remediated: $user"
}
// KQL -- Post-remediation monitoring rule
let blocked_infra = dynamic(["<C2_IP1>","<C2_IP2>","<PHISH_DOMAIN>"]);
let compromised_users = dynamic(["<USER1>","<USER2>"]);
union SigninLogs, DeviceNetworkEvents, OfficeActivity
| where TimeGenerated > ago(24h)
// Column names differ per table; coalesce them so the match and the output are uniform
| extend SrcIP = coalesce(IPAddress, RemoteIP, ClientIP),
         Account = coalesce(UserPrincipalName, UserId, InitiatingProcessAccountUpn),
         Operation = coalesce(OperationName, Operation, ActionType)
// RemoteUrl is the column where <PHISH_DOMAIN> can actually match; the IP columns never will
| where SrcIP in (blocked_infra) or RemoteUrl in (blocked_infra) or Account in~ (compromised_users)
| project TimeGenerated, Type, Account, SrcIP, Operation

Notes

  • Remediation must be coordinated: reset all credentials and remove all persistence simultaneously to prevent the attacker from using one remaining foothold to re-establish others
  • After remediation, monitor compromised accounts closely for 30 days: any sign-in from new/unusual locations may indicate the attacker retained access through a mechanism that was missed
  • Consider requiring hardware security key MFA for previously compromised accounts to prevent credential-based re-compromise
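The monitoring rule in the Queries section and the 30-day watch from the Notes can be exercised offline against exported sign-in records. The following is an added example, not code from the playbook: it parses constructed SigninLogs-shaped JSON lines, flags any sign-in from blocked infrastructure (the KQL rule's first clause) and any successful sign-in by a remediated account from a country outside an assumed per-user baseline during the 30-day window. The infrastructure addresses, user names, baseline countries and remediation timestamp are all placeholders standing in for the page's <C2_IP1>, <PHISH_DOMAIN> and <USER1>/<USER2> values.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed placeholders standing in for the playbook's <C2_IP1>, <C2_IP2>,
# <PHISH_DOMAIN>-resolved addresses and <USER1>/<USER2>; RFC 5737 test ranges only.
BLOCKED_INFRA = [ip_network(n) for n in ("198.51.100.23/32", "203.0.113.0/24")]
COMPROMISED_USERS = {"user1@example.test", "user2@example.test"}
# Assumed per-user baseline: countries each remediated user normally signs in from.
BASELINE_COUNTRIES = {"user1@example.test": {"US"}, "user2@example.test": {"US", "CA"}}
WATCH_WINDOW = timedelta(days=30)  # the 30-day close-monitoring period from the Notes
REMEDIATED_AT = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp

# Constructed SigninLogs-shaped records (JSON lines); none of this is real telemetry.
SAMPLE_LOG_LINES = [
    '{"TimeGenerated":"2024-06-01T10:00:00Z","UserPrincipalName":"user1@example.test","IPAddress":"198.51.100.23","LocationDetails":{"countryOrRegion":"US"},"ResultType":"0"}',
    '{"TimeGenerated":"2024-06-02T08:15:00Z","UserPrincipalName":"user2@example.test","IPAddress":"203.0.113.7","LocationDetails":{"countryOrRegion":"CA"},"ResultType":"0"}',
    '{"TimeGenerated":"2024-06-03T12:00:00Z","UserPrincipalName":"user1@example.test","IPAddress":"192.0.2.10","LocationDetails":{"countryOrRegion":"US"},"ResultType":"0"}',
    '{"TimeGenerated":"2024-06-05T03:40:00Z","UserPrincipalName":"user1@example.test","IPAddress":"192.0.2.11","LocationDetails":{"countryOrRegion":"DE"},"ResultType":"0"}',
    '{"TimeGenerated":"2024-06-05T04:00:00Z","UserPrincipalName":"user3@example.test","IPAddress":"192.0.2.12","LocationDetails":{"countryOrRegion":"DE"},"ResultType":"0"}',
    '{"TimeGenerated":"2024-06-04T22:10:00Z","UserPrincipalName":"user2@example.test","IPAddress":"192.0.2.14","LocationDetails":{"countryOrRegion":"BR"},"ResultType":"50126"}',
    '{"TimeGenerated":"2024-07-15T09:00:00Z","UserPrincipalName":"user2@example.test","IPAddress":"192.0.2.13","LocationDetails":{"countryOrRegion":"BR"},"ResultType":"0"}',
]


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    ip: str
    country: str
    success: bool


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    ip: str
    reason: str


def parse_signin(line: str) -> SignIn:
    """Parse one SigninLogs-shaped JSON record; ResultType "0" means success."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))
    return SignIn(
        ts=ts,
        user=rec.get("UserPrincipalName", "").lower(),
        ip=rec.get("IPAddress", ""),
        country=rec.get("LocationDetails", {}).get("countryOrRegion", "??"),
        success=rec.get("ResultType") == "0",
    )


def ip_is_blocked(ip: str) -> bool:
    """True if the address falls inside any blocked IP or CIDR; unparsable input is not blocked."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_INFRA)


def monitor(lines, remediated_at: datetime = REMEDIATED_AT) -> list:
    """Return alerts mirroring the KQL rule plus the 30-day new-location check."""
    alerts = []
    window_end = remediated_at + WATCH_WINDOW
    for line in lines:
        e = parse_signin(line)
        # Rule 1: any contact with blocked phishing/C2 infrastructure, whoever the user is.
        if ip_is_blocked(e.ip):
            alerts.append(Alert(e.ts, e.user, e.ip, "sign-in from blocked phishing infrastructure"))
            continue
        # Rule 2: a remediated account succeeding from a country outside its baseline
        # during the watch window suggests a persistence mechanism was missed.
        in_window = remediated_at <= e.ts <= window_end
        if (e.user in COMPROMISED_USERS and in_window and e.success
                and e.country not in BASELINE_COUNTRIES.get(e.user, set())):
            alerts.append(Alert(e.ts, e.user, e.ip, f"post-remediation sign-in from new country {e.country}"))
    return alerts


if __name__ == "__main__":
    for a in monitor(SAMPLE_LOG_LINES):
        print(f"{a.ts.isoformat()} {a.user} {a.ip}: {a.reason}")
```

Of the seven constructed records, three raise alerts: the two that touch blocked infrastructure and the successful sign-in by a remediated user from a country outside its baseline within the window. The failed sign-in and the sign-in after the window close are ignored, as is the unrelated user; in production the baseline would come from 90 days of pre-incident sign-in history rather than a hard-coded dictionary.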