Phishing Remediation: Purge, Reset, Revoke
Execute comprehensive phishing remediation: remove all remaining phishing emails, reset all compromised credentials, revoke attacker persistence mechanisms, and implement detection rules to prevent recurrence.
Actions
1. Execute final email purge sweep: re-run Content Search with expanded criteria (additional sender variations, subject variations, URL patterns) to catch any phishing emails that escaped the initial quarantine
2. Reset passwords and revoke all sessions for every confirmed-compromised account: ensure MFA re-enrollment from a trusted device, not just password change
3. Remove all attacker-created persistence: delete malicious inbox rules, revoke illicit OAuth consent grants, remove unauthorized MFA methods, and disable any rogue app registrations
4. Block all identified phishing infrastructure at every control point: email transport rules, proxy/firewall blocklist, DNS sinkhole, and EDR custom IOC block for associated file hashes
5. Implement detection rules for the specific phishing campaign TTPs: email detection rules for similar sender patterns, SIEM alerts for sign-ins from the attacker infrastructure, and EDR detections for the observed post-compromise behavior
6. Conduct a sweep for credential reuse: check if compromised passwords were used on other organizational systems (VPN, SSO apps, internal portals) and reset those as well
Queries
// PowerShell -- Final purge sweep with expanded criteria
# The search name is computed once so the Start call targets the same search.
# Single quotes keep the inner double quotes of the Keyword Query Language string intact
# (inside a double-quoted PowerShell string, \" does not escape the quote).
$sweepName = "PhishFinalSweep-$(Get-Date -Format yyyyMMdd)"
New-ComplianceSearch -Name $sweepName -ExchangeLocation All `
    -ContentMatchQuery '(from:<SENDER1> OR from:<SENDER2>) AND (subject:"<SUBJECT1>" OR subject:"<SUBJECT2>") AND received>=<START_DATE>'
Start-ComplianceSearch -Identity $sweepName
# Review the hits, then purge with: New-ComplianceSearchAction -SearchName $sweepName -Purge -PurgeType SoftDelete
// PowerShell -- Remove attacker persistence from all compromised accounts
# Note: the AzureAD module is deprecated in favour of Microsoft Graph PowerShell; the cmdlets
# below still illustrate the required steps.
$compromised = @("<USER1>","<USER2>","<USER3>")
foreach ($user in $compromised) {
    # Remove inbox rules that forward, redirect or delete mail (review the list first where time allows)
    Get-InboxRule -Mailbox $user |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Remove-InboxRule -Confirm:$false
    # Revoke OAuth grants the user consented to (ConsentType "Principal" = user consent, not admin consent)
    Get-AzureADUserOAuth2PermissionGrant -ObjectId $user |
        Where-Object { $_.ConsentType -eq "Principal" } |
        ForEach-Object { Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId }
    # Force a password change at next sign-in and invalidate every refresh token / session.
    # Pair this with an immediate reset (Set-AzureADUserPassword) when the account must be locked out now;
    # MFA re-enrollment from a trusted device is a separate step (Action 2).
    Set-AzureADUser -ObjectId $user -PasswordProfile @{ ForceChangePasswordNextLogin = $true }
    Revoke-AzureADUserAllRefreshToken -ObjectId $user
    Write-Host "Remediated: $user"
}

// Splunk -- Verify phishing email purge completeness (anything not blocked still needs purging)
index=email sourcetype=proofpoint:pps (sender="<SENDER1>" OR sender="<SENDER2>") (subject="<SUBJECT1>" OR subject="<SUBJECT2>")
| stats count by recipient, action, disposition
| search action!="blocked"
| sort -count
// Splunk -- Post-remediation persistence check (new rules or consent grants on remediated accounts)
index=o365 sourcetype=o365:management:activity UserId IN ("<USER1>","<USER2>","<USER3>") (Operation="Set-InboxRule" OR Operation="New-InboxRule" OR Operation="Add OAuth2PermissionGrant") earliest=-7d
| stats count by UserId, Operation, ClientIP
| sort -count

// KQL -- Post-remediation monitoring rule
let blocked_infra = dynamic(["<C2_IP1>","<C2_IP2>","<PHISH_DOMAIN>"]);
let compromised_users = dynamic(["<USER1>","<USER2>"]);
union SigninLogs, DeviceNetworkEvents, OfficeActivity
| where TimeGenerated > ago(24h)
// Each table names the source IP and user differently; match on all of them.
// OfficeActivity ClientIP may carry a :port suffix in some records; strip it before comparing if hits are missing.
| where (IPAddress in (blocked_infra) or RemoteIP in (blocked_infra) or ClientIP in (blocked_infra))
    or (UserPrincipalName in (compromised_users) or UserId in (compromised_users))
// Fold the per-table columns into one user / IP / operation column so the output is readable
| project TimeGenerated, Type,
    User = coalesce(UserPrincipalName, UserId),
    SourceIP = coalesce(IPAddress, RemoteIP, ClientIP),
    Operation = coalesce(OperationName, Operation)

Notes
Remediation must be coordinated: reset all credentials and remove all persistence simultaneously to prevent the attacker from using one remaining foothold to re-establish others
After remediation, monitor compromised accounts closely for 30 days: any sign-in from new/unusual locations may indicate the attacker retained access through a mechanism that was missed
Consider requiring hardware security key MFA for previously compromised accounts to prevent credential-based re-compromise
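The note on 30-day monitoring and Action 5 (SIEM alerts for sign-ins from the attacker infrastructure) describe a rule that the KQL above only partly covers: it matches blocked infrastructure, but not "new or unusual location" for a remediated account. The following added example (not part of this playbook) prototypes that logic over constructed sign-in records with Entra ID SigninLogs-style field names. It builds a per-user baseline of IPs and countries from successful sign-ins before the compromise started, excluding known attacker IPs, then flags any contact with blocked infrastructure and any successful sign-in by a remediated account from outside its baseline during the watch window. The users, IPs, dates, BLOCKED_INFRA and COMPROMISED_USERS values are placeholders.

```python
# Added example (not part of the original playbook): post-remediation sign-in monitoring.
# Records use Entra ID SigninLogs-style field names; the users, IPs, dates and log lines are
# constructed placeholders, as are the BLOCKED_INFRA and COMPROMISED_USERS lists.
import json
from datetime import datetime, timedelta, timezone

BLOCKED_INFRA = {"198.51.100.23", "203.0.113.9"}                 # attacker IPs from the case (placeholders)
COMPROMISED_USERS = {"alice@corp.example", "bob@corp.example"}
COMPROMISE_START = datetime(2024, 5, 1, tzinfo=timezone.utc)      # earliest attacker activity
REMEDIATION_TIME = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
WATCH_WINDOW = timedelta(days=30)

# Constructed sample log: one JSON record per line.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"TimeGenerated": "2024-04-10T08:00:00+00:00", "UserPrincipalName": "alice@corp.example",
     "IPAddress": "192.0.2.10", "Location": "US", "ResultType": "0"},
    {"TimeGenerated": "2024-04-15T09:00:00+00:00", "UserPrincipalName": "bob@corp.example",
     "IPAddress": "192.0.2.11", "Location": "US", "ResultType": "0"},
    {"TimeGenerated": "2024-04-20T08:30:00+00:00", "UserPrincipalName": "alice@corp.example",
     "IPAddress": "192.0.2.10", "Location": "US", "ResultType": "0"},
    {"TimeGenerated": "2024-05-02T03:10:00+00:00", "UserPrincipalName": "alice@corp.example",
     "IPAddress": "198.51.100.23", "Location": "NL", "ResultType": "0"},   # attacker, pre-remediation
    {"TimeGenerated": "2024-05-04T08:05:00+00:00", "UserPrincipalName": "alice@corp.example",
     "IPAddress": "192.0.2.10", "Location": "US", "ResultType": "0"},      # normal
    {"TimeGenerated": "2024-05-05T02:40:00+00:00", "UserPrincipalName": "alice@corp.example",
     "IPAddress": "203.0.113.9", "Location": "NL", "ResultType": "0"},     # retained access
    {"TimeGenerated": "2024-05-06T07:15:00+00:00", "UserPrincipalName": "bob@corp.example",
     "IPAddress": "192.0.2.55", "Location": "DE", "ResultType": "0"},      # new location
    {"TimeGenerated": "2024-05-06T07:20:00+00:00", "UserPrincipalName": "bob@corp.example",
     "IPAddress": "192.0.2.55", "Location": "DE", "ResultType": "50126"},  # failed attempt
    {"TimeGenerated": "2024-05-07T11:00:00+00:00", "UserPrincipalName": "carol@corp.example",
     "IPAddress": "198.51.100.23", "Location": "US", "ResultType": "0"},   # infra reuse against another user
    {"TimeGenerated": "2024-06-10T07:00:00+00:00", "UserPrincipalName": "bob@corp.example",
     "IPAddress": "192.0.2.55", "Location": "DE", "ResultType": "0"},      # outside the watch window
])


def parse_signins(text):
    """Parse JSON-lines sign-in records and sort them chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["TimeGenerated"])
        events.append(rec)
    return sorted(events, key=lambda e: e["time"])


def build_baseline(events, compromise_start=COMPROMISE_START):
    """Known-good IPs and countries per user from successful sign-ins before the compromise."""
    baseline = {}
    for e in events:
        if e["time"] >= compromise_start or e["ResultType"] != "0" or e["IPAddress"] in BLOCKED_INFRA:
            continue
        entry = baseline.setdefault(e["UserPrincipalName"], {"ips": set(), "countries": set()})
        entry["ips"].add(e["IPAddress"])
        entry["countries"].add(e["Location"])
    return baseline


def post_remediation_alerts(events, baseline, remediation_time=REMEDIATION_TIME, window=WATCH_WINDOW):
    """Alerts for the watch window: any contact with blocked infrastructure (any user, any result),
    and for remediated accounts any successful sign-in from an IP or country not in their baseline."""
    alerts = []
    for e in events:
        if not remediation_time < e["time"] <= remediation_time + window:
            continue
        reasons = []
        if e["IPAddress"] in BLOCKED_INFRA:
            reasons.append("source IP is blocked attacker infrastructure")
        user = e["UserPrincipalName"]
        if user in COMPROMISED_USERS and e["ResultType"] == "0":
            seen = baseline.get(user, {"ips": set(), "countries": set()})
            if e["Location"] not in seen["countries"]:
                reasons.append(f"new country for remediated account: {e['Location']}")
            if e["IPAddress"] not in seen["ips"]:
                reasons.append(f"new source IP for remediated account: {e['IPAddress']}")
        if reasons:
            alerts.append({"time": e["TimeGenerated"], "user": user,
                           "ip": e["IPAddress"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    evts = parse_signins(SAMPLE_SIGNINS)
    for a in post_remediation_alerts(evts, build_baseline(evts)):
        print(a["time"], a["user"], a["ip"], "|", "; ".join(a["reasons"]))
```

The baseline deliberately stops at the first attacker activity so the attacker's own sign-ins never become "known good"; the blocked-infrastructure check is applied to every account, not just the remediated ones, because reuse of the same infrastructure against a third user is the strongest sign the campaign is still live.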