Credential Theft

Theft of authentication credentials through brute force, credential stuffing, keylogging, LSASS dumping, or password database compromise.

Triage

4 procedures

Bound the Investigation Timeframe

Identify Patient Zero (First Compromised System)

Phishing Email Triage and Indicator Extraction

Validate the Initial Access Vector

Containment

3 procedures

Credential and Account Lockdown

Revoke Cloud Sessions and Tokens

Phishing Containment: Block, Quarantine, Purge

Sponsored

Preservation

3 procedures

Volatile Memory Capture

Log Preservation and Snapshot

Document Chain of Custody for All Collected Evidence

Collection

6 procedures

Phishing Artifact Collection: Headers, URLs, Attachments

EDR Telemetry Collection

M365 Unified Audit Log Collection

Azure AD Sign-In and Audit Log Collection

Identify Alternative Evidence When Primary Logs Are Missing

Coordinate Log Collection from Third-Party Vendors

Analysis

3 procedures

Lateral Movement Analysis and Mapping

Analyze Evidence of Credential Dumping Techniques

Phishing Campaign Scope and Credential Exposure

Eradication

7 procedures

Remove Malware, Backdoors, and Persistence Mechanisms

Mass Credential Reset and Session Invalidation

Comprehensive Persistence Mechanism Sweep

Eradication Verification Checklist

Phishing Remediation: Purge, Reset, Revoke

Patch Exploited Vulnerabilities to Prevent Re-Compromise

Post-Incident Configuration Hardening

Recovery

2 procedures

Rebuild Compromised Systems from Known-Good Images

Phased Service Restoration with Enhanced Monitoring

Post-Incident Review

3 procedures

Create New Detection Rules Based on Incident Findings

Generate Comprehensive Incident Report

Conduct Lessons Learned Review Session