Phishing Response Quickstart
Time-boxed response path for phishing incidents from initial email analysis through credential remediation. Focuses on rapid IOC extraction, recipient-scope determination, email quarantine, and post-compromise activity analysis across M365 and Azure AD.
First 15 Minutes
Extract all indicators of compromise from the reported phishing email, including sender address and envelope headers (SPF/DKIM/DMARC results), embedded URLs (defanged), attachment hashes (SHA-256), reply-to addresses, and any embedded tracking pixels. Analyze email headers to determine the true sending infrastructure and check URLs against threat-intelligence feeds. This initial IOC set drives every subsequent containment and scoping action.
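As an added example (not part of the DFIR Assist quickstart), the following PowerShell pulls the triage IOCs out of a reported message that was saved as an .eml with full internet headers. The file path and attachment folder in the param block are assumptions; header parsing uses plain regexes rather than a MIME library, so URLs are read from a text or quoted-printable body (a base64-encoded body part would need decoding first), and attachment hashes are taken from files already saved to disk.

```powershell
param(
    [string]$EmlPath       = '.\reported-phish.eml',          # assumed location of the exported message
    [string]$AttachmentDir = '.\reported-phish-attachments'   # assumed folder holding the saved attachments
)

function ConvertTo-Defanged([string]$Url) {
    # Render URLs harmless for tickets and chat: http -> hxxp, dots -> [.]
    return ($Url -replace '^http', 'hxxp') -replace '\.', '[.]'
}

$raw = Get-Content -Path $EmlPath -Raw
# RFC 5322: the header block ends at the first empty line; keep the body separately.
$parts   = $raw -split '(?:\r?\n){2}', 2
$headers = $parts[0] -replace '\r?\n[ \t]+', ' '      # unfold continuation lines
$body    = if ($parts.Count -gt 1) { $parts[1] } else { '' }

# Build a name -> [values] map; headers such as Received repeat, so keep every instance in order.
$hdr = @{}
foreach ($line in ($headers -split '\r?\n')) {
    if ($line -match '^([\w-]+):\s*(.*)$') {
        $name = $Matches[1].ToLowerInvariant()
        if (-not $hdr.ContainsKey($name)) { $hdr[$name] = @() }
        $hdr[$name] += $Matches[2]
    }
}
function Get-Hdr([string]$Name) { if ($hdr.ContainsKey($Name)) { $hdr[$Name] } else { @() } }

# SPF/DKIM/DMARC verdicts come from the Authentication-Results header stamped by our own edge MTA.
# Only the top-most instance is trustworthy; a sender can inject fake ones lower in the chain.
$authResults = Get-Hdr 'authentication-results' | Select-Object -First 1
$verdicts = @{}
foreach ($mech in 'spf', 'dkim', 'dmarc') {
    $verdicts[$mech] = if ($authResults -match "$mech=(\w+)") { $Matches[1] } else { 'absent' }
}

# Received chain: the top header is the hop closest to us, the bottom one is closest to the sender.
# Hops below our own edge can be forged, so record the whole chain rather than a single "true" IP.
$ipRegex = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
$hops = Get-Hdr 'received' | ForEach-Object { [regex]::Matches($_, $ipRegex) | ForEach-Object { $_.Value } }

# URLs: undo quoted-printable soft line breaks and =3D escapes before scanning for links.
$bodyText = ($body -replace '=\r?\n', '') -replace '=3D', '='
$urls = [regex]::Matches($bodyText, 'https?://[^\s<>"'']+') | ForEach-Object { $_.Value } | Sort-Object -Unique

# 1x1 images are the usual tracking-pixel shape; their hosts are IOCs too.
$pixels = [regex]::Matches($bodyText, '<img[^>]*>') | ForEach-Object { $_.Value } |
    Where-Object { $_ -match '(?:width|height)=["'']?1["'']?(?:\s|/|>)' } |
    ForEach-Object { if ($_ -match 'src=["'']?(https?://[^"''\s>]+)') { $Matches[1] } }

$hashes = @()
if (Test-Path $AttachmentDir) {
    $hashes = Get-ChildItem -Path $AttachmentDir -File | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'Name'; e = { Split-Path $_.Path -Leaf } }, Hash
}

[pscustomobject]@{
    From        = (Get-Hdr 'from')        -join '; '
    ReplyTo     = (Get-Hdr 'reply-to')    -join '; '
    ReturnPath  = (Get-Hdr 'return-path') -join '; '
    MessageId   = (Get-Hdr 'message-id')  -join '; '
    Subject     = (Get-Hdr 'subject')     -join '; '
    SPF         = $verdicts.spf
    DKIM        = $verdicts.dkim
    DMARC       = $verdicts.dmarc
    ReceivedIPs = $hops -join ' <- '
    URLs        = ($urls   | ForEach-Object { ConvertTo-Defanged $_ }) -join "`n"
    TrackingPx  = ($pixels | ForEach-Object { ConvertTo-Defanged $_ }) -join "`n"
    Attachments = ($hashes | ForEach-Object { "$($_.Name) sha256:$($_.Hash)" }) -join "`n"
} | Format-List
```

A Reply-To or Return-Path that differs from the From address, an SPF or DKIM result other than pass, and a Received chain whose origin does not match the claimed sender domain are the three header findings that most often separate a spoofed message from a merely unwanted one; the object above puts them side by side so that judgement can be made before any containment action.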
Query Message Trace logs in the M365 admin portal using the sender address, subject line, and sending IP to identify every recipient who received the phishing email. Determine how many users received, opened, clicked, or replied to the message. Understanding the blast radius immediately is critical for prioritizing account lockdowns and gauging the severity of the incident for leadership communication.
Use the Exchange Online admin center or Microsoft Defender for Office 365 Threat Explorer to hard-delete or quarantine all instances of the phishing email across all mailboxes. Perform a content search using unique identifiers (Message-ID, subject, sender) to ensure no copies remain in user mailboxes, shared mailboxes, or public folders. Speed is essential: every minute the email remains accessible increases the risk of additional users clicking.
For every user confirmed or suspected to have clicked the phishing link or opened the attachment, immediately revoke active sessions, force a password reset, and require MFA re-registration if the phishing targeted credentials. Check Azure AD sign-in logs for each impacted user to detect any post-click sign-ins from anomalous locations or devices that would indicate credential compromise has already occurred.
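The three containment steps above (recipient scoping, mailbox purge, session and credential revocation) as one added PowerShell example. It is not DFIR Assist code; it assumes the Exchange Online, Security & Compliance and Microsoft Graph PowerShell modules are installed, that the operator holds the roles those cmdlets need, and that the sender address, subject, source IP and clicked-user list are constructed values to be replaced with the IOCs from header analysis.

```powershell
# Constructed IOCs; replace with the values extracted from the reported message.
$SenderAddress = 'billing@invoice-portal.example'
$Subject       = 'Action required: overdue invoice 44821'
$SendingIP     = '203.0.113.57'                                   # TEST-NET-3 placeholder
$DeliveredAt   = (Get-Date '2026-02-27T09:12:00Z').ToUniversalTime()
$ClickedUsers  = 'alice@contoso.example', 'bob@contoso.example'   # from proxy / URL-click telemetry

Connect-ExchangeOnline                          # Get-MessageTrace
Connect-IPPSSession                             # compliance search and purge
Connect-MgGraph -Scopes 'User.ReadWrite.All'    # password reset and session revocation

# 1. Scope. Get-MessageTrace reaches back only 10 days and returns at most 5000 rows per page,
#    so page through results. Pivot on the source IP as well as the sender address so a second
#    sender in the same wave is not missed.
function Get-TracePages([hashtable]$Query) {
    $rows = @(); $page = 1
    do {
        $batch = @(Get-MessageTrace @Query -PageSize 5000 -Page $page)
        $rows += $batch; $page++
    } while ($batch.Count -eq 5000)
    return $rows
}
$window = @{ StartDate = $DeliveredAt.AddHours(-6); EndDate = (Get-Date) }
$hits = @(Get-TracePages ($window + @{ SenderAddress = $SenderAddress })) +
        @(Get-TracePages ($window + @{ FromIP = $SendingIP }))
$hits = $hits | Sort-Object MessageTraceId -Unique
$hits | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, FromIP, MessageId |
    Export-Csv -Path .\phish-recipients.csv -NoTypeInformation
$delivered = @($hits | Where-Object { $_.Status -eq 'Delivered' })
"Blast radius: $($hits.Count) recipients traced, $($delivered.Count) delivered to a mailbox"

# 2. Purge. A compliance search over every mailbox and public folder, then a hard-delete action.
#    Each purge action removes at most 10 matching items per mailbox, so rerun until Items reaches 0.
$searchName = "Phish-$($DeliveredAt.ToString('yyyyMMdd-HHmm'))"
$kql = "from:`"$SenderAddress`" AND subject:`"$Subject`""
New-ComplianceSearch -Name $searchName -ExchangeLocation All -PublicFolderLocation All -ContentMatchQuery $kql | Out-Null
Start-ComplianceSearch -Identity $searchName
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')
"Content search matched $($search.Items) items"
if ($search.Items -gt 0) {
    New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType HardDelete -Confirm:$false
}

# 3. Revoke. Set a new random password rather than only flagging "change at next sign-in":
#    with the latter, whoever still knows the old password gets to choose the new one.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
foreach ($upn in $ClickedUsers) {
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    $tempPassword = [Convert]::ToBase64String($bytes)     # hand to the user out of band
    Update-MgUser -UserId $upn -PasswordProfile @{ Password = $tempPassword; ForceChangePasswordNextSignIn = $true }
    Revoke-MgUserSignInSession -UserId $upn | Out-Null    # refresh tokens die now; access tokens expire within about an hour
    "$upn : password reset, sessions revoked"
}
```

The trace CSV is the artefact leadership will ask for first (how many received it, how many had it delivered), and the purge count coming back non-zero on a second run is the check that copies were still being delivered while the search ran.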
First 60 Minutes
Export the M365 Unified Audit Log for all impacted users covering at least 48 hours before and after the phishing delivery timestamp. Filter for mailbox access, file downloads, SharePoint/OneDrive activity, and admin operations. The UAL provides the most comprehensive view of what a compromised account did post-credential-theft, including data access, email forwarding rule creation, and OAuth app consent.
Review Azure AD sign-in logs for all impacted accounts, paying close attention to sign-ins from unfamiliar IP addresses, geographies, device types, or user-agent strings. Look for token replay attacks, impossible-travel detections, and sign-ins that bypassed conditional-access policies. Azure AD sign-in data helps distinguish between a simple click with no compromise and an active account takeover that requires broader response.
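An added example (not DFIR Assist code) for the two log reviews above: it pulls the Unified Audit Log for the impacted users with session paging, flattens the AuditData JSON, lists the operations most often seen after a credential theft, and then compares each post-delivery sign-in against the user's own 30-day baseline of IPs, countries and operating systems. The user list and delivery time are constructed; the Exchange Online and Graph modules and the AuditLog.Read.All scope are assumed.

```powershell
$Users       = 'alice@contoso.example', 'bob@contoso.example'   # constructed impacted accounts
$DeliveredAt = (Get-Date '2026-02-27T09:12:00Z').ToUniversalTime()
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

# 1. Unified Audit Log, 48 h either side of delivery. ReturnLargeSet hands back up to 5000 records
#    per call; keep calling with the same SessionId until an empty batch arrives (50 000 cap per session).
$sessionId = "phish-ual-$([guid]::NewGuid())"
$raw = @()
do {
    $batch = @(Search-UnifiedAuditLog -StartDate $DeliveredAt.AddHours(-48) -EndDate $DeliveredAt.AddHours(48) `
                 -UserIds $Users -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
    $raw += $batch
} while ($batch.Count -gt 0)

# AuditData is a JSON string whose IP field name differs by workload; flatten what is triaged first.
$events = $raw | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Workload  = $d.Workload
        Operation = $_.Operations
        ClientIP  = if ($d.ClientIP) { $d.ClientIP } elseif ($d.ActorIpAddress) { $d.ActorIpAddress } else { $d.ClientIPAddress }
        Object    = $d.ObjectId
        Detail    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
}
$events | Sort-Object Time | Export-Csv -Path .\ual-impacted-users.csv -NoTypeInformation

# Operations that most often mark post-compromise activity; any hit after delivery is a lead.
$highSignal = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox', 'Add-MailboxPermission',
              'Consent to application.', 'Add service principal.', 'Update user.',
              'FileDownloaded', 'FileSyncDownloadedFull', 'AnonymousLinkCreated', 'SharingSet'
$events | Where-Object { $_.Time -ge $DeliveredAt -and $_.Operation -in $highSignal } |
    Sort-Object Time | Format-Table Time, User, Operation, ClientIP, Object -AutoSize

# 2. Sign-in review. The default Graph sign-in set is interactive sign-ins; token replay frequently
#    surfaces only in non-interactive sign-ins, which need the beta endpoint's signInEventTypes filter.
$since = $DeliveredAt.AddDays(-30).ToString('o')
foreach ($u in $Users) {
    $signIns = @(Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$u' and createdDateTime ge $since" -All)
    $before  = @($signIns | Where-Object { $_.CreatedDateTime -lt $DeliveredAt -and $_.Status.ErrorCode -eq 0 })
    $knownIPs       = @($before.IpAddress | Sort-Object -Unique)
    $knownCountries = @($before.Location.CountryOrRegion | Sort-Object -Unique)
    $knownOS        = @($before.DeviceDetail.OperatingSystem | Sort-Object -Unique)

    $signIns | Where-Object { $_.CreatedDateTime -ge $DeliveredAt -and $_.Status.ErrorCode -eq 0 } | ForEach-Object {
        $flags = @()
        if ($_.IpAddress -notin $knownIPs)                       { $flags += 'new-ip' }
        if ($_.Location.CountryOrRegion -notin $knownCountries)  { $flags += 'new-country' }
        if ($_.DeviceDetail.OperatingSystem -notin $knownOS)     { $flags += 'new-os' }
        if ($_.RiskEventTypesV2)                                 { $flags += "risk:$($_.RiskEventTypesV2 -join ',')" }
        if ($_.ConditionalAccessStatus -eq 'notApplied')         { $flags += 'ca-not-applied' }
        if ($flags) {
            [pscustomobject]@{
                User    = $u
                Time    = $_.CreatedDateTime
                IP      = $_.IpAddress
                Country = $_.Location.CountryOrRegion
                App     = $_.AppDisplayName
                Client  = $_.ClientAppUsed
                Flags   = $flags -join ' '
            }
        }
    }
}
```

A successful post-delivery sign-in carrying new-ip, new-country and ca-not-applied together is the pattern that turns "user clicked" into "account taken over"; a clean baseline comparison with no flags is the evidence that lets the case stay a single-click incident.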
Attackers who compromise mailboxes frequently create inbox rules to hide their activity, such as auto-deleting or redirecting emails containing keywords like "hack," "password reset," or "security." Use PowerShell (Get-InboxRule) or the mailbox audit log to enumerate all inbox rules created or modified after the phishing delivery timestamp. Malicious rules must be deleted immediately to stop ongoing data leakage and to restore visibility for the account owner.
Place a litigation hold or create an eDiscovery case to preserve the original phishing email, any replies, and the full mailbox state for impacted users. Export the original email in EML format with full internet headers for offline analysis and potential law-enforcement submission. Preserving email evidence before users or automated retention policies delete it is critical for attribution and potential legal proceedings.
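An added PowerShell example (not DFIR Assist code) for the inbox-rule sweep and the evidence hold above. For each impacted mailbox it lists every inbox rule, including hidden ones, flags the rule shapes attackers rely on (external forwarding, deletion, marking read, moving to an obscure folder, keyword triggers, blank names), shows the rule-change audit events after delivery, checks mailbox-level forwarding, and places the mailbox on litigation hold. Removal is gated behind a confirmation flag. The user list, domain, delivery time and keyword list are constructed; the Exchange Online module is assumed.

```powershell
$Users           = 'alice@contoso.example', 'bob@contoso.example'   # constructed impacted accounts
$InternalDomains = 'contoso.example'                                  # constructed; add every owned domain
$DeliveredAt     = (Get-Date '2026-02-27T09:12:00Z').ToUniversalTime()
$RemoveConfirmed = $false     # flip to $true only after an analyst has reviewed the flagged list
Connect-ExchangeOnline

$hideWords   = 'hack', 'password', 'security', 'phish', 'suspicious', 'fraud', 'helpdesk', 'invoice'
$hideFolders = 'RSS', 'Archive', 'Junk', 'Deleted', 'Conversation History', 'Notes'
$domainPattern = ($InternalDomains | ForEach-Object { [regex]::Escape($_) }) -join '|'

foreach ($u in $Users) {
    # -IncludeHidden also returns rules whose names were blanked through MAPI, a common evasion.
    foreach ($r in @(Get-InboxRule -Mailbox $u -IncludeHidden)) {
        $reasons = @()
        $targets = @($r.ForwardTo; $r.RedirectTo; $r.ForwardAsAttachmentTo) | Where-Object { $_ }
        $words   = @($r.SubjectContainsWords; $r.BodyContainsWords; $r.SubjectOrBodyContainsWords) | Where-Object { $_ }

        if ($targets | Where-Object { $_ -notmatch "@(?:$domainPattern)\b" }) { $reasons += 'forwards-external' }
        if ($r.DeleteMessage)                                                { $reasons += 'deletes' }
        if ($r.MarkAsRead)                                                   { $reasons += 'marks-read' }
        if ($r.MoveToFolder -and ($hideFolders | Where-Object { $r.MoveToFolder -like "*$_*" })) {
            $reasons += 'moves-to-hidden-folder'
        }
        if ($words | Where-Object { $w = $_; $hideWords | Where-Object { $w -like "*$_*" } }) { $reasons += 'keyword-trigger' }
        if ([string]::IsNullOrWhiteSpace($r.Name))                          { $reasons += 'blank-name' }

        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $u
                Rule    = $r.Name
                Enabled = $r.Enabled
                Reasons = $reasons -join ','
                Targets = $targets -join ';'
            } | Format-Table -AutoSize
            if ($RemoveConfirmed) { Remove-InboxRule -Mailbox $u -Identity $r.Identity -Confirm:$false }
        }
    }

    # Get-InboxRule carries no timestamps; the audit log shows which rules were created or changed after delivery.
    Search-UnifiedAuditLog -StartDate $DeliveredAt -EndDate (Get-Date) -UserIds $u -ResultSize 1000 `
        -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Remove-InboxRule', 'Set-Mailbox' |
        Select-Object CreationDate, Operations, @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
        Format-Table -AutoSize

    # Mailbox-level forwarding is a separate setting from inbox rules and is abused the same way.
    $mb = Get-Mailbox -Identity $u
    if ($mb.ForwardingSmtpAddress -or $mb.ForwardingAddress) {
        "$u : mailbox forwarding set to $($mb.ForwardingSmtpAddress)$($mb.ForwardingAddress)"
        if ($RemoveConfirmed) {
            Set-Mailbox -Identity $u -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
        }
    }

    # Preserve the mailbox as it stands; the original EML with headers is then exported from the
    # Purview eDiscovery case, since Exchange PowerShell does not export message content.
    Set-Mailbox -Identity $u -LitigationHoldEnabled $true -LitigationHoldDuration 365
    "$u : litigation hold enabled"
}
```

Run the hold before removing anything: once a rule or forwarding address is deleted the evidence of it survives only in the audit log and in the held mailbox state.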
First 4 Hours
Sophisticated phishing campaigns use OAuth consent-phishing to trick users into granting persistent API access to malicious applications. Review Azure AD enterprise-application registrations and user-consented apps for any suspicious OAuth grants created after the phishing event. Revoke any unauthorized app permissions immediately, as OAuth tokens persist even after password resets and can provide ongoing access to mailboxes, files, and other resources.
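An added Microsoft Graph PowerShell example (not DFIR Assist code) for the consent review above. OAuth2PermissionGrant objects carry no creation time, so the block first reads the Azure AD directory audit log for consent events after the delivery timestamp, then enumerates every grant held by each impacted user, flags high-value scopes and unverified or third-party publishers, and revokes flagged grants once an analyst confirms. User list and delivery time are constructed; the audit-record field names (ConsentAction.Permissions) and the Graph scopes listed are assumptions to verify in your tenant.

```powershell
$Users           = 'alice@contoso.example', 'bob@contoso.example'   # constructed impacted accounts
$DeliveredAt     = (Get-Date '2026-02-27T09:12:00Z').ToUniversalTime()
$RevokeConfirmed = $false     # flip to $true after review of the flagged grants
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All', 'User.ReadWrite.All'

# 1. Consent events after delivery, straight from the directory audit log.
$since = $DeliveredAt.ToString('o')
$consents = @(Get-MgAuditLogDirectoryAudit -All `
    -Filter "activityDisplayName eq 'Consent to application' and activityDateTime ge $since")
foreach ($c in $consents) {
    $sp   = $c.TargetResources | Where-Object { $_.Type -eq 'ServicePrincipal' } | Select-Object -First 1
    $perm = ($sp.ModifiedProperties | Where-Object { $_.DisplayName -eq 'ConsentAction.Permissions' }).NewValue
    [pscustomobject]@{
        Time        = $c.ActivityDateTime
        User        = $c.InitiatedBy.User.UserPrincipalName
        App         = $sp.DisplayName
        SpId        = $sp.Id
        Result      = $c.Result
        Permissions = $perm
    }
}

# 2. Grants currently held by each impacted user (consentType Principal; admin-wide grants have no principalId).
$riskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite', 'Files.Read.All',
               'Files.ReadWrite.All', 'Contacts.Read', 'User.Read.All', 'offline_access'
$tenantId = (Get-MgContext).TenantId
foreach ($upn in $Users) {
    $userId = (Get-MgUser -UserId $upn -Property Id).Id
    foreach ($g in @(Get-MgOauth2PermissionGrant -Filter "principalId eq '$userId'" -All)) {
        $client = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
        $scopes = $g.Scope -split ' ' | Where-Object { $_ }
        $risky  = @($scopes | Where-Object { $_ -in $riskyScopes })
        $flags  = @()
        if ($risky)                                          { $flags += "risky:$($risky -join ',')" }
        if (-not $client.VerifiedPublisher.DisplayName)      { $flags += 'unverified-publisher' }
        if ($client.AppOwnerOrganizationId -ne $tenantId)    { $flags += 'third-party' }
        [pscustomobject]@{
            User    = $upn
            App     = $client.DisplayName
            AppId   = $client.AppId
            Scopes  = $scopes -join ' '
            Flags   = $flags -join ' '
            GrantId = $g.Id
        } | Format-Table -AutoSize
        if ($flags -and $RevokeConfirmed) {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
            # Refresh tokens already issued to the app stay valid until revoked; disabling the
            # service principal (Update-MgServicePrincipal -AccountEnabled:$false) blocks it tenant-wide.
            Revoke-MgUserSignInSession -UserId $upn | Out-Null
            "$upn : revoked grant $($g.Id) for $($client.DisplayName)"
        }
    }
}
```

The combination to act on first is a grant with offline_access plus a Mail.* scope to an app with no verified publisher: offline_access is what makes the access survive the password reset the earlier steps performed.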
Expand the investigation beyond the initially reported phishing email to identify related campaign waves. Search Message Trace for emails from the same sending infrastructure, similar subject-line patterns, or matching URL domains over the past 30 days. Correlate with threat-intelligence feeds to determine whether this is a targeted spear-phishing campaign or a broad commodity attack. A thorough campaign-scope analysis prevents additional waves from succeeding.
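A 30-day sweep as an added example (not DFIR Assist code). Get-MessageTrace only reaches back 10 days, so a 30-day search has to be a historical search, which runs asynchronously and delivers a CSV; the block submits one search per pivot (sender address, source IP), polls for completion, and then clusters the downloaded rows by sender domain, subject template and source IP so separate waves of one campaign stand out. IOCs and the notification mailbox are constructed; the CSV column names used by Get-CampaignClusters (origin_timestamp_utc, sender_address, message_subject, original_client_ip) are assumptions to check against the report you actually download.

```powershell
$SenderAddress = 'billing@invoice-portal.example'   # constructed IOC
$SendingIP     = '203.0.113.57'                     # constructed IOC
$Notify        = 'irteam@contoso.example'           # assumed mailbox that receives the report link
Connect-ExchangeOnline

# 1. Submit the searches. A historical search covers up to 90 days; here the page's 30-day window.
$window = @{
    StartDate     = (Get-Date).AddDays(-30)
    EndDate       = Get-Date
    ReportType    = 'MessageTrace'
    NotifyAddress = $Notify
}
$jobs = @(
    Start-HistoricalSearch @window -ReportTitle 'Phish sweep - sender address' -SenderAddress $SenderAddress
    Start-HistoricalSearch @window -ReportTitle 'Phish sweep - source IP'      -OriginalClientIP $SendingIP
)
$jobs | ForEach-Object { "Submitted $($_.JobId): $($_.ReportTitle)" }

# 2. Poll until every job has finished; FileUrl then points at the CSV.
do {
    Start-Sleep -Seconds 60
    $status = @($jobs | ForEach-Object { Get-HistoricalSearch -JobId $_.JobId })
} while ($status | Where-Object { $_.Status -notin 'Done', 'Failed' })
$status | Select-Object JobId, ReportTitle, Status, Rows, FileUrl | Format-Table -AutoSize

# 3. Cluster the downloaded rows. Masking digits turns "invoice 44821" and "invoice 44822" into one
#    template, which is how a campaign that rotates lure numbers and sender accounts becomes visible.
function Get-CampaignClusters([string[]]$CsvPaths) {
    $rows = $CsvPaths | ForEach-Object { Import-Csv -Path $_ }
    $rows | ForEach-Object {
        [pscustomobject]@{
            Day      = ([datetime]$_.origin_timestamp_utc).ToString('yyyy-MM-dd')
            Domain   = ($_.sender_address -split '@')[-1]
            Template = $_.message_subject -replace '\d+', '#'
            SourceIP = $_.original_client_ip
        }
    } | Group-Object Domain, Template, SourceIP | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Cluster'; e = { $_.Name } },
            @{ n = 'Days';    e = { ($_.Group.Day | Sort-Object -Unique) -join ',' } }
}

# Assumed local paths for the two CSVs once downloaded from FileUrl.
Get-CampaignClusters -CsvPaths '.\phish-sweep-sender.csv', '.\phish-sweep-ip.csv'
```

A cluster whose Days column spans several dates with the same template and source IP is a multi-wave campaign against your tenant; a single day with many templates from one IP points at a commodity sender, and each finding changes which block-list entries are worth adding.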
Perform a comprehensive credential reset for all confirmed and suspected compromised accounts. This includes password resets, MFA token revocation and re-enrollment, revocation of all active refresh tokens, and removal of any app passwords. For accounts with elevated privileges, review whether those privileges were abused and consider rotating service-account credentials and API keys that may have been accessible from the compromised account.
Use the IOCs and TTPs identified during the investigation to create or tune detection rules. Add sender domains and IPs to email-filtering block lists, create custom detection rules in Microsoft Defender for known malicious URLs and attachment hashes, and build SIEM correlation rules for the observed attack patterns. Document lessons learned including any gaps in email filtering, user-awareness training, or conditional-access policies that allowed the phishing to succeed.
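An added example (not DFIR Assist code) for the MFA re-enrolment part of the credential reset and for the block-list and detection work in the last step. It removes every non-password authentication method so the user must re-register (and so any method an attacker added disappears with them), revokes sessions, writes the sender domain, URL and attachment hash to the tenant block list, puts the IPv4 sender on the connection-filter block list, and builds the advanced-hunting KQL that becomes a custom detection. User list and IOCs are constructed, the attachment hash is a placeholder, and the Graph and Exchange Online modules plus the Authentication Administrator role are assumed.

```powershell
$Users        = 'alice@contoso.example', 'bob@contoso.example'   # constructed impacted accounts
$SenderDomain = 'invoice-portal.example'                          # constructed IOCs from the investigation
$PhishUrl     = 'invoice-portal.example/login/*'
$AttachHash   = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder SHA-256
$SendingIP    = '203.0.113.57'
Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All', 'User.ReadWrite.All'
Connect-ExchangeOnline

# 1. MFA re-enrolment: drop every removable method. The password method cannot be removed and
#    app passwords live in the legacy per-user MFA portal, so clear those there.
foreach ($upn in $Users) {
    foreach ($m in @(Get-MgUserAuthenticationMethod -UserId $upn)) {
        $type = $m.AdditionalProperties['@odata.type']
        $removed = $true
        switch ($type) {
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' {
                Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $upn -MicrosoftAuthenticatorAuthenticationMethodId $m.Id }
            '#microsoft.graph.phoneAuthenticationMethod' {
                Remove-MgUserAuthenticationPhoneMethod -UserId $upn -PhoneAuthenticationMethodId $m.Id }
            '#microsoft.graph.softwareOathAuthenticationMethod' {
                Remove-MgUserAuthenticationSoftwareOathMethod -UserId $upn -SoftwareOathAuthenticationMethodId $m.Id }
            '#microsoft.graph.fido2AuthenticationMethod' {
                Remove-MgUserAuthenticationFido2Method -UserId $upn -Fido2AuthenticationMethodId $m.Id }
            '#microsoft.graph.emailAuthenticationMethod' {
                Remove-MgUserAuthenticationEmailMethod -UserId $upn -EmailAuthenticationMethodId $m.Id }
            default { $removed = $false }
        }
        if ($removed) { "$upn : removed $type" } else { "$upn : left $type (password or unmanaged type)" }
    }
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
}

# 2. Block the campaign's infrastructure at the mail edge.
New-TenantAllowBlockListItems -ListType Sender   -Block -Entries $SenderDomain -NoExpiration
New-TenantAllowBlockListItems -ListType Url      -Block -Entries $PhishUrl     -NoExpiration
New-TenantAllowBlockListItems -ListType FileHash -Block -Entries $AttachHash   -NoExpiration
# The tenant block list accepts IPv6 only; IPv4 senders go on the connection filter policy.
Set-HostedConnectionFilterPolicy -Identity Default -IPBlockList @{ Add = $SendingIP }

# 3. Detection: advanced-hunting KQL for the observed pattern. Saved as a custom detection rule it
#    needs Timestamp and ReportId in the projection, which is why both are kept.
$kql = @"
EmailEvents
| where Timestamp > ago(30d)
| where SenderFromDomain == "$SenderDomain" or SenderIPv4 == "$SendingIP"
| join kind=leftouter EmailUrlInfo on NetworkMessageId
| project Timestamp, ReportId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, Url
"@
$kql | Set-Content -Path .\phish-detection.kql
"Detection query written to .\phish-detection.kql; paste into Advanced hunting and save as a custom detection"
```

Re-running the KQL against the 30-day window is also the check on the block-list step: any DeliveryAction of Delivered after the entries were added means a variant slipped past the sender or URL match and the entries need widening.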
DFIR Assist | Phishing Response Quickstart | Printed 3/1/2026