That’s the moment every organisation dreads. The email looked legitimate. The sender appeared familiar. The document request seemed routine. Then someone reports a problem. Perhaps an employee says they entered their credentials into a suspicious website. Perhaps a customer calls to verify an unexpected document-sharing invitation. Perhaps the IT team notices unusual authentication activity in Microsoft 365.
Regardless of how the incident is discovered, one reality remains: the attack is no longer a phishing attempt. It is now a security incident. At this stage, the issue is how quickly the organization can determine what happened and limit the damage.
The first few hours often determine whether the incident remains a manageable event or develops into a much larger compromise.
The first rule: do not panic
One of the most common mistakes during a phishing incident is acting before understanding the situation. Panic leads to poor decisions.
Employees begin deleting emails. Users attempt to clean up systems themselves. Managers make assumptions before evidence is collected. Critical information is often lost.
A successful response begins with a simple objective: preserve information while containing risk. Investigators need evidence to determine what happened, when it happened, and who may have been affected.
Incident response: the first 15 minutes
The initial response should focus on immediate containment. In the first 15 minutes, try to answer the following questions: who received the email? Who clicked the link? Who entered credentials? What systems were involved? Is the attack still active?
At this stage, organizations should begin preserving:
These artefacts may later prove critical to understanding the attack. If a user entered credentials into a suspicious website, the affected account should be treated as compromised until proven otherwise.
Immediate account protection
For potentially compromised accounts, organizations should immediately:
- Reset passwords
- Revoke active sessions
- Invalidate authentication tokens
- Review multi-factor authentication status
- Remove unauthorized devices
Many attackers move quickly after obtaining credentials. Delaying containment gives them additional opportunities to establish persistence within the environment.
It is important to remember that changing a password alone may not be sufficient. Modern cloud environments frequently issue authentication tokens that remain valid even after credentials are changed.
Revoking active sessions is therefore an essential step.
The first hour: establishing scope
Once immediate containment actions are underway, attention should shift toward understanding the scope of the incident. Investigators should determine:
This phase often reveals that the incident is larger than initially believed. In many business environments, attackers deliberately target trust relationships that extend beyond the organization itself. Customers, suppliers, contractors, and business partners may all become secondary victims.
Investigating Microsoft 365 activity
If Microsoft 365 accounts may have been compromised, several areas deserve immediate attention.
Authentication logs
Review:
- Successful sign-ins
- Failed sign-ins
- Geographic anomalies
- Unrecognized IP addresses
- New devices
- Unusual login times
Investigators should look for activity that differs from the user’s normal patterns.
Mailbox rules
Examine mailbox configurations for:
- Automatic forwarding
- Hidden rules
- Deleted-message rules
- External redirection
Attackers frequently create rules that allow them to monitor communications without attracting attention.
Consent grants
Review recently approved applications and delegated permissions. OAuth abuse has become increasingly common because it allows attackers to maintain access without continuously stealing passwords.
Unexpected application permissions should always be investigated.
The first 24 hours: determine exposure
Once immediate threats have been contained, organizations must begin answering more difficult questions. What information was exposed?
Potential areas of concern include:
- Email communications
- Customer information
- Contracts
- Financial documents
- Internal reports
- Shared file repositories
The objective is determining what was actually accessed. This becomes particularly important when considering legal obligations, regulatory requirements, and customer notifications.
Communicating internally
Communication during an incident requires balance. Employees need accurate information without unnecessary speculation. Organizations should:
- Inform affected users
- Provide reporting instructions
- Explain immediate containment measures
- Encourage reporting of suspicius activity
What should be avoided is blame. Employees who fear punishment often delay reporting. Delayed reporting frequently allows attackers additional time to operate undetected. The organization benefits far more from rapid reporting than from assigning fault.
Communicating externally
One of the most challenging aspects of phishing incidents involves external stakeholders. Questions may include:
- Were customers targeted?
- Were suppliers affected?
- Did attackers impersonate the organization?
- Is notification required?
Premature communication can create confusion. Delayed communication can damage trust. The best approach is typically evidence-driven communication based on verified facts. Organizations should avoid assumptions and focus on confirmed findings.
Transparency supported by evidence is generally more effective than speculation.
The first 72 hours: move from containment to investigation
By this stage, immediate threats should be under control. The focus shifts from response to investigation. Key questions include:
- How did the attackers select the target?
- What infrastructure was used?
- Were credentials successfully harvested?
- What data was accessed?
- Were external parties compromised?
- Has the attacker been observed in other campaigns?
These questions often require deeper analysis than most organizations can perform internally. This is where incident response specialists, digital investigators, and OSINT analysts frequently become involved.
The goal is to understand the threat.
The hidden cost of incomplete investigation
Many organizations stop investigating once passwords have been reset and systems appear normal. This approach creates risk. Without understanding the full scope of an incident, organizations may miss:
- Additional compromised accounts
- Long-term persistence mechanisms
- Third-party exposure
- Business email compromise attempts
- Future targeting opportunities
An incomplete investigation can leave organizations vulnerable to subsequent attacks from the same threat actor.
Effective investigations identify not only what happened, but also how similar incidents can be prevented in the future.
Where external investigation services add value
Containment is only one component of incident response. Organizations also benefit from understanding:
- How the attacker operated
- What information was used during reconnaissance
- Whether customers and vendors were targeted
- Whether additional exposure exists
- How the attack fits within broader threat activity
Cybersecurity investigation and OSINT services can help organizations reconstruct events, assess exposure, identify affected parties, and develop a clearer understanding of attacker methodology.
This broader perspective often reveals risks that technical remediation alone does not address.
Lessons learned before the next incident
Every phishing incident provides an opportunity to strengthen security posture. Organizations should use incidents to evaluate security awareness programs, reporting procedures, authentication controls, logging and monitoring capabilities, incident response plan, and third-party management.
The objective is becoming more resilient with each event. Organizations that learn from incidents recover faster, respond more effectively, and reduce future risk.
What's next?
Phishing attacks rarely begin with sophisticated hacking techniques. They begin with information. Attackers study organizations, employees, customers, and vendors long before the first email is sent.
In the next article, we will examine the reconnaissance phase of modern phishing campaigns and explore how attackers use publicly available information to identify targets, map relationships, and build highly convincing attacks.
Understanding what attackers know about your organization may be one of the most important steps toward preventing future incidents.