Most phishing attacks do not become serious security incidents because someone clicked a link. They become serious incidents because warning signs were missed before, during, and after the click. In many cases, organizations possess enough information to identify suspicious activity early. The challenge is recognizing which indicators matter and knowing where to look.
Consider the scenario from our previous articles. A spoofed OneDrive document-sharing invitation is delivered to employees, customers, and vendors. The message appears legitimate, references a real business relationship, and successfully convinces recipients to visit a malicious website.
At this stage, many organizations view the event as an email problem. In reality, it is already an identity security problem. The sooner an organization recognizes this transition, the more effectively it can limit damage.
Detection starts before anyone clicks
Many phishing attacks contain subtle indicators that something is wrong. Unfortunately, users often focus on the message content rather than the technical details surrounding it.
Security teams should encourage employees to examine several factors whenever an unexpected document-sharing request arrives.
- Unexpected content
The most overlooked indicator is often the simplest. Ask:
- Sender verification
Modern phishing attacks often use display name spoofing. A message may appear to originate from a trusted customer or business partner while actually being sent from an unrelated domain.
For example:
Displayed Name: John Smith
Actual Sender Address: johnsmith-review@documentaccessportal.com
Many users never inspect the underlying sender address. Organizations should encourage employees to verify both the display name and the actual email address before interacting with unexpected requests.
Understanding email authentication
Many businesses deploy email security controls without fully understanding their value. Three technologies play a critical role in detecting impersonation attempts:
- SPF: Sender Policy Framework (SPF) identifies which servers are authorized to send email on behalf of a domain. If an email claiming to originate from a company's domain is sent from an unauthorized server, SPF validation may fail.
- DKIM: DomainKeys Identified Mail (DKIM) uses cryptographic signatures to verify that an email has not been altered during transmission. A missing or invalid DKIM signature may indicate suspicious activity.
- DMARC: Domain-based Message Authentication, Reporting and Conformance (DMARC) combines SPF and DKIM validation and allows organizations to define how failed messages should be handled. Without properly configured DMARC policies, attackers can often impersonate trusted domains with greater success.
Many organizations assume these protections are fully implemented when, in reality, they remain partially configured or operating in monitoring mode.
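The display-name check from the previous section and the SPF/DKIM/DMARC results described here are visible in the headers of every message the gateway accepts, so they can be checked together. The following is an added example, not code from the original article: it parses a message's From header and its Authentication-Results header (RFC 8601), compares the display name against a contact directory, and reports anything that does not line up. The two sample messages, the contact directory and the authserv-id `mx.example.com` are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message headers (not a real message). The display name
# imitates a known business contact, the sending domain is unrelated, and the
# receiving MTA's Authentication-Results shows no DKIM and no DMARC result.
SUSPICIOUS_MESSAGE = """\
From: John Smith <johnsmith-review@documentaccessportal.com>
To: employee@example.com
Subject: John Smith shared "Q3 Contract Review" with you
Return-Path: <bounce@documentaccessportal.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=documentaccessportal.com;
 dkim=none;
 dmarc=none header.from=documentaccessportal.com

Body omitted.
"""

# Constructed legitimate counterpart: same contact, expected domain, all checks pass.
LEGITIMATE_MESSAGE = """\
From: John Smith <john.smith@acme-partner.example>
To: employee@example.com
Subject: Q3 Contract Review
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=acme-partner.example;
 dkim=pass header.d=acme-partner.example;
 dmarc=pass header.from=acme-partner.example

Body omitted.
"""

# Constructed contact directory: lower-cased display name -> domain we expect.
KNOWN_CONTACTS = {"john smith": "acme-partner.example"}

# The authserv-id of our own gateway (assumed). Only trust an Authentication-Results
# header our own MTA wrote; a sender can insert a forged one further upstream.
OUR_AUTHSERV_ID = "mx.example.com"


def parse_auth_results(header_value: str, authserv_id: str = OUR_AUTHSERV_ID) -> dict:
    """Extract the spf/dkim/dmarc results from an Authentication-Results header.
    A method that is absent is reported as 'missing'; if the header was not written
    by our own gateway, every method is reported as 'untrusted'."""
    results = {}
    trusted = header_value.strip().lower().startswith(authserv_id.lower())
    for method in ("spf", "dkim", "dmarc"):
        if not trusted:
            results[method] = "untrusted"
            continue
        m = re.search(rf"\b{method}=(\w+)", header_value, re.IGNORECASE)
        results[method] = m.group(1).lower() if m else "missing"
    return results


def assess_message(raw: str, known_contacts: dict = KNOWN_CONTACTS) -> dict:
    """Compare the visible display name with the real sender domain and with the
    authentication results. Returns the parsed fields plus a list of findings."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    findings = []
    expected_domain = known_contacts.get(display_name.strip().lower())
    if expected_domain and expected_domain != from_domain:
        findings.append(
            f"display name '{display_name}' matches a known contact, but the "
            f"sender domain is {from_domain} (expected {expected_domain})"
        )
    for method in ("spf", "dkim", "dmarc"):
        if auth[method] != "pass":
            findings.append(f"{method.upper()} result is '{auth[method]}'")
    return {
        "display_name": display_name,
        "address": address,
        "from_domain": from_domain,
        "auth": auth,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for raw in (SUSPICIOUS_MESSAGE, LEGITIMATE_MESSAGE):
        result = assess_message(raw)
        print(result["address"], "suspicious" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

Note that SPF passes for the suspicious message: the attacker controls documentaccessportal.com and can publish a valid SPF record for it. SPF and DKIM only tell you the message really came from that domain; it is the display-name mismatch and the absent DMARC result for the impersonated brand that make the message suspicious, which is why the check looks at all of them together.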
Looking beyond the email
Suppose an employee clicks the link. The investigation should not stop there. One of the most common mistakes organizations make is focusing exclusively on the phishing email while ignoring subsequent activity.
At this point, investigators should begin asking new questions:
- Was a login attempt recorded?
- Was authentication successful?
- Were new devices observed?
- Were access tokens issued?
- Was multi-factor authentication challenged?
- Did unusual activity occur afterwards?
These indicators often reveal whether a phishing attempt progressed into account compromise.
Signs of compromised Microsoft 365 accounts
In Microsoft 365 environments, several indicators frequently appear after credentials have been harvested.
- Unusual sign-in activity
Investigators should review authentication logs for:
- New geographic locations
- Impossible travel scenarios
- Unrecognized devices
- Unusual IP addresses
- Sign-ins occurring outside normal business hours
A user who normally authenticates from Toronto should not suddenly appear to be logging in from another continent thirty minutes later. While VPN usage can create false positives, unusual login patterns should never be ignored.
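The "impossible travel" check described above reduces to a small calculation over consecutive successful sign-ins for each user. The following is an added example, not code from the original article: it computes the great-circle distance between each pair of consecutive successful sign-ins for the same user and flags any pair whose implied speed exceeds airliner speed. The sign-in records, coordinates and threshold values are constructed for the example; in practice the fields would come from the Entra ID sign-in log, which already geolocates each event.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass
class SignIn:
    user: str
    time: datetime
    ip: str
    city: str
    lat: float
    lon: float
    success: bool


# Constructed sign-in records (not real log data). Geolocation is assumed to
# have been resolved already, as a sign-in log normally does for each event.
SAMPLE_SIGNINS = [
    SignIn("a.user@example.com", datetime(2024, 5, 6, 9, 2), "203.0.113.10", "Toronto", 43.65, -79.38, True),
    SignIn("a.user@example.com", datetime(2024, 5, 6, 9, 35), "198.51.100.7", "Lagos", 6.52, 3.38, True),
    SignIn("b.user@example.com", datetime(2024, 5, 6, 8, 10), "203.0.113.11", "Toronto", 43.65, -79.38, True),
    SignIn("b.user@example.com", datetime(2024, 5, 6, 11, 10), "203.0.113.12", "Montreal", 45.50, -73.57, True),
    # A failed attempt from far away is worth a look on its own, but it is not
    # "travel": only successful sign-ins establish where the user actually was.
    SignIn("b.user@example.com", datetime(2024, 5, 6, 11, 20), "198.51.100.8", "Lagos", 6.52, 3.38, False),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(signins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Flag consecutive successful sign-ins by the same user whose implied
    speed exceeds max_speed_kmh (roughly airliner speed). Hops shorter than
    min_distance_km are ignored so that geolocation jitter inside one metro
    area does not raise alerts."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s.time):
        if s.success:
            by_user.setdefault(s.user, []).append(s)

    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if distance < min_distance_km:
                continue
            hours = (cur.time - prev.time) / timedelta(hours=1)
            speed = float("inf") if hours <= 0 else distance / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": user,
                    "from": f"{prev.city} ({prev.ip})",
                    "to": f"{cur.city} ({cur.ip})",
                    "minutes": round(hours * 60),
                    "distance_km": round(distance),
                    "speed_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_SIGNINS):
        print(f"{a['user']}: {a['from']} -> {a['to']} in {a['minutes']} min "
              f"({a['distance_km']} km, ~{a['speed_kmh']} km/h)")
```

The VPN false positives mentioned above are best handled by feeding the function a list of known corporate VPN egress addresses and skipping pairs where either side is one of them, rather than by raising the speed threshold; a higher threshold would hide real events, while an allowlist only removes the explainable ones.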
- New mailbox rules
Attackers often create hidden forwarding rules after compromising an account. These rules may:
- Forward messages externally
- Move emails into hidden folders
- Delete security notifications
- Conceal evidence of ongoing activity
Forwarding rules are frequently overlooked during investigations despite being a common persistence mechanism.
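Reviewing every mailbox rule by hand does not scale, but the properties that make a rule suspicious are few: where it forwards, where it moves mail, whether it deletes, what subjects it matches, and whether its name is an attempt not to be noticed. The following is an added example, not code from the original article: it triages a list of inbox rules shaped like the properties the Exchange Online cmdlet Get-InboxRule exposes (Name, Enabled, ForwardTo, RedirectTo, MoveToFolder, DeleteMessage, SubjectContainsWords). The rule records, the internal domain list and the keyword lists are constructed for the example.

```python
# Constructed inbox-rule records. Field names follow the Get-InboxRule property
# names; every value is made up for the example.
SAMPLE_RULES = [
    {
        "Name": "Vendor invoices",
        "Enabled": True,
        "ForwardTo": [],
        "ForwardAsAttachmentTo": [],
        "RedirectTo": [],
        "MoveToFolder": "Invoices",
        "DeleteMessage": False,
        "MarkAsRead": False,
        "SubjectContainsWords": ["invoice"],
    },
    {
        "Name": ".",
        "Enabled": True,
        "ForwardTo": ["collector@mail-relay.example.net"],
        "ForwardAsAttachmentTo": [],
        "RedirectTo": [],
        "MoveToFolder": "RSS Subscriptions",
        "DeleteMessage": False,
        "MarkAsRead": True,
        "SubjectContainsWords": ["password", "security alert", "invoice"],
    },
    {
        "Name": "Cleanup",
        "Enabled": True,
        "ForwardTo": [],
        "ForwardAsAttachmentTo": [],
        "RedirectTo": [],
        "MoveToFolder": "Deleted Items",
        "DeleteMessage": True,
        "MarkAsRead": True,
        "SubjectContainsWords": ["unusual sign-in", "MFA"],
    },
]

INTERNAL_DOMAINS = {"example.com"}  # assumed: the organisation's own domains
# Folders users rarely open, so mail moved there is effectively hidden.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
# Words a security notification or a password-reset message would carry.
SECURITY_WORDS = {"password", "security", "alert", "sign-in", "mfa",
                  "verification", "suspicious"}


def rule_findings(rule, internal_domains=INTERNAL_DOMAINS):
    """Return a list of human-readable findings for one rule (empty if benign)."""
    findings = []
    targets = (rule.get("ForwardTo", []) + rule.get("ForwardAsAttachmentTo", [])
               + rule.get("RedirectTo", []))
    for target in targets:
        domain = target.rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            findings.append(f"forwards or redirects to external address {target}")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDDEN_FOLDERS:
        findings.append(f"moves matching mail to rarely viewed folder '{rule['MoveToFolder']}'")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
    phrases = [w.lower() for w in rule.get("SubjectContainsWords", [])]
    hits = sorted({kw for kw in SECURITY_WORDS for p in phrases if kw in p})
    if hits:
        findings.append(f"filters on security-related subjects: {', '.join(hits)}")
    name = rule.get("Name", "").strip()
    if len(name) <= 2 or not any(ch.isalpha() for ch in name):
        findings.append(f"rule name '{name}' is blank or a single character")
    return findings


def triage_rules(rules):
    """Return [(rule name, findings)] for every enabled rule with at least one finding."""
    out = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        findings = rule_findings(rule)
        if findings:
            out.append((rule["Name"], findings))
    return out


if __name__ == "__main__":
    for name, findings in triage_rules(SAMPLE_RULES):
        print(f"rule '{name}':")
        for f in findings:
            print("  -", f)
```

Inbox rules are only one of the forwarding paths; mailbox-level forwarding (the ForwardingSmtpAddress mailbox property) and tenant transport rules are set elsewhere and should be reviewed alongside this output.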
Not all phishing attacks steal passwords. Increasingly, attackers seek authorization through OAuth consent requests. Instead of obtaining credentials directly, they convince users to grant permissions to malicious applications. These permissions may allow attackers to:
- Read emails
- Access files
- Maintain long-term access
- Bypass password changes
Because the account itself may not appear compromised, these attacks can remain undetected for extended periods.
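Because a consent-based compromise leaves no failed logins and no new device, the consent grants themselves are the evidence. The following is an added example, not code from the original article: it scores consent grants by the permissions granted, whether the application is on an approved list, whether its publisher is verified, and whether a user (rather than an administrator) consented to an application named after a Microsoft product. The grant records and their field names are assumptions chosen to resemble an export of the tenant's OAuth2 permission grants (for instance via Get-MgOauth2PermissionGrant); the application ids are placeholders. The permission names are real Microsoft Graph delegated permissions.

```python
# Constructed consent-grant records (field names are assumptions; values are made up).
SAMPLE_GRANTS = [
    {
        "app_display_name": "Expense Reports",
        "app_id": "00000000-0000-0000-0000-00000000aaaa",  # placeholder id
        "publisher_verified": True,
        "consent_type": "AllPrincipals",   # admin consent for the whole tenant
        "scopes": "openid profile User.Read",
        "granted_by": "admin@example.com",
        "granted_at": "2024-04-02T10:00:00Z",
    },
    {
        "app_display_name": "OneDrive Document Viewer",
        "app_id": "00000000-0000-0000-0000-00000000bbbb",  # placeholder id
        "publisher_verified": False,
        "consent_type": "Principal",       # a single user consented
        "scopes": "Mail.Read Mail.ReadWrite Files.Read.All MailboxSettings.ReadWrite offline_access",
        "granted_by": "a.user@example.com",
        "granted_at": "2024-05-06T09:40:00Z",
    },
]

# Microsoft Graph delegated permissions that give an attacker exactly what the
# article describes: reading mail and files, persisting, surviving a password change.
HIGH_RISK_SCOPES = {
    "Mail.Read": "read the user's mail",
    "Mail.ReadWrite": "read and modify mail",
    "Mail.Send": "send mail as the user",
    "Files.Read.All": "read all files the user can reach",
    "Files.ReadWrite.All": "read and modify all files the user can reach",
    "Sites.Read.All": "read all SharePoint sites the user can reach",
    "MailboxSettings.ReadWrite": "change mailbox settings, including inbox rules",
    "offline_access": "refresh token; access persists until the grant is revoked, "
                      "a password change alone does not end it",
}
APPROVED_APP_IDS = {"00000000-0000-0000-0000-00000000aaaa"}  # assumed allow-list
IMPERSONATED_BRANDS = ("onedrive", "sharepoint", "microsoft", "office", "outlook")


def score_grant(grant, approved_app_ids=APPROVED_APP_IDS):
    """Return (score, reasons) for one grant; higher means more worth a look."""
    score, reasons = 0, []
    for scope in grant["scopes"].split():
        if scope in HIGH_RISK_SCOPES:
            score += 1
            reasons.append(f"{scope}: {HIGH_RISK_SCOPES[scope]}")
    if grant["app_id"] not in approved_app_ids:
        score += 2
        reasons.append("application is not on the approved list")
    if not grant.get("publisher_verified", False):
        score += 2
        reasons.append("publisher is not verified")
    name = grant["app_display_name"].lower()
    if grant["consent_type"] == "Principal" and any(b in name for b in IMPERSONATED_BRANDS):
        score += 1
        reasons.append("user-consented application whose name imitates a Microsoft product")
    return score, reasons


def triage_grants(grants, threshold=3):
    """Return [(app name, granted_by, score, reasons)] for grants at or above threshold,
    highest score first."""
    out = []
    for g in grants:
        score, reasons = score_grant(g)
        if score >= threshold:
            out.append((g["app_display_name"], g["granted_by"], score, reasons))
    return sorted(out, key=lambda item: -item[2])


if __name__ == "__main__":
    for app, who, score, reasons in triage_grants(SAMPLE_GRANTS):
        print(f"{app} (consented by {who}, score {score})")
        for r in reasons:
            print("  -", r)
```

The offline_access entry is the reason the article says these attacks bypass password changes: the application holds a refresh token, so remediation has to revoke the grant and the user's refresh tokens, not just reset the password.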
Monitoring OneDrive and SharePoint activity
Document-sharing attacks naturally lead investigators toward OneDrive and SharePoint logs. Indicators worth examining include:
Even if credentials were not successfully harvested, attackers may attempt to leverage existing access to gather information. Understanding what was accessed is often as important as understanding how access was obtained.
The first hours matter
The first sixty minutes following a reported phishing incident are often the most important. Organizations should immediately determine:
- Who received the email?
- Who clicked the link?
- Who entered credentials?
- What systems were involved?
- Did authentication occur?
- Did additional recipients receive similar messages?
Rapid scoping frequently determines whether an organization experiences a minor security event or a major incident. Delays provide attackers with additional opportunities to establish persistence and move laterally.
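The scoping questions in this section and the post-click questions under "Looking beyond the email" are answered by joining three logs the organization already has: the message trace (who received it), the URL-click report (who clicked), and the sign-in log (who authenticated, from where, on what device, with MFA or not). The following is an added example, not code from the original article, that performs that join over constructed records of the three logs; the log layouts, the addresses and the attacker IP are all made up for the example, and the attacker IP would in practice come from the investigation of the phishing site.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed logs (not real data), reduced to the fields the scoping needs.
PHISH_SENDER = "johnsmith-review@documentaccessportal.com"
PHISH_SUBJECT = 'John Smith shared "Q3 Contract Review" with you'
PHISH_URL_HOST = "documentaccessportal.com"
T0 = datetime(2024, 5, 6, 8, 45)

DELIVERIES = [  # (time, sender, recipient, subject) as in a message trace
    (T0, PHISH_SENDER, "a.user@example.com", PHISH_SUBJECT),
    (T0, PHISH_SENDER, "b.user@example.com", PHISH_SUBJECT),
    (T0 + timedelta(minutes=1), PHISH_SENDER, "c.user@example.com", PHISH_SUBJECT),
    # A variant from the same domain: the "similar messages" the article asks about.
    (T0 + timedelta(minutes=40), "other-review@documentaccessportal.com",
     "d.user@example.com", "Reminder: Q3 Contract Review"),
    (T0, "newsletter@vendor.example", "a.user@example.com", "May newsletter"),
]
URL_CLICKS = [  # (time, user, url) as in a URL-click report
    (T0 + timedelta(minutes=12), "a.user@example.com", "https://documentaccessportal.com/onedrive/share?id=1"),
    (T0 + timedelta(minutes=25), "c.user@example.com", "https://documentaccessportal.com/onedrive/share?id=2"),
    (T0 + timedelta(minutes=30), "b.user@example.com", "https://intranet.example.com/wiki"),
]
SIGNINS = [  # (time, user, ip, success, mfa_satisfied, device_known)
    (T0 + timedelta(minutes=17), "a.user@example.com", "198.51.100.7", True, True, False),
    (T0 + timedelta(minutes=29), "c.user@example.com", "198.51.100.7", False, False, False),
    (T0 + timedelta(minutes=50), "b.user@example.com", "203.0.113.11", True, True, True),
]
ATTACKER_IPS = {"198.51.100.7"}  # constructed; learned from the phishing infrastructure


def scope_incident(deliveries, clicks, signins, sender_domain, url_host,
                   attacker_ips, window=timedelta(hours=6)):
    """Answer the scoping questions from the three logs, limited to events inside
    `window` after the earliest delivery from the phishing domain. Returns None if
    no delivery from that domain is present."""
    def domain_of(addr):
        return addr.rsplit("@", 1)[-1].lower()

    campaign = [d for d in deliveries if domain_of(d[1]) == sender_domain]
    if not campaign:
        return None
    start = min(t for (t, _, _, _) in campaign)
    end = start + window

    def in_window(t):
        return start <= t <= end

    recipients = {r for (t, _, r, _) in campaign if in_window(t)}
    senders = {s for (t, s, _, _) in campaign if in_window(t)}
    clicked = {u for (t, u, url) in clicks
               if in_window(t) and urlparse(url).hostname == url_host}
    attacker_signins = [e for e in signins if in_window(e[0]) and e[2] in attacker_ips]
    attempted = {u for (_, u, _, _, _, _) in attacker_signins}
    compromised = {u for (_, u, _, ok, _, _) in attacker_signins if ok}
    mfa_satisfied = {u for (_, u, _, ok, mfa, _) in attacker_signins if ok and mfa}
    new_device = {u for (_, u, _, ok, _, known) in attacker_signins if ok and not known}
    return {
        "window_start": start,
        "recipients": recipients,
        "campaign_senders": senders,
        "clicked": clicked,
        "clicked_without_attacker_signin": clicked - attempted,
        "attempted_from_attacker_ip": attempted,
        "compromised": compromised,
        "mfa_satisfied": mfa_satisfied,
        "new_device": new_device,
    }


if __name__ == "__main__":
    scope = scope_incident(DELIVERIES, URL_CLICKS, SIGNINS,
                           "documentaccessportal.com", PHISH_URL_HOST, ATTACKER_IPS)
    for key, value in scope.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Two of the output sets deserve a second look rather than relief. A user in `mfa_satisfied` passed MFA during a sign-in from the attacker's address, which is what an adversary-in-the-middle phishing page produces, so MFA did not protect that account. A user in `clicked_without_attacker_signin` may simply not have entered credentials, or the attacker may have used an address not yet on the list; that set is the starting point for the next round of log review, not a closed case.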
Building an internal reporting culture
One of the strongest detection mechanisms available to any organization is its employees. Unfortunately, many users hesitate to report suspicious messages because they fear embarrassment or criticism.
Organizations should encourage reporting without assigning blame. Employees who report suspicious activity quickly provide investigators with valuable time. A user who says, “I think I clicked something suspicious,” may save the organization from a far more serious compromise.
Creating a culture where reporting is rewarded rather than punished significantly improves detection capabilities.
What investigators should be looking for
When phishing activity is identified, investigators should move beyond the question of whether someone clicked.
The more important questions include:
- Was access obtained?
- What data was exposed?
- Which business relationships were targeted?
- Did the attack spread to vendors or customers?
- Is the infrastructure linked to other campaigns?
- Are additional compromised accounts present?
Answering these questions requires a combination of technical analysis, log review, threat intelligence, and investigative techniques. Organizations that focus solely on remediation often miss opportunities to understand the broader scope of an attack.
Where specialized investigation adds value
Many businesses possess the technical tools required to identify phishing incidents. Fewer organizations possess the resources needed to fully investigate them.
Understanding how an attacker selected targets, what infrastructure was used, whether external parties were affected, and whether the incident is connected to larger campaigns often requires additional expertise.
This is where cybersecurity investigation, OSINT analysis, and digital intelligence gathering become particularly valuable. Effective investigations do more than confirm what happened. They help organizations understand exposure, assess risk, and strengthen future defences.
What's next?
Early detection is rarely about identifying a single indicator. It is about recognizing a pattern. A suspicious email. An unusual login. A new forwarding rule. An unexpected file download. Individually, these events may seem insignificant. Together, they often reveal an attack in progress.
In the next article, we will examine what organizations should do when detection comes too late and employees have already clicked the link. We will walk through the critical first hours of incident response and discuss how organizations can contain damage before a phishing attack evolves into a full-scale compromise.