T The Triage ManualTechnical Guides for IT Emergencies
P2 · Cyber Incident Response

Phishing Response and Account Compromise Containment — Microsoft 365 / Entra ID

Users report phishing emails or unusual sign-in activity indicating potential credential theft, session token hijack (AiTM/EvilProxy), or OAuth consent abuse in Microsoft 365. Containment requires immediate password reset, refresh token revocation, MFA re-registration, removal of attacker-created inbox rules and forwarding, and revocation of illicit OAuth grants. Purge the phishing message tenant-wide via Threat Explorer, then investigate blast radius through unified audit logs and Entra ID sign-in logs. This entry supplements bec-mailbox-compromise with broader phishing triage covering initial report through remediation.

Indicators

Likely causes

Diagnostic steps

  1. Obtain the original suspicious message with full headers. Do not click links. Have the user submit via the Report Phishing button in Outlook, or export as .eml/.msg and attach to the incident ticket.
    Preserves evidence and provides sender IP, SPF/DKIM/DMARC results, and routing path for analysis.
  2. In Microsoft 365 Defender > Threat Explorer, search for all recipients of the message by subject, sender, or URL. Filter last 7–30 days.
    Determines campaign blast radius and identifies other affected users needing remediation.
  3. Review Entra ID sign-in logs for the suspect user (last 7 days). Filter on successful interactive and non-interactive sign-ins. Look for unusual IP, ASN, country, client app, or 'Session ID' reuse from multiple IPs (token replay indicator).
    Confirms whether stolen credentials or session tokens were actually used by an attacker.
  4. Inspect mailbox inbox rules for anomalies: Get-InboxRule -Mailbox user@contoso.com | Format-List Name,Enabled,Description,ForwardTo,RedirectTo,DeleteMessage,MoveToFolder,SubjectContainsWords
    Attackers commonly create hidden rules with single-character names or empty names to hide replies from the victim and exfiltrate mail.
  5. Check mailbox-level forwarding: Get-Mailbox user@contoso.com | Select ForwardingAddress,ForwardingSmtpAddress,DeliverToMailboxAndForward
    Detects SMTP forwarding used to exfiltrate mail to external addresses independent of inbox rules.
  6. Search unified audit log for the user over last 30 days: Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds user@contoso.com -ResultSize 5000 | Export-Csv audit.csv
    Reveals MailItemsAccessed, Send, New-InboxRule, Set-Mailbox, Add-MailboxPermission, and Consent to application events tied to compromise.
  7. In Entra ID > Enterprise applications, filter for apps consented in the last 30 days. Review permissions (particularly Mail.*, offline_access, Files.*, User.Read.All) and publisher verification status.
    Identifies OAuth consent phishing that grants persistent access surviving password resets.
  8. Check the user's registered authentication methods in Entra ID > Users > Authentication methods for unexpected phone numbers or Authenticator app registrations.
    Attackers often add their own MFA method to establish persistence and defeat subsequent password resets.

Resolution path

Prevention

Tools

References

phishingaccount-compromisemicrosoft-365exchange-onlineentra-idazure-adincident-responsemfaoauth-consentaitmtoken-theftemail-security