Phishing Response and Account Compromise Containment — Microsoft 365 / Entra ID
Users report phishing emails or unusual sign-in activity indicating potential credential theft, session token hijack (AiTM/EvilProxy), or OAuth consent abuse in Microsoft 365. Containment requires immediate password reset, refresh token revocation, MFA re-registration, removal of attacker-created inbox rules and forwarding, and revocation of illicit OAuth grants. Purge the phishing message tenant-wide via Threat Explorer, then investigate blast radius through unified audit logs and Entra ID sign-in logs. This entry supplements bec-mailbox-compromise with broader phishing triage covering initial report through remediation.
Indicators
- User reports suspicious email with unexpected links, attachments, QR codes, or urgent credential/payment requests
- Entra ID sign-in logs show impossible travel, unfamiliar ASN, anonymous IP (Tor/VPN), or unusual client app (e.g. 'PowerShell', 'Unknown')
- Inbox rules present that auto-forward, auto-delete, or move mail to obscure folders (RSS Subscriptions, Conversation History, Notes)
- Outbound spam or internal phishing sent from a legitimate user mailbox
- MFA prompts appearing to the user that they did not initiate (MFA fatigue / push bombing)
- Mailbox audit log shows MailItemsAccessed or Send events from unexpected IPs, or Add-MailboxPermission events
- Multiple users report the same message — indicates broader campaign
- New enterprise application consent granted by a non-admin user with Mail.Read, Mail.ReadWrite, or offline_access scopes
Likely causes
- Credential theft via AiTM proxy (EvilProxy, Evilginx) capturing username, password, and session cookie in real time — bypasses standard MFA
- Password spray or brute force against an account without MFA or with weak legacy auth still enabled
- OAuth consent phishing — user grants a malicious enterprise app persistent mailbox/Graph access, surviving password reset
- Infostealer malware on endpoint (RedLine, Lumma, StealC) exfiltrating browser session cookies
- Legitimate compromised third-party sender used as trusted relay for internal phishing
- EOP / MDO bypass via URL cloaking, HTML smuggling, QR code phishing (quishing), or attachment inside password-protected archive
Diagnostic steps
-
Obtain the original suspicious message with full headers. Do not click links. Have the user submit via the Report Phishing button in Outlook, or export as .eml/.msg and attach to the incident ticket.Preserves evidence and provides sender IP, SPF/DKIM/DMARC results, and routing path for analysis.
-
In Microsoft 365 Defender > Threat Explorer, search for all recipients of the message by subject, sender, or URL. Filter last 7–30 days.Determines campaign blast radius and identifies other affected users needing remediation.
-
Review Entra ID sign-in logs for the suspect user (last 7 days). Filter on successful interactive and non-interactive sign-ins. Look for unusual IP, ASN, country, client app, or 'Session ID' reuse from multiple IPs (token replay indicator).Confirms whether stolen credentials or session tokens were actually used by an attacker.
-
Inspect mailbox inbox rules for anomalies: Get-InboxRule -Mailbox user@contoso.com | Format-List Name,Enabled,Description,ForwardTo,RedirectTo,DeleteMessage,MoveToFolder,SubjectContainsWordsAttackers commonly create hidden rules with single-character names or empty names to hide replies from the victim and exfiltrate mail.
-
Check mailbox-level forwarding: Get-Mailbox user@contoso.com | Select ForwardingAddress,ForwardingSmtpAddress,DeliverToMailboxAndForwardDetects SMTP forwarding used to exfiltrate mail to external addresses independent of inbox rules.
-
Search unified audit log for the user over last 30 days: Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds user@contoso.com -ResultSize 5000 | Export-Csv audit.csvReveals MailItemsAccessed, Send, New-InboxRule, Set-Mailbox, Add-MailboxPermission, and Consent to application events tied to compromise.
-
In Entra ID > Enterprise applications, filter for apps consented in the last 30 days. Review permissions (particularly Mail.*, offline_access, Files.*, User.Read.All) and publisher verification status.Identifies OAuth consent phishing that grants persistent access surviving password resets.
-
Check the user's registered authentication methods in Entra ID > Users > Authentication methods for unexpected phone numbers or Authenticator app registrations.Attackers often add their own MFA method to establish persistence and defeat subsequent password resets.
Resolution path
- Notify the user out-of-band (phone/SMS) that their account is being reset — do not use email.
- Reset the user's password to a strong random value and require change at next sign-in via Entra ID admin center or: Update-MgUser -UserId user@contoso.com -PasswordProfile @{ForceChangePasswordNextSignIn=$true; Password='<strong-random>'}
- Immediately revoke all refresh tokens and active sessions: Revoke-MgUserSignInSession -UserId user@contoso.com — this is critical after AiTM/token theft as password reset alone does not invalidate stolen session cookies.
- Remove any attacker-added authentication methods (phone, Authenticator, FIDO2 key) via Entra ID > Users > <user> > Authentication methods.
- Re-register MFA for the user; enforce phishing-resistant method (FIDO2 or Windows Hello) via Conditional Access where possible.
- Remove malicious inbox rules: Remove-InboxRule -Mailbox user@contoso.com -Identity '<RuleName>' -Confirm:$false
- Clear mailbox forwarding: Set-Mailbox user@contoso.com -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
- Review Entra ID > Enterprise applications; revoke consent for any illicit OAuth apps (Properties > Delete, or Users and groups > Remove user assignment). For tenant-wide malicious apps, disable sign-in and delete.
- In Threat Explorer, select the phishing message > Take action > Soft delete or Purge (hard delete) from all recipient mailboxes.
- Block sender domain, IP, URLs, and file hashes at Exchange Online Protection via Microsoft 365 Defender > Policies & rules > Tenant Allow/Block List.
- Trigger EDR full scan on user's endpoint via Defender for Endpoint; if infostealer is suspected, isolate the device (Actions > Isolate device) and rebuild.
- Notify security leadership; if PII/regulated data was accessed, initiate GDPR/breach notification workflow per organisational policy.
Prevention
- Enforce phishing-resistant MFA (FIDO2 security keys, Windows Hello, or certificate-based auth) via Conditional Access — mandatory for all privileged roles, strongly recommended for all users.
- Enable Microsoft Defender for Office 365 Safe Links and Safe Attachments policies with Zero-hour Auto Purge (ZAP) for both malware and phish.
- Configure DMARC with p=reject on all owned sending domains; enable Anti-spoofing and Impersonation protection (user and domain) in MDO anti-phishing policies.
- Restrict user consent for third-party apps to 'Allow user consent for apps from verified publishers, for selected permissions' or disable entirely (Entra ID > Enterprise applications > Consent and permissions).
- Disable legacy authentication (POP, IMAP, SMTP AUTH, Basic Auth) via Conditional Access 'Block legacy authentication' policy and per-mailbox Set-CASMailbox -SmtpClientAuthenticationDisabled $true.
- Deploy Continuous Access Evaluation (CAE) and token protection Conditional Access policies to reduce token replay attack window.
- Enable Entra ID Identity Protection risk-based Conditional Access to auto-remediate risky sign-ins and risky users.
- Run ongoing phishing simulation and awareness training via Attack Simulation Training in Defender for Office 365; target repeat clickers with additional training.
Tools
- Microsoft 365 Defender portal / Threat Explorer (phishing investigation, tenant-wide message remediation)
- Exchange Online PowerShell V3 (Get-InboxRule, Get-Mailbox, Search-Mailbox)
- Microsoft Graph PowerShell SDK (token revocation, password reset, OAuth grant management)
- Search-UnifiedAuditLog (Purview audit search)
- Microsoft Defender for Endpoint (device isolation, EDR forensics)
- MXToolbox / Microsoft Message Header Analyzer (SPF/DKIM/DMARC validation)
- Entra ID Sign-in logs and Risk detections (Identity Protection)