
How to Respond to a Phishing Attack: A Step-by-Step Incident Response Guide

Published 20 March 2026

Someone has clicked a phishing link or handed over their credentials to a fake login page. The report is on your desk. What you do in the next 60 minutes matters more than anything that comes after.

Phishing is consistently one of the most common initial access vectors in major incident reports. Most breaches do not start with a sophisticated zero-day; they start with someone clicking a convincing email. A documented response process that you can follow under pressure is what separates a contained incident from a full breach.


First 15 Minutes: Contain

🚨 Immediate Actions

Speed matters here. Every minute the account remains active is time an attacker can use to send more phishing emails from it, access SharePoint, read emails, or set up forwarding rules to exfiltrate data.

  1. Revoke all active sessions
     Go to Entra ID › Users › [User] › Revoke sessions, or run Revoke-MgUserSignInSession -UserId user@domain.com in Microsoft Graph PowerShell. This invalidates the account's refresh tokens, so neither the user nor an attacker holding their session can obtain new access tokens. Access tokens that were already issued keep working until they expire (typically up to an hour) unless the app supports Continuous Access Evaluation (Exchange Online, SharePoint and Teams do), so do not treat this step on its own as having ejected the attacker.
  2. Reset the password
     Reset the user's password immediately and require a change at next sign-in. Do not send the new password by email (the mailbox may be compromised) or to the user's own Teams chat (an attacker still holding a valid token could read it). Use a secure out-of-band channel: phone or in person.
  3. Enable MFA if not already active
     If the user did not have MFA, enforce it before they log back in. This is the point of failure: credentials alone were enough to authenticate. Fix that now. Also review the authentication methods registered on the account; attackers add their own phone number or authenticator app so they can pass MFA after you reset the password.
  4. Check for inbox rules and forwarding
     Attackers routinely set up forwarding rules or move-to-deleted rules to hide their activity and exfiltrate email. Check in Exchange Admin Centre › Mailboxes › [User] › Manage mailbox rules, or run Get-InboxRule -Mailbox user@domain.com -IncludeHidden in Exchange Online PowerShell (the -IncludeHidden switch shows rules created through MAPI that do not appear in Outlook or in the default listing). Mailbox-level forwarding is a separate setting, not an inbox rule: check it with Get-Mailbox user@domain.com | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward.
  5. Block the phishing domain/URL
     If you know the URL the email linked to, block it in the Defender portal under Policies & rules › Threat policies › Tenant Allow/Block Lists (URLs), or with New-TenantAllowBlockListItems -ListType Url -Block in Exchange Online PowerShell. This prevents the same link working if the phishing email reached other users.

Investigate the Scope

🔍 Investigation

Once the immediate containment steps are done, work out what actually happened and how far it spread.

Check sign-in logs

In the Entra ID sign-in logs (both the interactive and the non-interactive views), look for sign-ins from unusual locations, IP addresses, or at unusual times. Note any successful sign-ins that occurred after the phishing event: these indicate the attacker actually used the credentials, not just captured them. Do not assume MFA saved you. Adversary-in-the-middle phishing kits proxy the real login page and steal the session cookie, so a successful sign-in from an IP you do not recognise is still a compromise even if the log shows MFA as satisfied. Entra ID Protection risk detections (unfamiliar sign-in properties, anonymous IP address, atypical travel) are useful corroboration where you are licensed for them.

Check what was accessed

Use the Microsoft Purview Audit log (or Search-UnifiedAuditLog -UserIds user@domain.com in Exchange Online PowerShell) to see what the account accessed after the compromised sign-in. Events can take a few hours to appear, so re-run the search later in the day. Look for:

  • SharePoint file downloads or access
  • Email reads (particularly looking for finance, HR, or executive emails)
  • Teams messages sent
  • New forwarding rules created
  • New app permissions granted (OAuth apps)
  • Any admin actions if the user held admin privileges

Check if phishing spread

Run a message trace in Exchange Admin Centre (or Get-MessageTrace, superseded by Get-MessageTraceV2 in newer versions of the Exchange Online module) to see whether the compromised account sent emails to other users in the organisation, or to external contacts, during the attack window. Message trace covers the last 10 days; older activity needs a historical search. If it did send phishing onward, you may have secondary compromises to deal with, and each recipient who clicked needs the same containment steps.
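The three investigation checks above in one script, added here as an example and not code from the original post. It pulls the user's sign-ins from Microsoft Graph (Get-MgAuditLogSignIn), flags successful sign-ins from IP addresses the account had not used in the preceding 30 days, filters the unified audit log for the operations listed above, and counts message-trace recipients. The UPN, the attack window, the 30-day baseline and the regular expression of "interesting" operations are assumptions to adapt.

```powershell
# Added example (not from the original post): scope a compromised M365 account over an
# assumed attack window. Modules: Microsoft.Graph, ExchangeOnlineManagement
$Upn   = 'victim@contoso.example'    # assumed: the compromised account
$Start = (Get-Date).AddDays(-3)      # assumed: time of the phishing email
$End   = Get-Date

Connect-MgGraph -Scopes @('AuditLog.Read.All', 'Directory.Read.All') | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# --- Sign-ins: compare the attack window with the 30 days before it (default log retention
#     with Entra ID P1/P2). The Graph filter returns interactive sign-ins; check the
#     non-interactive view in the portal as well.
$baselineIso = $Start.AddDays(-30).ToUniversalTime().ToString('o')
$signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $baselineIso"
$before  = $signIns | Where-Object { $_.CreatedDateTime -lt $Start }
$during  = $signIns | Where-Object { $_.CreatedDateTime -ge $Start }
$knownIps = $before.IpAddress | Sort-Object -Unique
# Successful sign-ins from an IP never seen before the window. A row here with MFA shown as
# satisfied is the signature of a relayed (adversary-in-the-middle) session, not a clean bill.
$during | Where-Object { $_.Status.ErrorCode -eq 0 -and $_.IpAddress -notin $knownIps } |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        AppDisplayName, ClientAppUsed, AuthenticationRequirement, RiskLevelDuringSignIn |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# --- Unified audit log: mailbox changes, app consent, file access and onward sending decide
#     whether this is a credential loss or a breach. Events can lag by hours; re-run later.
$interesting = 'InboxRule|Set-Mailbox|Consent to application|app role assignment|' +
               'FileDownloaded|FileSync|MailItemsAccessed|^Send$|member to role|Update user'
$records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Upn `
    -ResultSize 5000 -SessionCommand ReturnLargeSet     # page with -SessionId if you hit 5000
$records | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.Operation -match $interesting } |
    Select-Object CreationTime, Operation, Workload, ClientIP, ObjectId |
    Sort-Object CreationTime | Format-Table -AutoSize

# --- Message trace: did the mailbox send phishing onward? Covers the last 10 days only.
#     Use Get-MessageTraceV2 where the module has it, otherwise the older Get-MessageTrace.
$traceCmd = if (Get-Command Get-MessageTraceV2 -ErrorAction SilentlyContinue) { 'Get-MessageTraceV2' }
            else { 'Get-MessageTrace' }
& $traceCmd -SenderAddress $Upn -StartDate $Start -EndDate $End |
    Group-Object RecipientAddress | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Treat the three outputs together: a novel IP in the sign-in list, a New-InboxRule or Consent to application entry in the audit log from the same ClientIP, and a burst of recipients in the trace is the usual shape of a compromised mailbox being used as a launch point. The ClientIP column in the audit records is what ties the attacker's actions back to the sign-in you found.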

🔴 Admin account compromised - escalate immediately
If the phishing victim holds admin privileges (Global Admin, Exchange Admin, Security Admin etc.), treat this as a critical incident. The attacker may have had access to your entire tenant. Engage your incident response process, notify relevant stakeholders, and consider whether tenant-wide credential resets are necessary. Check the Unified Audit Log for any admin actions taken during the compromise window: new users or role assignments, new app registrations or credentials added to existing apps, changed Conditional Access policies, and new transport rules are the persistence mechanisms to look for first, because they outlive a password reset.

Remediate

🛠️ Remediation
  • Delete any inbox rules created by the attacker, including hidden ones (Get-InboxRule -IncludeHidden), once they have been exported as evidence
  • Remove any OAuth apps the attacker granted permissions to (Entra ID › Enterprise applications, or the user's Applications page); consent grants survive a password reset and are a common way to keep mailbox access
  • Remove any email forwarding addresses set on the mailbox itself (ForwardingAddress and ForwardingSmtpAddress), which are separate from inbox rules
  • Remove any authentication methods the attacker registered on the account
  • Check the Sent Items and Deleted Items folders for any phishing emails sent from the account - notify recipients
  • If the user's device may have been affected (malware from the phishing link), isolate it in Defender for Endpoint and run a full scan or reimage
  • If data was exfiltrated, begin the process of assessing what was taken and whether it triggers data breach notification obligations (UK GDPR requires notification to the ICO within 72 hours if the breach is likely to result in risk to individuals)
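The OAuth consent and forwarding clean-up from the list above as a script, added here as an example and not code from the original post. It lists every delegated permission grant the user consented to (Get-MgUserOauth2PermissionGrant), resolves the app's display name, revokes grants that are not on an assumed allow-list, clears mailbox-level forwarding, and deletes the inbox rules that were disabled during containment. The UPN and the allow-list are assumptions; decide case by case rather than trusting a list you have not reviewed.

```powershell
# Added example (not from the original post): remediation steps for one compromised account.
# Modules: Microsoft.Graph, ExchangeOnlineManagement
$Upn         = 'victim@contoso.example'                 # assumed: the compromised account
$AllowedApps = @('Microsoft Teams', 'Outlook Mobile')   # assumed: apps users legitimately consent to

Connect-MgGraph -Scopes @('DelegatedPermissionGrant.ReadWrite.All',
                          'Application.Read.All', 'User.Read.All') | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# OAuth consent grants where the victim is the principal. Consent phishing, or consent granted
# by the attacker while logged in, gives an app mailbox access that a password reset does not
# remove. Revoking the grant stops new tokens; the earlier session revocation killed refresh tokens.
$grants = Get-MgUserOauth2PermissionGrant -UserId $Upn -All
foreach ($g in $grants) {
    $sp   = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    $line = '{0,-40} scope={1}' -f $sp.DisplayName, $g.Scope
    if ($sp.DisplayName -in $AllowedApps) {
        Write-Host "keep   $line"
        continue
    }
    Write-Warning "revoke $line"
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}

# Mailbox-level forwarding is a mailbox property, not an inbox rule: clear all three settings.
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null `
    -DeliverToMailboxAndForward $false

# Inbox rules disabled during containment have been exported as evidence; now delete them.
Get-InboxRule -Mailbox $Upn -IncludeHidden | Where-Object { -not $_.Enabled } |
    ForEach-Object {
        Write-Warning "Removing inbox rule '$($_.Name)'"
        Remove-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false
    }
```

Grants whose Scope contains Mail.Read, Mail.ReadWrite, Mail.Send or offline_access deserve the closest look: offline_access is what lets an app refresh its token without the user present. Application permissions (granted tenant-wide by an admin rather than by the user) are not returned by this query and are checked under the enterprise application's Permissions page.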

Communicate

💬 Communication

Communicate clearly with three audiences:

The affected user: Explain what happened, what you have done, and what they need to do. Do not make them feel blamed - phishing emails are designed by professionals to be convincing. Give them practical advice on what to watch out for going forward.

The wider organisation: If the phishing email reached multiple people, send a brief warning to the whole organisation with a screenshot of the email (if safe to share) and instructions to report any similar emails without clicking. Awareness in the moment of an active campaign is more effective than general training.

Management/legal: If data was potentially accessed or exfiltrated, escalate to management and legal counsel. Data breach notification timelines (72 hours to ICO under UK GDPR) start from when you become aware of a breach, not when you finish investigating.

Recover and Harden

🔒 Hardening

Before closing the incident, address the gaps that allowed it to happen:

  • If the user did not have MFA, enforce it now - for them and for anyone else without it. Push and one-time-code MFA can be relayed by adversary-in-the-middle phishing kits, so for admins at least consider phishing-resistant methods (FIDO2 security keys or passkeys, enforced through a Conditional Access authentication strength)
  • If the phishing email bypassed your spam filter, review your Defender for Office 365 anti-phishing and Safe Links policies
  • If the user was able to sign in from an unusual country or IP, consider adding a Conditional Access policy to block sign-ins from locations you have no business reason to accept, and block legacy authentication protocols, which cannot enforce MFA at all
  • Review whether the user's permissions were appropriate - principle of least privilege means a compromised account should have limited blast radius
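The MFA and location controls from the hardening list as Conditional Access policies, added here as an example and not code from the original post. It creates a country named location (New-MgIdentityConditionalAccessNamedLocation) and two policies (New-MgIdentityConditionalAccessPolicy) in report-only mode, so you can read the sign-in log's report-only results before enforcing them. The country codes, the break-glass group ID and the policy names are assumptions; always exclude your emergency-access accounts before enabling a block policy.

```powershell
# Added example (not from the original post): Conditional Access hardening in report-only mode.
# Module: Microsoft.Graph
Connect-MgGraph -Scopes @('Policy.ReadWrite.ConditionalAccess',
                          'Policy.Read.All', 'Application.Read.All') | Out-Null

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'  # assumed: group of emergency-access accounts
$BlockedCountries  = @('KP', 'RU')                           # assumed: ISO 3166-1 alpha-2 codes

# Named location covering the countries, plus sign-ins whose country cannot be determined.
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'IR: blocked countries'
    countriesAndRegions               = $BlockedCountries
    includeUnknownCountriesAndRegions = $true
}

# Conditions shared by both policies: all users except break-glass, all cloud apps.
$common = @{
    users        = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
    applications = @{ includeApplications = @('All') }
}

# Policy 1: block sign-ins from the named location.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'IR: block sign-ins from blocked countries'
    state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
    conditions    = $common + @{
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
} | Out-Null

# Policy 2: require MFA for every user on every app. 'all' client app types also covers
# legacy authentication clients, which cannot satisfy MFA and are therefore blocked.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'IR: require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = $common + @{ clientAppTypes = @('all') }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
} | Out-Null
```

Leave both policies in report-only mode for a few days and review the "Report-only" tab on sign-in log entries: it shows which sign-ins would have been blocked or prompted, which is how you catch a VPN exit node or a travelling director before the policy locks them out. For phishing-resistant MFA, replace builtInControls with an authenticationStrength reference to the built-in "Phishing-resistant MFA" strength in the same grantControls block.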

Post-Incident Review

📄 Review

Run a brief post-incident review within a week of the event. The goal is not to assign blame but to identify what can be improved. Cover:

  • What was the initial attack vector and how did the email reach the user?
  • How was the incident detected and how long before IT was notified?
  • How quickly were containment steps completed?
  • What data, if any, was accessed or exfiltrated?
  • What controls failed and what changes will prevent recurrence?

📄 Document your response playbook
The worst time to figure out your incident response process is during an incident. Write a one-page phishing response playbook before you need it. Include contact details for relevant stakeholders, the exact steps to take, and who has authority to make containment decisions. A checklist you can follow under pressure is worth more than a comprehensive plan you have to read.