Introduction
Phishing attacks are one of the most common cybersecurity threats that IT administrators face. A single click on a malicious email link can lead to credential theft, data exfiltration, or malware infections.
This guide provides a step-by-step approach to investigating and securing a potentially compromised account in Microsoft 365 using PowerShell and the Microsoft Security Portal.
🔹 Immediate Response: Isolate & Secure the Affected Account and Computer
Before investigating, act fast to contain the damage:
1️⃣ Isolate the computer from the network (unplug Ethernet, disable Wi-Fi, or use device isolation in Defender for Endpoint if you have it). Do not power it off yet: a shutdown destroys volatile evidence (running processes, memory, active network connections) that you may need later, and network isolation cuts the attacker off just as effectively.
2️⃣ Reset the password for the affected user.
3️⃣ Revoke all active sessions and refresh tokens so an attacker holding a stolen token is logged out as well.
4️⃣ Reset the user's MFA methods in case the attacker registered a device or phone number of their own.
PowerShell Command to Revoke Sessions:
```powershell
Revoke-AzureADUserAllRefreshToken -ObjectId "[email protected]"
```
Reset MFA to Prevent Unauthorized Re-Login:
```powershell
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName "[email protected]"
```
⚠️ The AzureAD and MSOnline modules these two cmdlets come from are deprecated and being retired, so use the Microsoft Graph PowerShell SDK going forward. The session-revocation equivalent is Revoke-MgUserSignInSession -UserId "[email protected]" (Microsoft.Graph.Users.Actions). There is no single Graph cmdlet that resets MFA: list the user's registered methods with Get-MgUserAuthenticationMethod -UserId "[email protected]", remove each one with the matching cmdlet (for example Remove-MgUserAuthenticationPhoneMethod or Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod), and have the user re-register.
🔹 Step 1: Check for Unauthorized Sign-ins in Microsoft Entra ID (formerly Azure AD)
Use the Entra ID sign-in logs to look for suspicious authentication activity for the affected user, starting from well before the phishing email arrived.
PowerShell Command to Retrieve Sign-in Logs:
```powershell
# AzureADPreview module (deprecated). errorCode is numeric, so compare it with 0, not '0'.
Connect-AzureAD
Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq '[email protected]' and status/errorCode ne 0"
# Microsoft Graph equivalent (Microsoft.Graph.Reports); needs AuditLog.Read.All and Directory.Read.All.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '[email protected]'" -All
```
✅ Alternative:
- Go to the Microsoft Entra admin center (or the Azure portal)
- Navigate to: Identity > Monitoring & health > Sign-in logs, and filter by the user
The Microsoft Defender portal surfaces alerts and incidents built from these events, but the complete sign-in logs live in Entra ID.
🔍 Red Flags:
🚩 Logins from unexpected locations, IP addresses, or devices
🚩 Multiple failed MFA attempts, or an MFA prompt approved from an unfamiliar device (MFA fatigue)
🚩 Impossible travel (e.g., two successful logins from different continents within minutes)
🚩 A successful sign-in (errorCode 0) from a suspicious IP right after a run of failures: filtering on failures alone hides the one that worked
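The two log-based red flags above can be checked mechanically. The following is an added example, not code from the original post: it takes a batch of sign-in records, groups them per user, flags consecutive successful sign-ins whose implied travel speed exceeds an airliner's, and counts MFA failures (Entra error code 500121). The records are constructed sample data with made-up names, IPs and coordinates; with real data you would flatten Get-MgAuditLogSignIn output (CreatedDateTime, Location.GeoCoordinates, Status.ErrorCode) into the same fields.

```powershell
# Added example (not from the original post): flag impossible travel and repeated MFA
# failures in a batch of sign-in records. Sample data below is constructed.

function Get-DistanceKm {
    # Haversine great-circle distance between two latitude/longitude points.
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    $toRad = [math]::PI / 180
    $dLat  = ($Lat2 - $Lat1) * $toRad
    $dLon  = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Pow([math]::Sin($dLat / 2), 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) * [math]::Pow([math]::Sin($dLon / 2), 2)
    return 2 * 6371.0 * [math]::Asin([math]::Sqrt($a))
}

function Find-SuspiciousSignIns {
    param(
        [Parameter(Mandatory)] [object[]]$SignIns,
        [double]$MaxSpeedKmh = 900,     # faster than an airliner counts as impossible travel
        [int]$MfaFailureThreshold = 3   # this many MFA failures for one user is worth a look
    )
    $findings = @()
    foreach ($group in ($SignIns | Group-Object UserPrincipalName)) {
        $events = @($group.Group | Sort-Object CreatedDateTime)

        # Impossible travel: compare each successful sign-in with the previous successful one.
        $ok = @($events | Where-Object { $_.ErrorCode -eq 0 })
        for ($i = 1; $i -lt $ok.Count; $i++) {
            $prev = $ok[$i - 1]; $cur = $ok[$i]
            $km    = Get-DistanceKm $prev.Latitude $prev.Longitude $cur.Latitude $cur.Longitude
            $hours = ($cur.CreatedDateTime - $prev.CreatedDateTime).TotalHours
            if ($hours -le 0 -or $km -lt 100) { continue }   # same place or same timestamp
            $speed = $km / $hours
            if ($speed -gt $MaxSpeedKmh) {
                $findings += [pscustomobject]@{
                    User   = $group.Name
                    Flag   = 'ImpossibleTravel'
                    Detail = '{0} -> {1}: {2:N0} km in {3:N1} h ({4:N0} km/h)' -f $prev.City, $cur.City, $km, $hours, $speed
                }
            }
        }

        # Repeated MFA failures: Entra error 500121 = strong authentication request failed.
        $mfaFails = @($events | Where-Object { $_.ErrorCode -eq 500121 }).Count
        if ($mfaFails -ge $MfaFailureThreshold) {
            $findings += [pscustomobject]@{
                User   = $group.Name
                Flag   = 'RepeatedMfaFailure'
                Detail = "$mfaFails failed MFA challenges; check whether a success from the same IP follows"
            }
        }
    }
    return $findings
}

# Constructed sample: a normal office sign-in, a sign-in from another continent 30 minutes
# later, then three failed MFA prompts from that location. Everything here is made up.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; CreatedDateTime = [datetime]'2025-01-10T08:00:00Z'; City = 'Manila';   Latitude = 14.60; Longitude = 120.98; IpAddress = '203.0.113.10'; ErrorCode = 0 }
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; CreatedDateTime = [datetime]'2025-01-10T08:30:00Z'; City = 'New York'; Latitude = 40.71; Longitude = -74.01;  IpAddress = '198.51.100.7'; ErrorCode = 0 }
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; CreatedDateTime = [datetime]'2025-01-10T08:35:00Z'; City = 'New York'; Latitude = 40.71; Longitude = -74.01;  IpAddress = '198.51.100.7'; ErrorCode = 500121 }
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; CreatedDateTime = [datetime]'2025-01-10T08:36:00Z'; City = 'New York'; Latitude = 40.71; Longitude = -74.01;  IpAddress = '198.51.100.7'; ErrorCode = 500121 }
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; CreatedDateTime = [datetime]'2025-01-10T08:38:00Z'; City = 'New York'; Latitude = 40.71; Longitude = -74.01;  IpAddress = '198.51.100.7'; ErrorCode = 500121 }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   CreatedDateTime = [datetime]'2025-01-10T09:00:00Z'; City = 'Manila';   Latitude = 14.60; Longitude = 120.98; IpAddress = '203.0.113.11'; ErrorCode = 0 }
)

Find-SuspiciousSignIns -SignIns $sample | Format-Table -AutoSize
```

The speed threshold is deliberately generous: VPN exits and mobile carrier geolocation produce false "jumps" of a few hundred kilometres, so the 100 km floor and 900 km/h ceiling keep those out while still catching a sign-in that would have required crossing an ocean in half an hour.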
🔹 Step 2: Investigate Phishing Emails Across the Organization
If the attacker used the compromised mailbox to send phishing emails to other employees, run a Content Search (Purview compliance search) to find every mailbox that received them. Scope the query to the actual campaign (sender, subject, date range, attachment name): a query such as has:attachment OR has:link matches nearly every message in the tenant, and purging on it would delete legitimate mail.
PowerShell Command to Search All Mailboxes for the Phishing Campaign:
```powershell
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)
New-ComplianceSearch -Name "CompanyPhishingScan" -ExchangeLocation All -ContentMatchQuery '(from:"[email protected]") AND (subject:"<phishing subject>") AND (received>=<yyyy-MM-dd>)'
Start-ComplianceSearch -Identity "CompanyPhishingScan"
```
Check Results:
```powershell
Get-ComplianceSearch -Identity "CompanyPhishingScan" | Select Name, Status, Items   # wait until Status is Completed
New-ComplianceSearchAction -SearchName "CompanyPhishingScan" -Preview                   # review the hits before deleting anything
```
If Phishing Emails Are Found, Remove Them:
```powershell
New-ComplianceSearchAction -SearchName "CompanyPhishingScan" -Purge -PurgeType SoftDelete
```
🚨 SoftDelete moves the messages to the Recoverable Items folder, where they can still be restored; use HardDelete only if the emails must be permanently removed. Each purge action removes at most 10 items per mailbox, so repeat it for large campaigns. A purge only clears mailboxes: it does not undo clicks that already happened, so also check who clicked (Threat Explorer / URL protection report in the Defender portal, if licensed) and treat those users as potentially compromised too.
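Because the purge is destructive, it is worth putting a guard in front of it. The following is an added example, not code from the original post: a query builder that refuses to produce a Content Search query with no sender/subject/attachment term or no lower date bound, plus the real search, wait, preview and purge cmdlet sequence wrapped in a function that honours -WhatIf and -Confirm. Only the builder runs at the bottom; Invoke-PhishingMailPurge needs an active Connect-IPPSSession session. The campaign details (sender, subject, dates) are made-up placeholders.

```powershell
# Added example (not from the original post): scoped Content Search query plus a guarded
# search -> review -> purge sequence. Campaign details below are placeholders.

function New-PhishSearchQuery {
    # Returns a KQL string for New-ComplianceSearch -ContentMatchQuery. Throws if the query has
    # no sender/subject/attachment term or no lower date bound, because a purge on a query like
    # "has:attachment OR has:link" would hit legitimate mail tenant-wide.
    param(
        [string[]]$Sender,
        [string]$Subject,
        [string]$AttachmentName,
        [datetime]$ReceivedAfter,
        [datetime]$ReceivedBefore
    )
    $clean = { param($s) $s -replace '["()]', '' }   # strip characters that would break KQL quoting
    $parts = @()
    if ($Sender)         { $parts += '(' + (($Sender | ForEach-Object { 'from:"{0}"' -f (& $clean $_) }) -join ' OR ') + ')' }
    if ($Subject)        { $parts += 'subject:"{0}"' -f (& $clean $Subject) }
    if ($AttachmentName) { $parts += 'attachmentnames:"{0}"' -f (& $clean $AttachmentName) }
    if ($PSBoundParameters.ContainsKey('ReceivedAfter'))  { $parts += 'received>={0:yyyy-MM-dd}' -f $ReceivedAfter }
    if ($PSBoundParameters.ContainsKey('ReceivedBefore')) { $parts += 'received<={0:yyyy-MM-dd}' -f $ReceivedBefore }

    if (-not ($Sender -or $Subject -or $AttachmentName)) {
        throw 'Refusing to build a query with no sender, subject or attachment term.'
    }
    if (-not $PSBoundParameters.ContainsKey('ReceivedAfter')) {
        throw 'Refusing to build a query with no lower date bound.'
    }
    return $parts -join ' AND '
}

function Invoke-PhishingMailPurge {
    # Real Security & Compliance cmdlet sequence; the purge step is gated by -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Query,
        [ValidateSet('SoftDelete', 'HardDelete')] [string]$PurgeType = 'SoftDelete'
    )
    New-ComplianceSearch -Name $Name -ExchangeLocation All -ContentMatchQuery $Query | Out-Null
    Start-ComplianceSearch -Identity $Name
    do {
        Start-Sleep -Seconds 15
        $search = Get-ComplianceSearch -Identity $Name
    } while ($search.Status -ne 'Completed')
    Write-Host ("Search '{0}' matched {1} item(s)" -f $Name, $search.Items)
    if ($search.Items -eq 0) { return }
    New-ComplianceSearchAction -SearchName $Name -Preview | Out-Null   # look at the hits before purging
    if ($PSCmdlet.ShouldProcess("$($search.Items) item(s) in search $Name", "Purge ($PurgeType)")) {
        # Each purge action removes at most 10 items per mailbox; re-run for larger campaigns.
        New-ComplianceSearchAction -SearchName $Name -Purge -PurgeType $PurgeType -Confirm:$false
    }
}

# Scoped query for a made-up campaign; this string is what goes into -ContentMatchQuery.
$query = New-PhishSearchQuery -Sender 'billing@phish.example' -Subject 'Invoice overdue' `
                              -ReceivedAfter '2025-01-09' -ReceivedBefore '2025-01-11'
$query

# A query with only a date bound is rejected:
try { New-PhishSearchQuery -ReceivedAfter '2025-01-09' } catch { "Rejected: $_" }

# Live run (needs Connect-IPPSSession). -WhatIf reports what would be purged without doing it:
# Invoke-PhishingMailPurge -Name 'CompanyPhishingScan' -Query $query -WhatIf
```

Run the live function with -WhatIf first, then with -Confirm, so the purge never happens on a query nobody has read. The 15-second poll and the 10-items-per-mailbox limit are service behaviour, not tunables of the example.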
🔹 Step 3: Check & Remove Hidden Forwarding Rules
Attackers often set up automatic forwarding so they keep receiving the victim's mail after the password is reset. There are two places to look: mailbox-level forwarding (ForwardingAddress / ForwardingSmtpAddress) and inbox rules, which attackers also use to delete or file away replies and security notices so the user never sees them. Check both (after Connect-ExchangeOnline), and check every mailbox in the tenant, not only the one that was phished.
Check for Forwarding Rules:
```powershell
Get-Mailbox -Identity "[email protected]" | Select ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-InboxRule -Mailbox "[email protected]" | Select Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder
```
Disable Auto-Forwarding if Found:
```powershell
Set-Mailbox -Identity "[email protected]" -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
Remove-InboxRule -Mailbox "[email protected]" -Identity "<rule name>"   # or Disable-InboxRule to keep the rule as evidence
```
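Reading rules by eye does not scale across a tenant, so here is an added example, not code from the original post, that scores inbox rules for the shapes attackers typically leave behind: forwarding or redirecting to an address outside the tenant, deleting matches, filing them into folders nobody opens (RSS Feeds, Archive, Conversation History), keying on words like "password" or "invoice", and throwaway names such as ".". The rule objects are constructed to look like Get-InboxRule output; the tenant domain list is an assumption for the sample.

```powershell
# Added example (not from the original post): flag inbox rules with attacker-typical shapes.
# Rule objects below are constructed; in production pipe Get-InboxRule output into the function.

function Find-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$Rule,
        [string[]]$InternalDomains = @('example.com')   # assumption: the tenant's own domains
    )
    process {
        $reasons = @()

        # 1. Forwarding or redirecting outside the tenant. Get-InboxRule renders recipients as
        #    '"Display Name" [SMTP:user@domain]', so pull the address out with a regex.
        $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            if ("$t" -match '([\w.+-]+@[\w-]+(\.[\w-]+)+)') {
                $domain = ($Matches[1] -split '@')[-1]
                if ($InternalDomains -notcontains $domain.ToLower()) { $reasons += "forwards to external address $($Matches[1])" }
            }
        }

        # 2. Deleting mail, or filing it where the user will not look.
        if ($Rule.DeleteMessage) { $reasons += 'deletes matching messages' }
        if ("$($Rule.MoveToFolder)" -match 'RSS|Archive|Junk|Conversation History|Deleted') { $reasons += "moves mail to '$($Rule.MoveToFolder)'" }

        # 3. Hiding security or payment-related mail (often combined with MarkAsRead).
        $words = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) | Where-Object { $_ }
        if (($words -join ' ') -match 'password|mfa|security|hacked|phish|invoice|payment|wire|bank') {
            $reasons += "keys on sensitive words: $($words -join ', ')"
        }

        # 4. Throwaway names ('.', ',', '..') keep the rule from standing out in Outlook's list.
        if ("$($Rule.Name)".Trim() -match '^[\W_]{0,3}$') { $reasons += "rule name '$($Rule.Name)' looks deliberately inconspicuous" }

        if ($reasons) {
            [pscustomobject]@{ Name = $Rule.Name; Enabled = $Rule.Enabled; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample rules: one benign, two typical of a mailbox an attacker has been in.
$rules = @(
    [pscustomobject]@{ Name = 'Newsletters'; Enabled = $true; ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null; DeleteMessage = $false; MoveToFolder = 'Newsletters'; MarkAsRead = $false; SubjectContainsWords = @('newsletter'); BodyContainsWords = $null }
    [pscustomobject]@{ Name = '.'; Enabled = $true; ForwardTo = @('"Finance" [SMTP:finance-mirror@mailbox.example.net]'); ForwardAsAttachmentTo = $null; RedirectTo = $null; DeleteMessage = $true; MoveToFolder = $null; MarkAsRead = $false; SubjectContainsWords = $null; BodyContainsWords = $null }
    [pscustomobject]@{ Name = 'Security'; Enabled = $true; ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null; DeleteMessage = $false; MoveToFolder = 'RSS Feeds'; MarkAsRead = $true; SubjectContainsWords = @('password', 'unusual sign-in'); BodyContainsWords = $null }
)

$rules | Find-SuspiciousInboxRule -InternalDomains 'example.com' | Format-List

# With Exchange Online (Connect-ExchangeOnline), review one mailbox or the whole tenant:
# Get-InboxRule -Mailbox "user@example.com" | Find-SuspiciousInboxRule -InternalDomains 'example.com'
# Get-Mailbox -ResultSize Unlimited | ForEach-Object { Get-InboxRule -Mailbox $_.Identity | Find-SuspiciousInboxRule }
# Document a flagged rule, then Disable-InboxRule (keeps it as evidence) or Remove-InboxRule.
```

The heuristics are intentionally noisy: a genuine "Archive" rule will be flagged, and that is fine, because the output is a short list for a human to read, not an automatic delete. Pair it with the org-wide mailbox-forwarding check (Get-Mailbox -ResultSize Unlimited filtered on ForwardingSmtpAddress) so a tenant-wide sweep covers both mechanisms.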
🔹 Step 4: Scan the Compromised Computer Before Reconnecting
Since a phishing link was clicked, scan the system for malware before reconnecting it to the network. Microsoft Defender cannot download new definitions while the machine is isolated (Update-MpSignature needs network access), so check the definition age first and, if it is stale, apply Microsoft's offline definition update package from removable media. If the scan, Defender alerts, or the sign-in logs show that malware actually ran on the machine, reimaging is safer than cleaning.
Full Microsoft Defender Scan:
```powershell
Get-MpComputerStatus | Select AntivirusSignatureLastUpdated, AntivirusSignatureVersion   # are the definitions current?
Start-MpScan -ScanType FullScan
```
If Threats Are Found, Remove Them:
```powershell
Get-MpThreatDetection   # review what was found and where before removing it
Remove-MpThreat         # with no parameters, removes all active threats
```
For a Deep Rootkit Scan, Use Microsoft Defender Offline:
```powershell
Start-MpWDOScan
```
⚠️ This restarts the system and scans from a trusted environment before Windows boots, so save any open work first.
🔹 Step 5: Implement Long-Term Protection Measures
✅ Enable Safe Links & Safe Attachments in Microsoft Defender for Office 365
- Safe Links: rewrites URLs in email (and optionally Teams and Office documents) and checks them against threat intelligence at click time, so a link that turns malicious after delivery is still blocked.
- Safe Attachments: detonates email attachments in a sandbox before delivery and blocks those that behave maliciously.
Both require a Defender for Office 365 Plan 1 or Plan 2 license. The quickest route is to turn on the Standard or Strict preset security policy in the Defender portal; the cmdlets below set the equivalent options on a single policy. "Default" must be the name of an existing policy (list them with Get-SafeLinksPolicy / Get-SafeAttachmentPolicy) or one you create with New-SafeLinksPolicy / New-SafeAttachmentPolicy and a matching rule.
Enable Safe Links Policy:
```powershell
Set-SafeLinksPolicy -Identity "Default" -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false
```
Enable Safe Attachments Policy:
```powershell
Set-SafeAttachmentPolicy -Identity "Default" -Enable $true -Action Block
```
✅ Educate Users on Phishing Awareness
🔹 Enable the "Report Message" button in Outlook so employees can easily flag suspicious emails; reported messages land on the Submissions page in the Defender portal, where you can triage them and purge copies from other mailboxes.
🔹 Train employees to recognize phishing emails:
🚩 Unexpected links
🚩 Urgent language
🚩 Sender impersonation
🔍 Final Wrap-Up: Is the Account and System Secure?
✅ Account fully secured: no unexplained sign-ins remain in the logs, password reset, MFA re-registered, all active sessions revoked.
✅ Email threats removed: no phishing emails remain in any mailbox, no forwarding rules or inbox rules left behind.
✅ PC scanned and clean: no malware detected before reconnecting.
✅ Long-term protections enabled: Safe Links, Safe Attachments, user education.
✅ By following these steps, IT admins can quickly contain a phishing incident in Microsoft 365 and reduce the chance of the next one! 🚀
💬 What's Next?
How does your organization handle phishing attacks? Share your best practices in the comments below! ⬇️
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.