Introduction
Phishing attacks are one of the most common cybersecurity threats that IT administrators face. A single click on a malicious email link can lead to credential theft, data exfiltration, or malware infections.
This guide provides a step-by-step approach to investigating and securing a potentially compromised account in Microsoft 365 using PowerShell and the Microsoft Security Portal.
🔹 Immediate Response: Disconnect & Secure the Affected Computer
Before investigating, act fast to prevent further damage:
1️⃣ Shut down the compromised computer immediately.
2️⃣ Disconnect from the network (unplug Ethernet, disable Wi-Fi).
3️⃣ Reset the password for the affected user.
4️⃣ Revoke all active sessions to log out any potential attacker.
PowerShell Command to Revoke Sessions:
powershellCopyEditRevoke-AzureADUserAllRefreshToken -ObjectId "[email protected]"
Reset MFA to Prevent Unauthorized Re-Login:
powershellCopyEditReset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName "[email protected]"
🔹 Step 1: Check for Unauthorized Sign-ins in Azure AD
Use Azure AD Sign-in Logs to check for suspicious login attempts.
PowerShell Command to Retrieve Sign-in Logs:
powershellCopyEditConnect-AzureAD
Get-AzureADAuditSignInLogs -Filter "status/errorCode ne '0'"
✅ Alternative:
- Go to Microsoft Security Portal
- Navigate to: Azure AD Sign-in Logs
🔍 Red Flags:
🚩 Logins from unexpected locations or devices
🚩 Multiple failed MFA attempts
🚩 Impossible travel scenarios (e.g., two logins from different continents within minutes)
🔹 Step 2: Investigate Phishing Emails Across the Organization
If an attacker sent phishing emails to multiple employees, run a Compliance Search to identify all affected mailboxes.
PowerShell Command to Search All Mailboxes for Suspicious Emails:
powershellCopyEditNew-ComplianceSearch -Name "CompanyPhishingScan" -ExchangeLocation All -ContentMatchQuery 'has:attachment OR has:link'
Start-ComplianceSearch -Identity "CompanyPhishingScan"
Check Results:
powershellCopyEditGet-ComplianceSearch -Name "CompanyPhishingScan" | Select Name, Status, Items
If Phishing Emails Are Found, Remove Them:
powershellCopyEditNew-ComplianceSearchAction -SearchName "CompanyPhishingScan" -Purge -PurgeType SoftDelete
🚨 Use HardDelete only if emails must be permanently removed.
🔹 Step 3: Check & Remove Hidden Forwarding Rules
Attackers often set up automatic forwarding to steal emails.
Check for Forwarding Rules:
powershellCopyEditGet-Mailbox -Identity "[email protected]" | Select ForwardingAddress, ForwardingSmtpAddress
Disable Auto-Forwarding if Found:
powershellCopyEditSet-Mailbox -Identity "[email protected]" -ForwardingAddress $null -ForwardingSmtpAddress $null
🔹 Step 4: Scan the Compromised Computer Before Reconnecting
Since a phishing link was clicked, scan the system for malware before reconnecting to the network.
Offline Windows Defender Scan:
powershellCopyEditStart-MpScan -ScanType FullScan
If Threats Are Found, Remove Them:
powershellCopyEditRemove-MpThreat -AllThreats
For a Deep Rootkit Scan, Use Windows Defender Offline:
powershellCopyEditStart-MpWDOScan
✅ This will restart the system and scan before Windows boots.
🔹 Step 5: Implement Long-Term Protection Measures
✅ Enable Safe Links & Safe Attachments in Microsoft Defender
- Safe Links: Blocks phishing links before users click them.
- Safe Attachments: Scans email attachments for malware before delivery.
Enable Safe Links Policy:
powershellCopyEditSet-SafeLinksPolicy -Identity "Default" -EnableSafeLinks $true -TrackClicks $true
Enable Safe Attachments Policy:
powershellCopyEditSet-MalwareFilterPolicy -Identity "Default" -EnableSafeAttachmentsForMail $true
✅ Educate Users on Phishing Awareness
🔹 Enable the “Report Message” button in Outlook so employees can easily flag suspicious emails.
🔹 Train employees to recognize phishing emails:
✔ Unexpected links
✔ Urgent language
✔ Sender impersonation
🚀 Final Wrap-Up: Is the Account and System Secure?
✔ Account fully secured: No unauthorized logins, MFA reset, all active sessions revoked.
✔ Email threats removed: No phishing emails remain in any mailbox.
✔ PC scanned and clean: No malware detected before reconnecting.
✔ Long-term protections enabled: Safe Links, Safe Attachments, user education.
✅ By following these steps, IT admins can quickly contain and prevent phishing incidents in Microsoft 365! 🚀
💬 What’s Next?
How does your organization handle phishing attacks? Share your best practices in the comments below! ⬇️
© 2012–2025 Jet Mariano. All rights reserved.
For usage terms, please see the Legal Disclaimer.