Security moment
A Microsoft 365 account was compromised.
Here's your first hour.
Resetting the password is not enough — modern attackers keep access through tokens, OAuth apps, and inbox rules. Here's the checklist we use in real incidents. Free to follow, no signup required.
Get incident help now See the checklist
Active breach? Call ThreeShield: 1-403-538-5053
The first hour
1. Revoke sessions and refresh tokens — not just the password
Reset the password, then immediately revoke all active sessions and refresh tokens for the user in Entra ID. Attackers who phished a session cookie stay signed in right through a password reset. Do both, in that order, before anything else.
2. Review OAuth application grants
Check the user's consented applications for anything granted recently — especially apps with mail read/send or offline access permissions. A malicious OAuth grant survives password resets and MFA. Revoke anything you don't recognize, and note the app ID for your timeline.
3. Hunt for inbox rules and forwarding
Look for rules that forward mail externally, or that move replies mentioning "invoice", "payment", or "wire" to RSS Feeds or Deleted Items. These hide the attacker's conversations from the real user. Check both Outlook rules and mailbox-level forwarding settings.
4. Force MFA re-registration
If the attacker had full account access, assume they registered their own authenticator or phone number. Require the user to re-register MFA and delete every existing method you can't personally verify belongs to them.
5. Scope the incident in the audit log
Pull the unified audit log for the account from the first suspicious sign-in onward. What did the attacker read, download, or share? Did they touch SharePoint or Teams? This determines whether you have a one-mailbox problem or a data-exposure problem — and whether you have notification obligations.
6. Check what the account sent — this is where the real damage is
Business email compromise pays for itself with one fraudulent invoice. Search sent mail (including deleted sent items) for messages about payments, banking changes, or gift cards. If any went out, call the recipients — phone, not email — and warn them before money moves.
Catch the next one in minutes, not weeks
M365 breach detection
Lavawall correlates risky sign-ins, new OAuth grants, MFA method changes, and inbox rule creation — every persistence trick in the checklist above — and alerts you when they happen.
Learn more →Phishing Reporter for Outlook
Most account takeovers start with a phish. One-click reporting for every employee, automatic analysis, and visibility into who else received the same campaign.
Learn more →Security awareness training
Short, real-world training that teaches people to spot the credential-harvesting pages and MFA-fatigue prompts that lead to takeovers like this one.
Learn more →Want a senior security person on this with you?
ThreeShield — the CISSP/CISA team that builds Lavawall — runs Microsoft 365 incident response and post-incident hardening: conditional access, OAuth app governance, and the settings that stop the next takeover. No retainer required for the first incident.
Common questions
- I reset the password. Is the attacker locked out?
- Not necessarily. A password reset does not invalidate active sessions or refresh tokens, and it does nothing about OAuth apps the attacker consented to. Revoke sessions and tokens, review OAuth grants, and require MFA re-registration before you consider the account clean.
- How do I know if the attacker committed payment fraud from the mailbox?
- Check Sent Items and Deleted Items, search the unified audit log for messages sent during the compromise window, and look for hidden inbox rules that moved replies out of sight. Then warn anyone the account emailed about banking or invoice changes — by phone.
- Can someone just run this incident with us?
- Yes — that's ThreeShield. One call, and the team that builds Lavawall works the incident with you.