📋 GRC compliance for CMMC 2.0, CPCSC, CPA Canada, IIROC…SaaS discovery for data governanceFree enriched web chat widget🚀 Enriched remote support without your laptop

Security moment

A Microsoft 365 account was compromised.
Here's your first hour.

Resetting the password is not enough — modern attackers keep access through tokens, OAuth apps, and inbox rules. Here's the checklist we use in real incidents. Free to follow, no signup required.

Get incident help now See the checklist

Active breach? Call ThreeShield: 1-403-538-5053

The first hour

1. Revoke sessions and refresh tokens — not just the password

Reset the password, then immediately revoke all active sessions and refresh tokens for the user in Entra ID. Attackers who phished a session cookie stay signed in right through a password reset. Do both, in that order, before anything else.

2. Review OAuth application grants

Check the user's consented applications for anything granted recently — especially apps with mail read/send or offline access permissions. A malicious OAuth grant survives password resets and MFA. Revoke anything you don't recognize, and note the app ID for your timeline.

3. Hunt for inbox rules and forwarding

Look for rules that forward mail externally, or that move replies mentioning "invoice", "payment", or "wire" to RSS Feeds or Deleted Items. These hide the attacker's conversations from the real user. Check both Outlook rules and mailbox-level forwarding settings.

4. Force MFA re-registration

If the attacker had full account access, assume they registered their own authenticator or phone number. Require the user to re-register MFA and delete every existing method you can't personally verify belongs to them.

5. Scope the incident in the audit log

Pull the unified audit log for the account from the first suspicious sign-in onward. What did the attacker read, download, or share? Did they touch SharePoint or Teams? This determines whether you have a one-mailbox problem or a data-exposure problem — and whether you have notification obligations.

6. Check what the account sent — this is where the real damage is

Business email compromise pays for itself with one fraudulent invoice. Search sent mail (including deleted sent items) for messages about payments, banking changes, or gift cards. If any went out, call the recipients — phone, not email — and warn them before money moves.

Catch the next one in minutes, not weeks

M365 breach detection

Lavawall correlates risky sign-ins, new OAuth grants, MFA method changes, and inbox rule creation — every persistence trick in the checklist above — and alerts you when they happen.

Learn more →

Phishing Reporter for Outlook

Most account takeovers start with a phish. One-click reporting for every employee, automatic analysis, and visibility into who else received the same campaign.

Learn more →

Security awareness training

Short, real-world training that teaches people to spot the credential-harvesting pages and MFA-fatigue prompts that lead to takeovers like this one.

Learn more →

Want a senior security person on this with you?

ThreeShield — the CISSP/CISA team that builds Lavawall — runs Microsoft 365 incident response and post-incident hardening: conditional access, OAuth app governance, and the settings that stop the next takeover. No retainer required for the first incident.

Common questions

I reset the password. Is the attacker locked out?
Not necessarily. A password reset does not invalidate active sessions or refresh tokens, and it does nothing about OAuth apps the attacker consented to. Revoke sessions and tokens, review OAuth grants, and require MFA re-registration before you consider the account clean.
How do I know if the attacker committed payment fraud from the mailbox?
Check Sent Items and Deleted Items, search the unified audit log for messages sent during the compromise window, and look for hidden inbox rules that moved replies out of sight. Then warn anyone the account emailed about banking or invoice changes — by phone.
Can someone just run this incident with us?
Yes — that's ThreeShield. One call, and the team that builds Lavawall works the incident with you.

Start M365 breach detection free