Security moment
Someone clicked a phishing link.
Breathe. Then do these five things.
Most phishing clicks are recoverable if you act in the first hour. Here's the checklist we use in real incidents — free to follow, no signup required.
Get incident help now See the checklist
Active breach? Call ThreeShield: 1-403-538-5053
The first hour
1. Don't wipe anything yet
Resist the urge to reimage the machine immediately — you may destroy the evidence that tells you whether credentials or sessions were stolen. Disconnect it from the network instead.
2. Reset the password and revoke sessions
A password reset alone does not log the attacker out. In Microsoft 365, revoke all active sessions and refresh tokens for the user. Modern phishing kits steal session cookies, not just passwords.
3. Check sign-in logs and OAuth grants
Look for sign-ins from unfamiliar locations and any new OAuth application consents in the minutes after the click. Attackers plant mail rules and app grants to keep access after you reset the password.
4. Check mailbox rules and forwarding
Hidden inbox rules that forward or delete mail are the most common persistence trick. Check the affected mailbox — then check the CFO's, because that's where attackers pivot.
5. Find out who else got the email
One click usually means twenty deliveries. Search for the sender and subject across all mailboxes and pull it before someone else clicks.
Stop playing whack-a-mole with the next one
Phishing Reporter for Outlook
When someone reports a suspicious email, Lavawall checks it immediately — the message, its PDFs and attachments, and every link, including links wrapped by spam filters like Proofpoint and Egress Defend — and tells them right there whether it's dangerous. No waiting, no ticket. Your helpdesk stops fielding "is this safe?" questions, you see everyone else who got the same message, and each report becomes a quick lesson for the sender. And when someone wants a human to double-check, ThreeShield's analysts review it — so your team can even take a vacation.
Learn more →M365 breach detection
Lavawall correlates risky sign-ins, OAuth grants, and mailbox rule changes — the exact persistence tricks from the checklist above — and alerts you when they happen.
Learn more →Security awareness training
Short, real-world training that turns the person who clicked into the person who reports. Bundled with the Phishing Reporter.
Learn more →Want a senior security person on this with you?
ThreeShield — the CISSP/CISA team that builds Lavawall — handles phishing incidents, M365 hardening, and post-incident reviews for lean IT teams. No retainer required for the first incident.
Common questions
- An employee clicked but didn't enter a password. Are we safe?
- Probably, but not certainly. Some phishing pages harvest session tokens or trigger OAuth consent without a password prompt. Check sign-in logs and recent OAuth grants before closing the incident.
- What does the Phishing Reporter cost?
- It's one Lavawall module — month-to-month, no minimums, free trial without a credit card. Most teams deploy to every mailbox in under an hour.
- Can someone just handle this for us?
- Yes — that's ThreeShield. One call, and the team that builds Lavawall runs the incident with you.