Recovering from Enterprise Phishing Attacks

Much has been written about what consumers should do if their home accounts get phished. But here’s a comprehensive list for recovering from enterprise phishing attacks. We include advice for all affected parties: users, IT admins, and Security leaders.

For the End User:

Immediately tell the IT department and share as much detail about your actions as possible.
If you use the same login ID or passwords on other Internet apps (i.e. personal email or work-related CRM or HR apps), then change passwords on those sites as well.
Alert your contact list about the message. Attackers usually launch more spam/phishing messages to all contacts. Each user who received the email should reset their password. If they went ahead and entered any login information, their acct has likely also been compromised.
Make sure that your backup contacts—the e-mail or phone number that the mail provider could use to contact you if it sees suspicious use of your account—are current. In Office 365, navigate to the “Additional Security Verification” page (https://account.activedirectory.windowsazure.com/Proofup.aspx) to ensure the attacker has not changed your cell phone #, locking you out of the Office 365 account. Hit the “Restore” button if it seems they have.
Check your Outlook rules for new or modified rules (File/Info/Rules and Alerts)
Check Outlook signature for changes and verify any hyperlinks are correct
Learn from the phishing incident and don’t take the bait no matter how tempting

For the IT Pro:

Isolate the impacted computer from network
Reset the user’s password
Enable the user for Multifactor Authentication (especially those in accts payable/execs)
Perform A/V anti-malware scan on the computer
Search for anomalous Sent and Deleted items in the affected inbox
Review modifications to mailbox, including rule changes, permissions changes, etc.
Investigate potential lateral movement within the network (if the attacker elevated to administrator privileges on the machine, confirm admin passwords are changed on servers)
Use the Office 365 compliance center to search/purge for that email in case others have it that you don’t know about. https://support.office.com/en-us/article/Search-for-and-delete-email-messages-in-your-Office-365-organization-Admin-Help-3526fd06-b45f-445b-aed4-5ebd37b3762a
Verify and/or update security and operating system updates
Review Event logs https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-sign-ins
Review autostart software/apps, using Sysmon from Sysinternals and investigate
If there’s any doubt if the computer has been compromised, reimage or redeploy
Review spam filters, malware filters, connectors, and transport rules for potential modifications to prevent future phish with similar characteristics
Verify and/or add SPF, DKIM, and DMARC DNS records and plan to set DMARC to p-reject
Keep all software up-to-date
Stay abreast of common threats, tools/techniques to combat phishing and ransomware
Take advantage of built-in Windows security tools like Windows Defender

For the Chief Security Officer:

Ensure the impacted users are provided with a debrief on what likely happened (many who have their accts compromised won’t admit to having been phished, but something happened)
Make other users aware of the current threat
Adjust training to include new lessons learned
Stay abreast of common threats, tools/techniques to combat phishing and ransomware
Support IT Pros in their efforts protect, detect, and respond with training, proper tools/licensing that meet your organizations business needs/requirements
Employ Microsoft or 3rd party SaaS security capabilities like Office 365 ATP, Advanced Threat Analytics, Windows Defender ATP to prevent, detect, and respond

To more proactively find and remediate phishing issues, see eGroup | Enabling Technologies’ ThreatHunter solution.

Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.

Chris Stegh

CTO & VP of Strategy - eGroup | Enabling Technologies

Managed IT Services

IT Management Solutions​

Cloud Management Solutions​

Backup & Disaster Recovery

Managed Security​

Accelerate with AI​

AI Solutions​

Generative AI​

Intelligent Analytics​

App Development

Strengthen Security

Data Security

Threat Detection & Response​

Risk Management

Secure Connectivity

SASE (Secure Access Service Edge)

Improve Collaboration​

Collaboration & Productivity

Unified Communications​

Modernize Infrastructure​

Hybrid Cloud

Networking

Data Center​

Data Protection​

Disaster Recovery

Drive Decisions with Data​

Data Architecture

Data Engineering

Insight & Analytics​

Optimize Cloud Operations​

Azure Infrastructure & Platforms​

Virtual Desktop​

Transform Your Business

Organizational Change Management​

Strategic Advisory Services​

Microsoft CSP Licensing

Quick Links

Our Strategic Advantage

Case Studies

AI Licensing Agent

Microsoft Marketplace

Schedule a Consultation

Support Hub

Submit a Support Request

Contact Us

Chris Stegh

Request Access to Win Wires

IT Management Solutions

Cloud Management Solutions

Managed Security

Accelerate with AI

AI Solutions

Generative AI

Intelligent Analytics

Threat Detection & Response

Improve Collaboration

Unified Communications

Modernize Infrastructure

Data Center

Data Protection

Drive Decisions with Data

Insight & Analytics

Optimize Cloud Operations

Azure Infrastructure & Platforms

Virtual Desktop

Organizational Change Management

Strategic Advisory Services