The phone call comes at different times. Sometimes it is a Monday morning when someone notices emails they never sent sitting in their outbox. Sometimes it is a Friday afternoon when a client calls asking about a wire transfer your firm never authorized. Sometimes it is a weekend, because attackers do not take weekends off.
What happens next matters more than most people realize. The decisions made in the first few hours after a Microsoft 365 breach are discovered directly determine how bad the outcome is — how much was accessed, how long the attacker was inside, whether the breach was isolated or has spread, and what the path to recovery looks like.
This is a walkthrough of what we actually do when we respond to a Microsoft 365 breach. Not a theoretical framework. Not a vendor whitepaper. What happens on a real engagement, hour by hour.
The first call is always triage. Before we touch anything inside your environment, we need to understand what you know, what you have already done, and what is still actively happening.
The questions we ask on that first call are not bureaucratic. They determine what we do first:
The answers to these questions shape everything that follows. If someone has already reset the compromised account password without preserving the session tokens, that changes what forensic data is still available. If there is an active wire transfer in flight, that becomes the immediate priority over everything else.
We get access to your Microsoft 365 tenant through the Security and Compliance portal, Entra ID, and the Microsoft 365 Defender console. We need Global Reader access at minimum, and Global Admin access if active containment is required. We start pulling sign-in logs, audit logs, and mailbox activity within minutes of getting credentials.
The most dangerous assumption you can make after discovering a compromised account is that only one account was compromised. In our experience, by the time an attacker is doing something visible — like sending fraudulent emails or creating inbox rules — they have often already been in the environment for days or weeks.
During the first few hours, we are trying to answer four questions:
Once we have enough of a picture of the scope, we move to containment. This means revoking active sessions on compromised accounts, removing malicious inbox rules, blocking attacker IP addresses where possible, disabling any OAuth applications the attacker may have registered, and beginning a guided credential reset process for affected accounts. We do this in a specific order to avoid tipping off an attacker who may still be watching.
Containment stops the bleeding. The investigation tells you how bad the wound was.
This is the part of incident response that most IT providers are not equipped to do. It requires access to Microsoft 365 audit logs at a level most organizations have never configured, knowledge of what attacker behavior actually looks like in those logs versus normal user activity, and time to work through thousands of events systematically.
What we are building during the investigation is an attacker timeline — a chronological reconstruction of everything the attacker did from the moment they first gained access to the moment they were contained. This timeline is not just for our own understanding. It is what your insurance carrier will ask for, what your attorney will need if there is a notification obligation, and what leadership needs to understand the full scope of the incident.
We work through the Microsoft 365 Unified Audit Log, Entra ID sign-in logs, mailbox audit logs, and where applicable, Microsoft Defender for Office 365 data. We pull this into a structured timeline and begin correlating attacker activity across accounts, timestamps, and IP addresses. When something does not add up — an action that happened before the first known sign-in, or activity from an IP we have not seen before — we dig deeper.
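As an added illustration of the correlation step described above (example code, not the firm's own tooling), this function takes rows in the shape returned by Search-UnifiedAuditLog, builds a per-user timeline, and flags the two inconsistencies named in the text: an action logged before that user's first known sign-in, and activity from an IP address that never appears in their sign-ins. The `$Records` array is a constructed sample; the user, timestamps and IP addresses in it are made up.

```powershell
function Build-AttackerTimeline {
    param(
        [Parameter(Mandatory)] [object[]] $Records,      # rows as returned by Search-UnifiedAuditLog
        [Parameter(Mandatory)] [string[]] $SuspectUsers  # UPNs believed compromised
    )
    # Each row carries its detail as a JSON string in the AuditData column.
    $events = foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            ClientIP  = $d.ClientIP
            Workload  = $d.Workload
        }
    }
    $events = $events | Where-Object { $SuspectUsers -contains $_.User } | Sort-Object Time
    $findings = foreach ($user in $SuspectUsers) {
        $mine       = $events | Where-Object User -eq $user
        $signins    = $mine | Where-Object Operation -eq 'UserLoggedIn'
        $knownIPs   = @($signins | Select-Object -ExpandProperty ClientIP -Unique)
        $firstLogin = ($signins | Select-Object -First 1).Time
        foreach ($e in $mine) {
            # 1. Activity with no sign-in before it: access pre-dates the log window
            #    or used a token the sign-in logs never recorded.
            if ($firstLogin -and $e.Time -lt $firstLogin -and $e.Operation -ne 'UserLoggedIn') {
                [pscustomobject]@{ Flag='BeforeFirstSignIn'; Time=$e.Time; User=$user; Op=$e.Operation; IP=$e.ClientIP }
            }
            # 2. Mailbox or admin activity from an IP that never authenticated as this user.
            if ($e.ClientIP -and $knownIPs -notcontains $e.ClientIP) {
                [pscustomobject]@{ Flag='UnseenIP'; Time=$e.Time; User=$user; Op=$e.Operation; IP=$e.ClientIP }
            }
        }
    }
    [pscustomobject]@{ Timeline = $events; Findings = $findings }
}

# Constructed sample rows (Search-UnifiedAuditLog shape; AuditData is JSON text).
$Records = @(
    @{ AuditData = '{"CreationTime":"2024-03-04T08:02:11","Operation":"UserLoggedIn","UserId":"j.doe@example.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory"}' },
    @{ AuditData = '{"CreationTime":"2024-03-04T08:05:40","Operation":"New-InboxRule","UserId":"j.doe@example.com","ClientIP":"198.51.100.7","Workload":"Exchange"}' },
    @{ AuditData = '{"CreationTime":"2024-03-04T07:55:02","Operation":"MailItemsAccessed","UserId":"j.doe@example.com","ClientIP":"203.0.113.9","Workload":"Exchange"}' }
) | ForEach-Object { [pscustomobject]$_ }

$result = Build-AttackerTimeline -Records $Records -SuspectUsers 'j.doe@example.com'
$result.Timeline | Format-Table Time, User, Operation, ClientIP
$result.Findings | Format-Table Flag, Time, Op, IP
```

Against live data, replace `$Records` with the output of `Search-UnifiedAuditLog -StartDate ... -EndDate ... -UserIds $upn -ResultSize 5000` after `Connect-ExchangeOnline`; the third constructed row is flagged twice because it both precedes the first sign-in and comes from an IP that never signed in.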
Once the investigation has reached a point where we have a clear picture of the incident scope, we shift into hardening — making sure the same attack cannot happen again.
The entry point that allowed the initial compromise is the first thing to close. If it was legacy authentication, we block it. If it was a weak or reused password with no MFA, we enforce MFA across the tenant with Conditional Access. If it was a phishing email that bypassed your current mail filtering, we review and tighten those controls.
We also implement the visibility controls that most Microsoft 365 environments are missing — the ones that would have caught this attack earlier or made it easier to investigate:
We implement the controls needed to close the attack vector and improve detection going forward. We walk your team through what changed and why, and we verify that no attacker persistence mechanisms remain — no forwarding rules still active, no delegated mailbox access still in place, no OAuth applications still authorized. The environment is not handed back until we are confident the threat has been fully eradicated.
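The persistence verification described above, written out as an added example (not the firm's checklist or tooling): one sweep over the three mechanisms the paragraph names, using the ExchangeOnlineManagement and Microsoft.Graph modules. It assumes `Connect-ExchangeOnline` and `Connect-MgGraph -Scopes 'Directory.Read.All'` have already been run; the function name `Find-M365Persistence` is ours.

```powershell
function Find-M365Persistence {
    param([string[]] $Mailboxes)   # UPNs to sweep; defaults to every mailbox in the tenant
    if (-not $Mailboxes) {
        $Mailboxes = Get-EXOMailbox -ResultSize Unlimited | Select-Object -ExpandProperty UserPrincipalName
    }
    $findings = foreach ($upn in $Mailboxes) {
        # 1a. Mailbox-level forwarding (set via admin center or Set-Mailbox), easy to miss.
        $mb = Get-EXOMailbox -Identity $upn -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
        if ($mb.ForwardingSmtpAddress -or $mb.ForwardingAddress) {
            [pscustomobject]@{ Mailbox=$upn; Type='MailboxForwarding'; Detail="$($mb.ForwardingSmtpAddress)$($mb.ForwardingAddress) (KeepCopy=$($mb.DeliverToMailboxAndForward))" }
        }
        # 1b. Inbox rules that forward, redirect or silently delete mail.
        foreach ($rule in Get-InboxRule -Mailbox $upn) {
            if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo -or $rule.DeleteMessage) {
                [pscustomobject]@{ Mailbox=$upn; Type='InboxRule'; Detail="$($rule.Name) [Enabled=$($rule.Enabled)]: $($rule.Description)" }
            }
        }
        # 2. Delegated access: anyone other than the owner holding explicit rights on the mailbox.
        foreach ($perm in Get-EXOMailboxPermission -Identity $upn) {
            if ($perm.User -ne 'NT AUTHORITY\SELF' -and -not $perm.IsInherited) {
                [pscustomobject]@{ Mailbox=$upn; Type='DelegatedAccess'; Detail="$($perm.User): $($perm.AccessRights -join ',')" }
            }
        }
    }
    # 3. OAuth consent grants: which app, consented by whom, for which scopes.
    $apps = @{}
    Get-MgServicePrincipal -All | ForEach-Object { $apps[$_.Id] = $_.DisplayName }
    $grants = foreach ($g in Get-MgOauth2PermissionGrant -All) {
        $who = if ($g.ConsentType -eq 'AllPrincipals') { 'TENANT-WIDE' } else { $g.PrincipalId }
        [pscustomobject]@{ Mailbox=$who; Type='OAuthGrant'; Detail="$($apps[$g.ClientId]): $($g.Scope)" }
    }
    @($findings) + @($grants)
}

Find-M365Persistence | Sort-Object Type, Mailbox | Format-Table -AutoSize
```

Every row in the output needs an owner who can say why it is there; anything nobody can explain is removed before the environment is handed back.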
Every engagement we handle ends with a written incident report. Not a one-page summary — a full forensic document that includes the confirmed timeline of attacker activity, the entry point and how it was exploited, every system and account that was accessed, every action the attacker took inside the environment, the containment actions we took and when, and the hardening changes implemented.
This report serves multiple purposes. It is the document your cyber insurance carrier will use to evaluate the claim. It is what your attorney needs to determine whether breach notification is required under state or federal law. It is what leadership needs to brief partners, clients, or regulators if that conversation becomes necessary.
It is also the document that, frankly, forces a real conversation about security posture — because seeing exactly what an attacker was able to do inside your environment, and for how long, makes the case for proactive controls better than any sales pitch could.
The most common mistake we see is waiting. A partner notices something strange on a Monday and decides to wait until the IT company's regular Tuesday visit to mention it. By then, another 24 hours of attacker access has occurred. An attorney gets an email from a client asking about a wire transfer and assumes it is a misunderstanding — it is not.
The second most common mistake is doing too much too fast without guidance. Resetting passwords without revoking sessions means the attacker's active session stays alive even after the password is changed. Wiping a device before forensics are done destroys evidence that may be needed for insurance or legal purposes. Notifying clients before the scope is understood means potentially having to send a second, worse notification when more is discovered.
The first 24 hours are high stakes. The decisions you make — or do not make — in that window determine a significant portion of the outcome.
We respond to Microsoft 365 breaches and help firms harden their environments before an attack happens. Direct response from the engineer who will handle your case.
Call 203-558-8645