
Phishing Remediation Actions: What Actually Happens

When a mailbox is compromised, the response cannot stop at “reset the password.” Modern phishing often involves stolen sessions, attacker-controlled MFA, inbox rules, forwarding, OAuth consent, and cloud tokens. This guide breaks down what each remediation action does, how fast it takes effect, and what bad looks like before and after containment.

Detection to Response Workflow

Phishing remediation works best when detection signals are mapped directly to containment actions.

  • User clicks phishing link: credential capture, AiTM flow, or malicious OAuth prompt.
  • Attacker gains access: stolen password, stolen token, or attacker-approved session.
  • Mailbox activity begins: mail access, inbox rules, forwarding, or outbound phishing.
  • Detection: impossible travel, MailItemsAccessed spike, New-InboxRule, OAuth consent, high-volume send.
  • Containment: revoke sessions, reset password, reset MFA.
  • Validation: confirm failed attacker login, no new rules, no new mailbox access spike.

What Each Remediation Action Does

Each action targets a different layer: sessions, credentials, and MFA persistence.

Fast Containment

Revoke Sessions

Invalidates refresh tokens and forces active cloud sessions to re-authenticate. This is the fastest way to interrupt active attacker mailbox access.

  • Best for token theft and active sessions
  • Usually takes effect quickly, often within minutes
  • Does not change the password
  • Does not remove attacker-added MFA

Credential Control

Reset Password

Blocks future authentication with the stolen password. In cloud-first response, this should be paired with session revocation.

  • Stops reuse of stolen credentials
  • Does not reliably kill existing sessions by itself
  • Hybrid environments may introduce sync delay
  • Should be followed by sign-in validation

Persistence Removal

Reset MFA

Removes existing MFA methods and forces re-registration. This is critical when the attacker may have registered their own Authenticator app, phone method, or passkey.

  • Removes attacker-controlled MFA
  • Protects against re-entry after password reset
  • Does not revoke active sessions by itself
  • Requires clean user re-enrollment

On-Prem AD Reset vs Entra ID Reset

In hybrid environments, where you reset the password determines how fast cloud access is actually controlled.

Primary impact
  • On-prem Active Directory reset: domain logons, VPN, Kerberos, NTLM, legacy applications.
  • Entra ID reset: Microsoft 365, cloud apps, Entra-authenticated services.

Cloud effect
  • On-prem Active Directory reset: delayed until password hash sync or identity sync completes.
  • Entra ID reset: immediate for cloud authentication attempts.

Active cloud sessions
  • On-prem Active Directory reset: not killed by the password reset alone.
  • Entra ID reset: not fully killed unless sessions are revoked.

Best use during phishing
  • On-prem Active Directory reset: important for hybrid cleanup, but weak as the only action.
  • Entra ID reset: best for immediate cloud containment when paired with session revocation.

Common failure
  • On-prem Active Directory reset: responder resets the AD password only and the attacker keeps using a valid cloud session.
  • Entra ID reset: responder resets the cloud password but forgets MFA methods or inbox persistence.

Hybrid pitfall: A password reset in on-prem AD may protect domain resources immediately, but it does not automatically evict an attacker from an already-issued Microsoft 365 session. For phishing response, cloud token control matters.

KQL Detection to Action Mapping

Use the detection signal to decide which remediation action is required.

Impossible Travel

Suspicious Sign-In Pattern

Indicates potential token reuse, AiTM activity, or impossible travel behavior.

SigninLogs
| where ResultType == 0                                   // successful sign-ins only
| summarize SignIns = count(), Locations = dcount(Location), LocationSet = make_set(Location)
    by UserPrincipalName, bin(TimeGenerated, 5m)
| where SignIns > 3 and Locations > 1                    // burst of sign-ins from more than one location in the same 5-minute window

Action: Revoke sessions immediately. Reset password if credential compromise is suspected.

Mailbox Access

MailItemsAccessed Spike

Indicates mailbox recon, data access, or automated message review after compromise.

OfficeActivity
| where OfficeWorkload == "Exchange" and Operation == "MailItemsAccessed"
| summarize AccessCount = count() by UserId, bin(TimeGenerated, 5m)   // per-user 5-minute buckets
| where AccessCount > 50                                              // tune the threshold to the tenant's normal baseline

Action: Revoke sessions and reset password. Review message access scope.

Persistence

Inbox Rule Creation

Indicates mailbox persistence, hiding security messages, auto-delete rules, or external forwarding preparation.

OfficeActivity
| where Operation == "New-InboxRule"
| project TimeGenerated, UserId, ClientIP, Parameters   // Parameters carries the rule's conditions and actions for triage

Action: Remove malicious rules, reset MFA, revoke sessions, and reset password.

BEC Behavior

High Volume Outbound Email

Indicates the compromised account may be actively sending phishing or invoice-fraud messages.

OfficeActivity
| where Operation == "Send"                                           // only present when the Send mailbox audit action is enabled
| summarize SentCount = count() by UserId, bin(TimeGenerated, 5m)
| where SentCount > 100                                               // tune to the user's normal send rate

Action: Full containment. Revoke sessions, reset password, reset MFA, and inspect sent items.

What Bad Looks Like

Before remediation, the account may still look “valid” because the attacker is using real authentication paths.

Before Remediation

Compromised Account State

user: victim@company.com
Successful login from California
Successful login from Netherlands two minutes later
MailItemsAccessed hundreds of times
New-InboxRule created: delete incoming security alerts
External forwarding enabled
300+ outbound messages sent in 10 minutes

After Full Remediation

Contained Account State

Sessions revoked
Password reset in cloud or synchronized cleanly
MFA methods reset and re-registered
Inbox rules and forwarding removed
OAuth apps reviewed
Failed attacker login attempts observed
No new mailbox access spike

Clean Remediation Sequence

The order matters because each step closes a different door.

1. Revoke sessions

Invalidate refresh tokens and force re-authentication. This interrupts active attacker access to Outlook, OWA, Teams, SharePoint, and other cloud sessions.

2. Reset password

Block future authentication with the stolen credential. In hybrid, make sure the reset path aligns with the source of authority and sync behavior.

3. Reset MFA

Remove attacker-controlled MFA methods and force clean re-registration. This is especially important after AiTM or suspicious MFA registration activity.

4. Remove mailbox persistence

Delete malicious inbox rules, disable external forwarding, review delegates, inspect sent items, and remove unauthorized OAuth app consent.

5. Validate containment

Confirm failed attacker sign-ins, no new mailbox access spike, no new outbound phishing, and normal user re-authentication from expected locations and devices.
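The five-step sequence above, including the hybrid branch from the on-prem AD vs Entra ID comparison, as an added PowerShell example (not the article's own script). It assumes the Microsoft Graph PowerShell, Exchange Online PowerShell and ActiveDirectory modules are installed, that the operator holds the required roles, and that $SyncServer is a placeholder for the Entra Connect server.

```powershell
# Added example, not from the article: containment in the order the article gives.
param([Parameter(Mandatory)][string]$Upn, [string]$SyncServer = 'aadconnect01')  # $SyncServer is an assumed placeholder
Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All','UserAuthenticationMethod.ReadWrite.All','DelegatedPermissionGrant.ReadWrite.All','AuditLog.Read.All'
Connect-ExchangeOnline -ShowBanner:$false
$user = Get-MgUser -UserId $Upn -Property Id,OnPremisesSyncEnabled,OnPremisesSamAccountName

# 1. Revoke sessions first: refresh tokens die now, so a cached attacker session cannot be renewed
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Reset the password where the account is mastered; a cloud-only reset does not stick for synced users
$newPw = -join (((48..57) + (65..90) + (97..122)) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
if ($user.OnPremisesSyncEnabled) {
    Set-ADAccountPassword -Identity $user.OnPremisesSamAccountName -Reset -NewPassword (ConvertTo-SecureString $newPw -AsPlainText -Force)
    Set-ADUser -Identity $user.OnPremisesSamAccountName -ChangePasswordAtLogon $true
    # Password hash sync runs on a timer; a delta cycle closes the gap the article warns about
    Invoke-Command -ComputerName $SyncServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
} else {
    Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $newPw; ForceChangePasswordNextSignIn = $true }
}

# 3. Reset MFA: delete every non-password method, including any the attacker registered
$remove = @{
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod' = { param($id) Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id -MicrosoftAuthenticatorAuthenticationMethodId $id }
    '#microsoft.graph.phoneAuthenticationMethod'                  = { param($id) Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $id }
    '#microsoft.graph.fido2AuthenticationMethod'                  = { param($id) Remove-MgUserAuthenticationFido2Method -UserId $user.Id -Fido2AuthenticationMethodId $id }
    '#microsoft.graph.softwareOathAuthenticationMethod'           = { param($id) Remove-MgUserAuthenticationSoftwareOathMethod -UserId $user.Id -SoftwareOathAuthenticationMethodId $id }
    '#microsoft.graph.emailAuthenticationMethod'                  = { param($id) Remove-MgUserAuthenticationEmailMethod -UserId $user.Id -EmailAuthenticationMethodId $id }
}
foreach ($m in Get-MgUserAuthenticationMethod -UserId $user.Id) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($remove.ContainsKey($type)) { Write-Host "Removing MFA method $type"; & $remove[$type] $m.Id }
}

# 4. Remove mailbox persistence: inbox rules, forwarding and OAuth consent grants (delegates and sent items are reviewed by hand)
Get-InboxRule -Mailbox $Upn | ForEach-Object {
    Write-Host "Removing inbox rule '$($_.Name)'"; Remove-InboxRule -Mailbox $Upn -Identity $_.Identity -Confirm:$false
}
Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
Get-MgOauth2PermissionGrant -Filter "principalId eq '$($user.Id)'" -All | ForEach-Object {
    Write-Host "Removing consent grant for client $($_.ClientId)"; Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}

# 5. Validate: recent sign-ins should show failures for the attacker's source and success only from expected places
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn'" -Top 25 |
    Select-Object CreatedDateTime, IPAddress, @{n='Country'; e={ $_.Location.CountryOrRegion }},
        @{n='ErrorCode'; e={ $_.Status.ErrorCode }}, AppDisplayName | Format-Table -AutoSize
```

Run it once per compromised account and keep the printed rule names, removed methods and consent grants with the incident record; the final table is the sign-in evidence the validation step asks for.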

Build. Break. Defend. Repeat.

Strong phishing response is not one button. Revoke sessions to kill active access, reset credentials to block re-entry, reset MFA to remove attacker control, then clean the mailbox and validate the account is stable.