
Email & Identity Security

What to Do When a Phishing Attack Happens

What is a phishing attack?

A phishing attack is when attackers impersonate a trusted sender — such as a colleague, supplier, bank, or Microsoft — to trick users into clicking malicious links, opening attachments, or entering login details.


Modern phishing attacks are increasingly convincing. They often:

  • Use real branding and language

  • Target Microsoft 365 and cloud logins

  • Lead to follow-on attacks such as ransomware, invoice fraud, or data theft


Phishing is now one of the most common entry points for wider cyber incidents.


First signs of a phishing incident

You may be dealing with a phishing attack if:

  • A user clicked a suspicious link or entered credentials

  • A login alert appears from an unusual location

  • Emails the user didn’t write are sent from their account

  • Mailbox rules appear that forward or hide emails

  • MFA prompts appear unexpectedly


Even if “nothing seems wrong”, phishing incidents should always be treated seriously.


Immediate actions (first 15–30 minutes)

  1. Change the affected user’s password immediately. Start with email and Microsoft 365. If the password is reused elsewhere, change those too.

  2. Revoke active sessions. Force sign-out across devices so that tokens the attacker already holds stop working; a password change on its own does not reliably do this.

  3. Check MFA status

    • Confirm MFA is enabled

    • Look for newly added authentication methods (phone numbers, authenticator apps). Attackers register their own so they can get back in after the password is changed.

  4. Preserve evidence

    • Save the phishing email (including headers if possible)

    • Screenshot login alerts or suspicious activity

    • Note the time and user affected

Assess what the attacker may have done

Once credentials are compromised, attackers often move quickly.


Check for:

  • Mailbox rules that auto-forward or delete emails

  • OAuth app permissions added without approval

  • Admin role changes

  • Internal phishing emails sent from the compromised account

  • Unusual file access in SharePoint or OneDrive

  • Login attempts from multiple countries


This step determines whether the incident is limited or part of a wider breach.
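The checks in the list above as an added example using Exchange Online and Microsoft Graph PowerShell; this is not the article's own code. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules, an operator with Exchange administrator and audit-log read rights, and uses placeholders for the user, the internal domain and the 14-day look-back window. Everything here is read-only.

```powershell
# Added example: what did the attacker do with the account? Read-only checks only.
# Assumptions (not from the article): ExchangeOnlineManagement and Microsoft.Graph modules
# installed; operator has Exchange admin and audit-log read rights; values below are placeholders.
param(
    [string]$Upn            = 'jo.bloggs@contoso.example',
    [string]$InternalDomain = 'contoso.example',
    [int]$LookbackDays      = 14
)
$since    = (Get-Date).AddDays(-$LookbackDays)
$sinceIso = $since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Application.Read.All' -NoWelcome

# Inbox rules that forward, redirect, delete or bury mail are the classic invoice-fraud footprint.
Write-Host '== Inbox rules worth a look =='
Get-InboxRule -Mailbox $Upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
    $_.MoveToFolder -match 'RSS|Archive|Conversation History' -or $_.MarkAsRead
} | Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, Description | Format-List

# Mailbox-level forwarding is set with Set-Mailbox, not as an inbox rule, so check it separately.
Get-Mailbox -Identity $Upn | Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward | Format-List

# OAuth consents granted by this user: an app the user was tricked into accepting keeps
# mailbox access after the password changes, so each grant needs a name and a publisher.
Write-Host '== OAuth grants =='
Get-MgUserOauth2PermissionGrant -UserId $Upn -All | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId -ErrorAction SilentlyContinue
    [pscustomobject]@{ App = $sp.DisplayName; Publisher = $sp.PublisherName; Scope = $_.Scope; GrantId = $_.Id }
} | Format-Table -AutoSize

# Admin role changes in the window, from the directory audit log (tenant-wide, not just this user).
Write-Host '== Role changes =='
Get-MgAuditLogDirectoryAudit -Filter "category eq 'RoleManagement' and activityDateTime ge $sinceIso" -All |
    Select-Object ActivityDateTime, ActivityDisplayName,
        @{n = 'By';     e = { $_.InitiatedBy.User.UserPrincipalName }},
        @{n = 'Target'; e = { ($_.TargetResources | ForEach-Object {
                                  if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } }) -join ', ' }} |
    Format-Table -AutoSize

# Internal phishing: mail this account sent to colleagues. Get-MessageTrace covers roughly
# the last ten days; anything older needs a historical search.
Write-Host '== Mail sent to internal recipients =='
Get-MessageTrace -SenderAddress $Upn -StartDate $since -EndDate (Get-Date) -PageSize 5000 |
    Where-Object { $_.RecipientAddress -like "*@$InternalDomain" } |
    Group-Object Subject | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# SharePoint/OneDrive downloads and rule changes from the unified audit log.
Write-Host '== File and rule operations =='
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $Upn -ResultSize 5000 `
    -Operations 'FileDownloaded', 'FileSyncDownloadedFull', 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'UpdateInboxRules' |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, ClientIP,
        @{n = 'Object'; e = { if ($_.ObjectId) { $_.ObjectId } else { $_.Parameters.Value -join ' ' } }} |
    Sort-Object CreationTime | Format-Table -AutoSize

# Countries in the sign-in log: more than one inside the window usually means an attacker session.
Write-Host '== Sign-in countries =='
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $sinceIso" -All |
    Group-Object { $_.Location.CountryOrRegion } |
    Select-Object Name, Count, @{n = 'FirstSeen'; e = { ($_.Group.CreatedDateTime | Measure-Object -Minimum).Minimum }} |
    Format-Table -AutoSize
```

Read the output with the saved phishing email beside it: the first sign-in from a new country, the creation time of the first suspicious rule and the first internal message from the account usually line up and give you the start of the compromise. A rule change or OAuth grant with no matching sign-in from an unexpected location suggests the attacker is working through a stolen session token rather than the password.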


What NOT to do

  • Don’t ignore it because “nothing happened.”  Many attacks are quiet at first.

  • Don’t just change the password and move on.  Access may persist elsewhere.

  • Don’t blame the user.  Fear reduces reporting and increases risk next time.


Containment and remediation

After initial response:

  • Reset passwords for affected users and any linked admin accounts

  • Review and tighten MFA and conditional access policies

  • Remove unauthorised mailbox rules and app permissions

  • Check whether phishing was delivered to other users

  • Update email filtering rules if needed


When does phishing become a reportable incident?

A phishing email on its own isn’t always a reportable incident, but it can become one if:

  • Personal data is accessed or exfiltrated

  • Financial fraud occurs

  • The attacker gains access to sensitive systems


In these cases, legal and regulatory guidance may be required.


Note: This is general guidance, not legal advice.


Preventing future phishing attacks

Most successful phishing incidents exploit a combination of:

  • Weak or missing MFA

  • Over-privileged users

  • Poor visibility into login activity

  • Lack of user awareness


Key controls include:

  • MFA for all users (especially admins)

  • Conditional access policies

  • Regular user awareness training

  • Strong email filtering

  • Monitoring for suspicious sign-ins and rule changes


Signs the attacker may still have access

After remediation, watch for:

  • Reappearing mailbox rules

  • Repeated MFA prompts

  • New OAuth app permissions

  • Logins from unfamiliar locations

  • Unexpected password reset requests


If any appear, treat it as an active incident.


People Also Ask

What should I do if I clicked a phishing link?

Change your password immediately, revoke active sessions, and report the incident so activity can be checked properly.


Can phishing lead to ransomware?

Yes. Phishing is one of the most common ways attackers gain initial access before deploying ransomware or stealing data.


Is MFA enough to stop phishing?

MFA significantly reduces risk but isn’t foolproof. Attackers may use MFA fatigue (repeated push prompts until the user approves one) or steal the session token after a successful login, so layered security is important. Phishing-resistant methods such as FIDO2 security keys or passkeys close the gap that push- and code-based MFA leave open.


How do attackers use compromised email accounts?

They often monitor conversations, redirect invoices, launch internal phishing, or access cloud files.


Should phishing incidents be reported?

They should always be reported internally. External reporting depends on data exposure and regulatory requirements.

TL;DR

  • Act quickly: if a link was clicked or credentials entered, assume the account is compromised.

  • Change passwords immediately (starting with email and Microsoft 365).

  • Revoke active sessions and check for suspicious login activity.

  • Look for follow-on attacks: mailbox rules, MFA changes, and internal phishing.

  • Warn staff: attackers often target multiple users at once.

  • Review controls: MFA, email filtering, and user permissions reduce repeat attacks.


Written by:

Steve Harper

Commercial Director

Sources

NCSC (UK), Microsoft Security documentation, CISA guidance, ENISA phishing guidance, NIST incident handling framework, industry email-security best practices.
