Cyber Defense Tactics

© 2026 Cyber Defense Tactics. All rights reserved.

A Carbene.AI Project

Level: beginner | Free

Account Compromise Quick Reference

Rapid response guide for when a user account is suspected or confirmed compromised.

30-60 min | 5 steps | 10 checklist items

Summary

Essential steps to contain and investigate a compromised user account, with a focus on speed and evidence preservation.

Step-by-Step Procedure

Step 1: Immediate Actions

Take these steps within the first 5 minutes.

Actions

  • Reset the user's password immediately
  • Revoke all active sessions (sign out everywhere)
  • Disable MFA devices and re-enroll if needed
  • Check and remove any forwarding rules
  • Check for unauthorized OAuth app grants

Tools

  • Identity management console
  • Email admin
Step 2: Initial Assessment

Understand how the account was compromised.

Actions

  • Review authentication logs for suspicious sign-ins
  • Check for logins from unusual locations or IPs
  • Look for impossible travel scenarios
  • Identify the likely compromise method (phishing, password reuse, etc.)

Tools

  • SIEM
  • Identity provider logs
  • Email security
Step 3: Assess Impact

Determine what the attacker did with access.

Actions

  • Review the email Sent folder for lateral phishing
  • Check for accessed or downloaded files
  • Look for inbox rules that forward or hide emails
  • Check for calendar invite spam
  • Review shared links and permission changes
Step 4: Contain Spread

Prevent the compromise from spreading.

Actions

  • Alert users who received emails from the compromised account
  • Block any malicious links that were sent
  • Reset passwords for any exposed accounts
  • Check if credentials were reused elsewhere
Step 5: Recovery and Communication

Restore access and inform stakeholders.

Actions

  • Work with the user to securely reset their password and MFA
  • Verify there are no unauthorized changes to account settings
  • Communicate with affected parties if needed
  • Document the incident
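As an added example (not part of this playbook or the site's own tooling), a small Python check for the impossible-travel scenario in Step 2: it walks sign-in events in time order and flags consecutive successful sign-ins by the same user from different IPs whose distance and time gap would require travelling faster than an assumed 900 km/h threshold. The sign-in records, IP addresses and coordinates are constructed sample data, and the threshold and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold (roughly airliner speed); tune per environment

@dataclass
class SignIn:
    user: str
    ts: datetime      # timezone-aware timestamp of the sign-in
    ip: str
    lat: float        # geolocation of the source IP (from the IdP or a GeoIP lookup)
    lon: float
    success: bool     # only successful sign-ins count as "the user was there"

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points on Earth."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive successful sign-ins by one user from different IPs that would
    need travel faster than max_kmh. Returns (user, earlier_ip, later_ip, kmh) tuples."""
    findings, last_seen = [], {}
    for e in sorted(events, key=lambda x: x.ts):
        if not e.success:
            continue
        prev = last_seen.get(e.user)
        if prev is not None and prev.ip != e.ip:
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            speed = km / hours if hours > 0 else float("inf")  # same-second sign-ins
            if speed > max_kmh:
                findings.append((e.user, prev.ip, e.ip, round(speed, 1)))
        last_seen[e.user] = e
    return findings

def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample: alice signs in from New York, then 40 minutes later from Lagos;
# bob's second event is a failed attempt and is ignored.
SAMPLE = [
    SignIn("alice", _utc("2024-05-01T08:00:00"), "203.0.113.10", 40.71, -74.01, True),
    SignIn("alice", _utc("2024-05-01T08:40:00"), "198.51.100.7", 6.52, 3.38, True),
    SignIn("bob", _utc("2024-05-01T09:00:00"), "203.0.113.22", 51.51, -0.13, True),
    SignIn("bob", _utc("2024-05-01T09:05:00"), "198.51.100.9", 48.86, 2.35, False),
]
```

Feed it the sign-ins for the suspected account from the identity provider logs; a hit gives the two IPs to review alongside any inbox rules or OAuth grants created in the same window.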

Completion Checklist

  • Password reset completed
  • All sessions revoked
  • MFA devices reviewed/re-enrolled
  • Email forwarding rules checked
  • OAuth apps reviewed
  • Authentication logs reviewed
  • Impact assessed (sent emails, accessed files)
  • Recipients of malicious emails warned
  • User re-enabled with fresh credentials
  • Incident documented

Evidence to Collect

  • Authentication logs showing the compromise timeline
  • List of actions taken by the attacker
  • Emails sent from the compromised account
  • IP addresses used by the attacker
  • Timeline of the compromise

Related Playbooks

  • Phishing Response Basics
  • Executive Briefing