Best practices for phishing remediation as security personnel

A phishing e-mail made its way through Microsoft ATP and was delivered to every inbox in your organization. Now there is a halfway legitimate-looking e-mail in every one of your employees' mailboxes. What do you do?


How do you find and remove the email from the inboxes?



What is the difference between "Hard delete" and "Add to remediation" + "Hard delete"?



Should I submit the e-mail to Microsoft? If I do, does something happen behind the scenes, or is that just a submission that Microsoft will take a look at sometime?



How do you make sure that no attachments or links were clicked in that email?



What should you do if there were clicks or downloads from that e-mail?



How do you make sure there won't be similar e-mails hitting after that (block sender / subject)?



Should I trigger an investigation?


