M365 Incident Response Playbooks
Microsoft 365, Security | 5 February 2026


Drago Petrovic


Microsoft MVP

This document provides customer-ready incident response playbooks for common Microsoft 365 security incidents. It is designed to accelerate containment, reduce business risk, and ensure consistent, audit-friendly handling.

1) Scope, Licensing Baseline, Prerequisites, and Severity

1.1 Scope (What this covers)

This playbook set covers incidents primarily within Microsoft 365:

  • Entra ID (P1/P2): identity, sign-ins, MFA, Conditional Access, risk-based signals
  • Defender for Office 365 P2: phishing investigation, Explorer, automated investigation/response (AIR), threat hunting
  • Defender for Endpoint: endpoint alerts, device isolation, investigation, remediation
  • Microsoft Purview: audit, DLP, sensitivity labels, eDiscovery (where applicable)
  • Intune: device compliance, app/device management, remote actions

1.2 Licensing/Tooling Baseline (Assumed Available)

The procedures below assume the customer has: Defender for Office 365 P2, Defender for Endpoint, Microsoft Purview, Entra ID P1/P2, and Intune.

Note: If any component is missing, dotCLOUD will provide an adjusted incident path (reduced visibility/containment options).

1.3 Prerequisites (Execution Readiness)

  • Named Contacts: IT admin, security lead, legal/compliance, and business owner.
  • Access: Administrative access path (break-glass procedure + approval flow).
  • Log Retention: Entra sign-in logs, Unified Audit Log / Purview Audit, Defender incident retention.
  • Communication Channel: SEV1 (Ticket + Phone/Teams bridge), SEV2/3 (Ticket + scheduled updates).

1.4 Severity Levels (Customer-Facing)

Level  Definition
SEV1   Active compromise with confirmed data access/exfiltration, privileged account impact, or business interruption.
SEV2   Likely compromise or high-confidence malicious activity, limited scope, no confirmed exfiltration.
SEV3   Suspicious indicators, contained quickly, low impact.

1.5 Customer Decision Points (Important)

  • Is tenant-wide containment acceptable (external sharing restrictions, mail flow blocks) vs. user-scoped actions?
  • Evidence preservation priority (regulated) vs. rapid restoration priority (business critical)?
  • Do we involve legal/HR (insider risk suspicion) and/or notify authorities (sector-specific)?

2) Playbook A — Compromised M365 Account (Identity-First)

Objective: Stop attacker access quickly, preserve evidence, and restore secure access.

A1) What this usually looks like (Common Indicators)

  • Entra sign-ins from new country/ASN, impossible travel, unfamiliar device.
  • MFA prompt bombing / fatigue, or new MFA method added.
  • New OAuth app consent granted, suspicious enterprise application.
  • Mailbox forwarding enabled, new inbox rules created.
  • SharePoint/OneDrive downloads spike after sign-in.
  • Defender for Endpoint alert on the user’s primary device shortly before/after suspicious sign-in.

A2) Information to collect immediately (Triage Inputs)

  • Affected user: UPN, display name, department, and whether they are privileged.
  • Timeframe: Approximate time window of suspected compromise.
  • Artifacts: Known phishing email, URL, or attachment (if available).
  • Business impact: Access loss tolerance, critical mailboxes/data.
  • Primary device(s): Hostname, Intune-managed yes/no.

A3) First 30 Minutes Checklist (Containment)

  • Open incident record (ticket) and note: time, reporter, suspected scope.
  • Entra: Revoke active sessions/refresh tokens for the user.
  • Entra: Disable account temporarily (if SEV1 or privileged).
  • Entra: Reset password and require password change at next sign-in.
  • MFA: Remove suspicious MFA methods; re-register with user on trusted device.
  • Conditional Access: Apply restrictions (Require MFA, Compliant Device, Block Legacy Auth, Risk-based).
  • Defender for Endpoint: Check for alerts; isolate device if suspicious (SEV1).
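The Entra steps of this checklist can be run as one scripted action so that revocation, disable and reset happen in the right order and every action is timestamped for the incident record. The following is an added example, not code from the original playbook or from dotCLOUD/MSB365; it uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, that the operator's role can revoke sessions, disable users and reset passwords, and that `$Upn`, `$Severity` and `$TicketId` are taken from the ticket (the `contoso.example` UPN and `INC-0001` value in the usage line are constructed placeholders).

```powershell
# Added example (not part of the original playbook): Entra ID containment steps of the
# "First 30 Minutes" checklist with the Microsoft Graph PowerShell SDK. Returns an audit
# trail the responder can paste into the incident record.
# Assumptions: Microsoft.Graph installed; role may revoke sessions, disable users and
# reset passwords; $Upn / $Severity / $TicketId come from the ticket.

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.Read.All', 'Directory.AccessAsUser.All'

function New-RandomPassword {
    # 24 random bytes, base64-encoded: 32 characters from upper, lower, digits and symbols.
    $bytes = [byte[]]::new(24)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Invoke-EntraContainment {
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [ValidateSet('SEV1', 'SEV2', 'SEV3')] [string] $Severity = 'SEV2',
        [switch] $Privileged,
        [string] $TicketId = 'INC-PLACEHOLDER'   # hypothetical ticket reference
    )
    $trail = [System.Collections.Generic.List[string]]::new()
    function Note([string] $Msg) {
        $trail.Add("$((Get-Date).ToUniversalTime().ToString('u')) [$TicketId] $Msg")
    }

    # 1. Revoke refresh tokens: every existing session, on every device, must re-authenticate.
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null
    Note "Revoked sign-in sessions for $Upn"

    # 2. Disable the account only for SEV1 or privileged users, as the checklist specifies.
    if ($Severity -eq 'SEV1' -or $Privileged) {
        Update-MgUser -UserId $Upn -AccountEnabled:$false
        Note "Disabled account (Severity=$Severity, Privileged=$Privileged)"
    }

    # 3. Reset the password and force a change at next sign-in. The temporary value is
    #    handed to the user out-of-band and deliberately never written to the trail.
    $temp = New-RandomPassword
    Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $temp; ForceChangePasswordNextSignIn = $true }
    Note "Password reset; change required at next sign-in"

    # 4. Inventory registered MFA methods so the responder can compare them with what the
    #    user recognises. Removal is a separate, reviewed step (Remove-MgUserAuthentication*Method).
    foreach ($m in Get-MgUserAuthenticationMethod -UserId $Upn) {
        $type = ($m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
        Note "Registered auth method: $type (id $($m.Id))"
    }
    return $trail
}

# Usage (constructed values): the returned lines are the evidence entries for the ticket.
# Invoke-EntraContainment -Upn 'user@contoso.example' -Severity SEV1 -Privileged -TicketId 'INC-0001'
```

The order matters: revoking sessions before the password reset ensures a token the attacker already holds cannot outlive the new credential, and the disable step is gated on severity exactly as the checklist states so that SEV2/SEV3 users are not locked out unnecessarily.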

A4) Investigation Steps (Practical Path)

  • Entra Review: Identify first suspicious sign-in, device, IP, location, and client app.
  • Risk Signals (P2): Check sign-in/user risk; confirm if risk policies triggered.
  • Auth Methods: Confirm if MFA methods were added/changed.
  • OAuth Persistence: Review consent grants; remove suspicious enterprise apps; invalidate tokens.
  • Mailbox Persistence: Check forwarding, inbox rules, delegates, and suspicious send activity.
  • Endpoint Correlation: Validate device for malware, token theft, or suspicious browser activity.
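The Entra review, risk-signal check and OAuth-persistence steps above can be scripted against the sign-in log and the consent-grant list. This is an added example, not code from the original playbook or from dotCLOUD/MSB365; it uses the Microsoft Graph PowerShell SDK and assumes `Connect-MgGraph` has been run with `AuditLog.Read.All` and `Directory.Read.All`, and that the known-country baseline (`CH`, `DE` are constructed defaults) is replaced with the values from the ticket. The mailbox-persistence bullet is covered separately under Playbook B.

```powershell
# Added example (not part of the original playbook): Playbook A4 investigation steps with
# the Microsoft Graph PowerShell SDK. Assumes Connect-MgGraph with AuditLog.Read.All and
# Directory.Read.All; $KnownCountries is a constructed default to be taken from the ticket.

function Get-SignInTriage {
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [int] $Days = 14,
        [string[]] $KnownCountries = @('CH', 'DE')   # constructed baseline; replace per customer
    )
    $since   = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -All

    # Legacy protocols (IMAP/POP/SMTP/ActiveSync) bypass most MFA prompts, so anything outside
    # the two modern client categories is flagged.
    $modernClients = @('Browser', 'Mobile Apps and Desktop clients')
    $rows = foreach ($s in $signIns) {
        $country = $s.Location.CountryOrRegion
        $risk    = $s.RiskLevelDuringSignIn
        [pscustomobject]@{
            Time       = $s.CreatedDateTime
            Ip         = $s.IpAddress
            Country    = $country
            ClientApp  = $s.ClientAppUsed
            Device     = $s.DeviceDetail.DisplayName
            RiskLevel  = $risk
            Success    = ($s.Status.ErrorCode -eq 0)
            Suspicious = ($country -and $country -notin $KnownCountries) -or
                         ($s.ClientAppUsed -notin $modernClients) -or
                         ($risk -in @('medium', 'high'))
        }
    }
    $rows = @($rows | Sort-Object Time)
    [pscustomobject]@{
        # First successful suspicious sign-in = start of the compromise window for the timeline.
        FirstSuspicious = $rows | Where-Object { $_.Suspicious -and $_.Success } | Select-Object -First 1
        SuspiciousIps   = @($rows | Where-Object Suspicious | Select-Object -ExpandProperty Ip -Unique)
        All             = $rows
    }
}

function Get-OAuthPersistence {
    param([Parameter(Mandatory)] [string] $Upn)
    $user = Get-MgUser -UserId $Upn -Property Id
    # oauth2PermissionGrants with principalId = user record delegated consent given by that user.
    $grants = Get-MgOauth2PermissionGrant -Filter "principalId eq '$($user.Id)'" -All
    foreach ($g in $grants) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -Property DisplayName, AppId
        [pscustomobject]@{
            App      = $sp.DisplayName
            AppId    = $sp.AppId
            Scopes   = $g.Scope
            Consent  = $g.ConsentType
            # Mailbox/file read plus offline_access is the classic persistence combination.
            HighRisk = ($g.Scope -match 'Mail\.Read|Files\.Read|offline_access')
            GrantId  = $g.Id   # input to Remove-MgOauth2PermissionGrant after review
        }
    }
}

# Usage (constructed UPN):
# $triage = Get-SignInTriage -Upn 'user@contoso.example' -KnownCountries 'CH'
# $triage.FirstSuspicious; $triage.SuspiciousIps
# Get-OAuthPersistence -Upn 'user@contoso.example' | Where-Object HighRisk
```

`FirstSuspicious` gives the start of the timeline required in Section 5.1, and `SuspiciousIps` is the list to correlate with mailbox and SharePoint audit events in Playbooks B and C. Removing a grant is left as an explicit follow-up call so that the responder reviews the app first; removing the grant alone does not invalidate tokens already issued, which is why the session revocation in A3 precedes it.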

A5) Eradication + Recovery

  • Remove malicious rules/forwarding and unauthorized delegates.
  • Remove suspicious app consents and rotate any exposed credentials.
  • If endpoint involved: Remediate device (Defender actions) before restoring access.
  • Re-enable user with verified MFA and device compliance enforced.
  • Monitor (24–72h): Sign-ins, mailbox rules, and unusual downloads/sharing.

A6) Post-incident Hardening (Recommended)

  • CA Baseline: MFA, block legacy auth, require compliant device for high-risk apps.
  • Privileged Access: PIM, least privilege, separate admin accounts.
  • Phishing-resistant MFA for admins where feasible.

3) Playbook B — Suspicious Mailbox Activity / BEC

Objective: Stop business email compromise patterns and prevent ongoing fraud.

B1) What this usually looks like

  • Hidden inbox rules moving finance emails to RSS/Archive.
  • External forwarding to unknown domains.
  • Impersonation attempts (CEO/CFO), invoice fraud attempts.
  • Unusual sent items volume or replies to old threads.
  • Defender for Office alerts: phish delivered, user clicked, or malicious URL.

B2) First 30 Minutes Checklist

  • Confirm whether the mailbox is actively sending malicious emails.
  • Remove/disable external forwarding and suspicious inbox rules.
  • Revoke sessions and reset credentials (execute Playbook A in parallel).
  • Finance: Notify finance lead immediately and freeze payment changes.

B3) Investigation Steps (Using Defender for Office P2)

  • Use Threat Explorer / Email & Collaboration to identify original phish, recipients, and clickers.
  • Review mailbox rules, forwarding, and delegates.
  • Review Entra sign-ins for the affected user.
  • Blast Radius: Identify other mailboxes with similar rules or patterns.
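The rule, forwarding and delegate review (this step and the mailbox-persistence bullet of Playbook A4) and the containment action of B2 can be done in Exchange Online PowerShell. The following is an added example, not code from the original playbook or from dotCLOUD/MSB365; it assumes the ExchangeOnlineManagement module, a role with mailbox read/write access, and that the tenant's accepted domains define what counts as "external". The keyword and folder patterns used to flag rules are heuristics chosen for this example, not a product feature.

```powershell
# Added example (not part of the original playbook): mailbox persistence review and containment
# for Playbooks A4/B2/B3 with Exchange Online PowerShell. Assumes ExchangeOnlineManagement and a
# role that can read/modify mailboxes. The suspicious-rule heuristics are this example's own.

Connect-ExchangeOnline -ShowBanner:$false

# Tenant-owned domains; forwarding to anything else is treated as external.
$AcceptedDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)] $Rule)
    $reasons = @()
    if ($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo) { $reasons += 'forwards/redirects mail' }
    if ($Rule.DeleteMessage) { $reasons += 'deletes messages' }
    if ($Rule.MoveToFolder -match 'RSS|Archive|Deleted|Junk|Conversation History') { $reasons += "moves to $($Rule.MoveToFolder)" }
    $words = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords)
    if ($words -match 'invoice|payment|bank|wire|iban|password') { $reasons += 'matches finance/credential keywords' }
    if ($Rule.Name -match '^[\s\.\,]*$') { $reasons += 'near-empty name (hidden rule)' }
    return $reasons
}

function Get-MailboxPersistence {
    param([Parameter(Mandatory)] [string] $Upn)
    $mbx = Get-Mailbox -Identity $Upn
    $targets = @()
    if ($mbx.ForwardingSmtpAddress) { $targets += ($mbx.ForwardingSmtpAddress -replace '^smtp:', '') }
    $external = @($targets | Where-Object { ($_ -split '@')[1].ToLower() -notin $AcceptedDomains })

    # -IncludeHidden surfaces rules created through Outlook client tricks that the UI does not list.
    $flagged = foreach ($r in Get-InboxRule -Mailbox $Upn -IncludeHidden) {
        $why = Test-SuspiciousInboxRule -Rule $r
        if ($why) { [pscustomobject]@{ Name = $r.Name; Identity = $r.Identity; Enabled = $r.Enabled; Reasons = ($why -join '; ') } }
    }
    $delegates = Get-MailboxPermission -Identity $Upn |
        Where-Object { -not $_.IsInherited -and $_.User -notmatch '^NT AUTHORITY|^S-1-5' }

    [pscustomobject]@{
        Mailbox            = $Upn
        ExternalForwarding = $external
        InternalForwarding = $mbx.ForwardingAddress
        SuspiciousRules    = @($flagged)
        Delegates          = @($delegates | Select-Object User, AccessRights)
    }
}

function Invoke-MailboxContainment {
    param([Parameter(Mandatory)] [string] $Upn, [Parameter(Mandatory)] $Findings)
    if ($Findings.ExternalForwarding) {
        Set-Mailbox -Identity $Upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    }
    foreach ($r in $Findings.SuspiciousRules) {
        # Disable rather than delete so the rule definition remains available as evidence.
        Disable-InboxRule -Mailbox $Upn -Identity $r.Identity -Confirm:$false
    }
}

# Blast radius (B3): every mailbox in the tenant forwarding to a domain the tenant does not own.
function Get-TenantExternalForwarding {
    Get-Mailbox -ResultSize Unlimited -Filter 'ForwardingSmtpAddress -ne $null' |
        Select-Object UserPrincipalName, @{ n = 'Target'; e = { $_.ForwardingSmtpAddress -replace '^smtp:', '' } } |
        Where-Object { ($_.Target -split '@')[1].ToLower() -notin $AcceptedDomains }
}

# Usage (constructed UPN): record $f in the ticket before containment changes anything.
# $f = Get-MailboxPersistence -Upn 'user@contoso.example'
# Invoke-MailboxContainment -Upn 'user@contoso.example' -Findings $f
# Get-TenantExternalForwarding
```

Capturing the findings object before calling the containment function preserves the evidence the closure package needs (rule names, targets, delegates) even after the rules are disabled; the tenant-wide forwarding sweep is the quickest way to confirm whether the pattern is limited to one mailbox.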

B4) Tenant-wide Actions

  • Search and remove/purge messages across mailboxes (where permitted).
  • Block sender/domain/URL patterns.
  • Consider temporary tightening of anti-phishing policies for high-risk users.

B5) Recovery + Customer Guidance

  • Confirm legitimate rules are restored.
  • Finance Guidance: Verify bank changes out-of-band, confirm invoices via phone, treat "urgent" requests as suspicious.

4) Playbook C — Data Leakage / Suspected Exfiltration

Objective: Stop risky sharing, preserve evidence, and assess scope quickly.

C1) What this usually looks like

  • Anonymous links created for sensitive folders.
  • External guest access added unexpectedly.
  • Large download activity from OneDrive/SharePoint.
  • Teams channel files shared externally.
  • Purview alerts: DLP policy matches, unusual sharing.

C2) First 30 Minutes Checklist

  • Identify exact location (site/OneDrive/Team) and sensitivity of data.
  • Preserve evidence: Note time window, user(s), file(s), link(s).
  • Remove/expire anonymous links and restrict external sharing.
  • If identity compromise is suspected: Execute Playbook A in parallel.

C3) Investigation Steps (Purview/Audit-driven)

  • Review audit events: link creation, guest invitations, file downloads/access, permission changes.
  • Identify which files were accessed and by whom.
  • Determine if access was legitimate business activity vs. suspicious.
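The audit review above (link creation, guest invitations, downloads, permission changes) maps to a fixed set of Unified Audit Log operations that can be pulled for the incident window and summarised per user and file. This is an added example, not code from the original playbook or from dotCLOUD/MSB365; it assumes `Connect-ExchangeOnline` has been run with a role that can search the audit log, that the window and user list come from the ticket, and the download threshold of 100 is a constructed default to be tuned per customer.

```powershell
# Added example (not part of the original playbook): Purview/audit-driven review for Playbook C3
# with Search-UnifiedAuditLog (ExchangeOnlineManagement). Assumes Connect-ExchangeOnline has been
# run with audit-log search rights; window, users and the download threshold come from the ticket.

$SharingOps = 'AnonymousLinkCreated', 'SharingInvitationCreated', 'SharingSet', 'SecureLinkCreated', 'AddedToSecureLink'
$AccessOps  = 'FileDownloaded', 'FileSyncDownloadedFull', 'FileAccessed'
$PermOps    = 'PermissionLevelAdded', 'SiteCollectionAdminAdded'

function Get-SharingAuditEvents {
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [string[]] $UserIds                       # optional: scope to the suspected user(s)
    )
    # One SessionId with ReturnLargeSet pages through result sets larger than 5000 rows.
    $p = @{
        StartDate = $Start; EndDate = $End
        Operations = ($SharingOps + $AccessOps + $PermOps)
        SessionId = "c3-$([guid]::NewGuid())"; SessionCommand = 'ReturnLargeSet'; ResultSize = 5000
    }
    if ($UserIds) { $p.UserIds = $UserIds }
    $events = @()
    do { $page = @(Search-UnifiedAuditLog @p); $events += $page } while ($page.Count -eq 5000)

    # AuditData is a JSON document; the fields below are common to SharePoint/OneDrive events.
    foreach ($e in $events) {
        $d = $e.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time       = [datetime]$d.CreationTime
            User       = $d.UserId
            Operation  = $d.Operation
            Workload   = $d.Workload
            ClientIP   = $d.ClientIP
            Site       = $d.SiteUrl
            File       = $d.SourceFileName
            Target     = $d.TargetUserOrGroupName   # recipient of a share/invite, if any
            TargetType = $d.TargetUserOrGroupType   # e.g. Guest vs. Member
        }
    }
}

function Get-ExfilSummary {
    param([Parameter(Mandatory)] [object[]] $Rows, [int] $DownloadThreshold = 100)   # constructed default
    $downloads = $Rows | Where-Object { $_.Operation -in $AccessOps } | Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User          = $_.Name
            Events        = $_.Count
            DistinctIPs   = @($_.Group.ClientIP | Sort-Object -Unique).Count
            OverThreshold = ($_.Count -ge $DownloadThreshold)
        }
    }
    [pscustomobject]@{
        DownloadsByUser = @($downloads | Sort-Object Events -Descending)
        SharingEvents   = @($Rows | Where-Object { $_.Operation -in $SharingOps } |
                              Select-Object Time, User, Operation, Site, File, Target, TargetType)
        PermissionEvents = @($Rows | Where-Object { $_.Operation -in $PermOps })
        FilesTouched    = @($Rows.File | Where-Object { $_ } | Sort-Object -Unique)
    }
}

# Usage (constructed window and UPN):
# $rows = Get-SharingAuditEvents -Start (Get-Date).AddDays(-7) -End (Get-Date) -UserIds 'user@contoso.example'
# $s = Get-ExfilSummary -Rows $rows
# $s.DownloadsByUser | Where-Object OverThreshold; $s.SharingEvents; $s.FilesTouched
```

`FilesTouched` and `SharingEvents` answer the "which files, by whom" question directly and belong in the evidence package; the per-user download count with distinct source IPs is what separates a bulk pull from a new location (suspicious) from a user's normal sync activity, which is the judgement the last bullet above asks for.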

C4) Recovery + Governance Improvements

  • Restore sharing to least privilege.
  • Implement/adjust Sensitivity Labels and DLP policies.
  • Set external sharing baseline per sector (finance/pharma/public).
  • Add alerting for high-risk sharing behaviors.

5) Evidence, Communications, and Closure Package

5.1 Evidence Handling

  • Timeline: Detection → Containment → Eradication → Recovery.
  • Artifacts: Sign-in evidence, rule changes, sharing links, app consents, endpoint remediation actions.
  • Approvals: Document who approved high-impact actions (account disable, tenant-wide blocks).

5.2 Customer Communication Templates

Initial Acknowledgement:

  • Summary of what is known
  • Immediate actions underway
  • What is needed from the customer (approvals, contacts, business impact)

Containment Update:

  • Actions taken and expected user impact
  • Current risk status and next steps

Closure Summary:

  • Timeline
  • Root cause hypothesis
  • Confirmed impact (what was accessed/changed)
  • Hardening actions completed and recommended follow-ups

5.3 Recommended Update Cadence

  • SEV1: Every 60–90 minutes until contained.
  • SEV2: Twice daily until stable.
  • SEV3: Daily or at milestones.

© 2026 MSB365 | Microsoft 365 Incident Response Playbooks.
Standardized procedures for enterprise security.