hacked.com

What to Do if Your Business or Employees Are Hacked

A business compromise is rarely a single event. It is usually a chain: an account is taken, access persists through sessions or recovery channels, and the attacker pivots into finance, vendor relationships, or extortion leverage. The fastest recoveries start by stabilizing the control plane, then removing attacker access, then restoring operations.

Safety note: do not wipe machines, delete email, or rotate everything at once before you preserve evidence. You can destroy the only proof of what happened and make recovery harder.

Immediate decisions (choose the scenario)

Scenario: Suspicious logins or MFA prompts on email or SaaS
  Do this first: Secure the primary inbox and admin accounts from a clean device
  Then do this: End sessions, rotate credentials, and audit recovery methods

Scenario: Invoice fraud or vendor payment diversion
  Do this first: Freeze payment changes and verify vendors out of band
  Then do this: Contain the mailbox, preserve evidence, and notify your bank quickly

Scenario: Ransomware or extortion note
  Do this first: Isolate affected systems and stop spread
  Then do this: Preserve evidence, confirm backup viability, and use official reporting channels

Scenario: An employee device is lost or suspected compromised
  Do this first: Disable or reset the account and revoke sessions
  Then do this: Rotate credentials, review app grants, and check mailbox rules

Scenario: You suspect an attacker still has access after "fixes"
  Do this first: Treat it as persistence: audit admins, tokens, forwarding rules, and OAuth grants
  Then do this: Rebuild the control plane and rotate high-value credentials again

If the incident is limited to personal accounts, start with the guide "Been hacked: take these steps immediately". If phishing is involved, use "How to identify scam emails" to standardize verification behavior.

1) Stabilize the control plane (email, identity, admins)

Most business incidents become long incidents because email or identity is not fully recovered. Start by securing the accounts that can reset other accounts.

  • Secure the primary inbox and any shared mailboxes used for finance and vendor communications.
  • Secure the identity provider and admin consoles. Remove stale admins and enforce stronger sign-in.
  • Audit mailbox forwarding rules, filters, delegates, and connected apps. Attackers use these to persist quietly.
  • Turn on high-signal alerts: new device sign-ins, password resets, recovery-method changes, and new admin role grants.

For the common failure modes and containment sequence, read "Account takeover and session hijacking".

2) Contain access and remove attacker sessions

Containment is about stopping the attacker from continuing. The practical goal is to reduce the number of places they can still authenticate.

  • Revoke active sessions and refresh tokens for affected users and admins.
  • Reset passwords to unique values stored in a password manager.
  • Upgrade authentication for admins and high-risk roles. Prefer phishing-resistant methods where possible.
  • Remove unknown endpoints from device management and revoke risky app permissions.

Common mistake: resetting a password while leaving mailbox forwarding rules and OAuth grants in place. That is how compromise returns.

3) Preserve evidence and build a short timeline

Evidence is what lets you reverse changes, dispute fraud, and explain the incident to vendors and authorities. Keep it simple:

  • A timeline of when suspicious activity started, what changed, and what was impacted.
  • Security emails, screenshots of prompts, and URLs to malicious messages.
  • Admin and audit logs exported where possible.
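The timeline in step 3 can be built straight from the high-signal events listed in step 1. The script below is an added example, not part of the original article: it triages a constructed line-delimited JSON audit export (the event names and field names are assumptions, not any vendor's schema), flags new-device sign-ins, password resets, recovery-method changes, admin role grants and new inbox rules, and returns them in time order together with the accounts that need containment.

```python
import json
from datetime import datetime

# Event names and fields below are assumptions for this example, not a vendor schema.
HIGH_SIGNAL = {
    "SignIn": lambda e: e.get("new_device") is True,
    "PasswordReset": lambda e: True,
    "RecoveryMethodChange": lambda e: True,
    "RoleAssigned": lambda e: "admin" in e.get("role", "").lower(),
    "InboxRuleCreated": lambda e: True,
}

def parse_events(lines):
    """Parse one JSON object per line; skip malformed lines rather than abort the triage."""
    events = []
    for line in lines:
        try:
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
            events.append(e)
        except (ValueError, KeyError, TypeError):
            continue
    return events

def build_timeline(lines):
    """Return high-signal events sorted by time as (timestamp, user, event, detail)."""
    rows = []
    for e in parse_events(lines):
        check = HIGH_SIGNAL.get(e.get("event"))
        if check and check(e):
            detail = e.get("role") or e.get("rule") or e.get("ip") or ""
            rows.append((e["ts"], e.get("user", "?"), e["event"], detail))
    return sorted(rows)

def affected_users(lines):
    """Accounts that need session revocation and credential rotation (step 2)."""
    return sorted({row[1] for row in build_timeline(lines)})

# Constructed sample log: two benign events, four from the step-1 alert list, one bad line.
SAMPLE_LOG = [
    '{"time":"2024-03-04T08:02:11Z","event":"SignIn","user":"ap@example.com","new_device":false,"ip":"203.0.113.10"}',
    '{"time":"2024-03-04T22:41:03Z","event":"SignIn","user":"ap@example.com","new_device":true,"ip":"198.51.100.7"}',
    '{"time":"2024-03-04T22:43:19Z","event":"InboxRuleCreated","user":"ap@example.com","rule":"Invoices"}',
    '{"time":"2024-03-05T01:10:00Z","event":"RoleAssigned","user":"ap@example.com","role":"Exchange Administrator"}',
    '{"time":"2024-03-05T01:12:44Z","event":"RecoveryMethodChange","user":"ceo@example.com"}',
    '{"time":"2024-03-05T09:00:00Z","event":"RoleAssigned","user":"it@example.com","role":"Reader"}',
    'not json at all',
]
```

The first flagged timestamp is the earliest point your timeline should start from; everything after it is what you reverse.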

Preserve before you rebuild. Rebuild after you understand what persistence mechanisms existed.

4) Stop money movement and vendor diversion

Many incidents are not "hackers breaking in" so much as attackers controlling communication. If you see invoice fraud or vendor diversion, treat it as business email compromise (BEC) until proven otherwise.

  • Freeze payment changes and require out-of-band verification for every vendor change.
  • Use known phone numbers or internal directories, not numbers found in emails.
  • Search mailboxes for rules that hide replies or auto-forward invoices.
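Steps 1 and 4 both come down to reading every mailbox rule and asking whether it forwards mail out of the organisation or hides finance traffic. This is an added example, not the article's own code: it audits a constructed rule export (the record shape, the internal domain list and the finance keywords are assumptions) and reports the rules that need review.

```python
from dataclasses import dataclass, field

# Assumptions for this example: the organisation's own domains and the words that
# mark the invoice and payment traffic the article says attackers hide or divert.
INTERNAL_DOMAINS = {"example.com"}
MONEY_WORDS = ("invoice", "payment", "wire", "remittance", "bank")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "deleted items", "junk email"}

@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)  # addresses mail is forwarded/redirected to
    move_to: str = ""                                # folder matching mail is filed into
    delete: bool = False                             # rule discards matching mail
    subject_contains: list = field(default_factory=list)

def is_external(addr: str) -> bool:
    return addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def audit_rule(rule: InboxRule) -> list:
    """Return the reasons a rule looks like persistence; an empty list means clean."""
    findings = []
    for addr in rule.forward_to:
        if is_external(addr):
            findings.append(f"forwards mail to external address {addr}")
    hides = rule.delete or rule.move_to.lower() in HIDING_FOLDERS
    money = any(w in s.lower() for s in rule.subject_contains for w in MONEY_WORDS)
    if hides and money:
        where = "delete" if rule.delete else f"moves to {rule.move_to}"
        findings.append(f"hides finance-related mail ({where})")
    elif hides and not rule.subject_contains:
        findings.append("hides every incoming message, which would suppress replies")
    return findings

def audit_mailboxes(rules: list) -> dict:
    """Map each mailbox to the (rule name, findings) pairs that need review."""
    flagged = {}
    for r in rules:
        f = audit_rule(r)
        if f:
            flagged.setdefault(r.mailbox, []).append((r.name, f))
    return flagged

# Constructed sample export: one benign rule and two matching the article's patterns.
SAMPLE_RULES = [
    InboxRule("ap@example.com", "Newsletters", move_to="Newsletters", subject_contains=["digest"]),
    InboxRule("ap@example.com", "Invoices", forward_to=["collect@mail-relay.invalid"], subject_contains=["invoice", "wire"]),
    InboxRule("ceo@example.com", "Cleanup", delete=True, subject_contains=["payment", "remittance"]),
]
```

Run audit_mailboxes over the export for every mailbox touched in the incident, not only the one that reported the problem, because the forwarding rule is usually on the finance inbox rather than the user who noticed.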

5) Use official reporting and recovery channels

When extortion, ransomware, or material fraud is involved, use official reporting channels. They create an evidence trail and can affect recovery options.

For phishing-driven incidents, your long-term fix is a reporting loop plus better authentication and recovery. Use "Train employees to spot phishing emails" as a practical operating model.

6) Hardening so this does not become a loop

Once the incident is contained, fix the structural causes that allowed persistence:

  • Separate admin identities from daily email identities.
  • Reduce admin count and review privileges quarterly.
  • Enforce strong authentication and restrict recovery methods for privileged roles.
  • Make restores real with restore drills, not assumptions.

Incidents end when the attacker loses access and you regain control of the reset channels. That is why the control plane comes first.

Over time, the best defense is not a single tool. It is the ability to detect identity changes quickly, revoke sessions decisively, and restore operations without negotiating for access.

If you build those constraints, most compromises become bounded events rather than recurring crises.