Incidents are stressful events and without preparation, people are prone to irrational, ineffective or excessive reactions. Planning how you will respond when you find a malicious mail rule ensures you respond calmly and efficiently.
The first decision is whether you will deal with this incident internally, or using an incident response service. External incident response should bring a level of expertise and experience to ensure a quick, thorough and effective response, but comes at a price that means it's not an option for everyone.
Incident response service
If you plan to make use of an external incident response service, you will likely have less preparation to do. However, you should ensure the following:
everyone who may receive malicious mail rule alerts understands when and how to initiate incident response.
if suspected account compromise is covered in pre-planned playbooks with your provider, ensure everyone in your team understands the details of the playbook and the role they play. You may have preparation steps expected to be in place if this incident type is initiated.
Your incident response service may recommend response steps that are different, or in a different order to those in our guide- always follow your incident response service's guidance. A big benefit of an incident response service is they are able to adapt their response to your context and do what is best for you, your organisation, and your scenario.
If you will be dealing with this incident internally, practice the response guide for Microsoft 365 or Google Workspace and ensure you, or whoever will be responding, understands and has sufficient privilege to complete the guide.
When responding to a suspected account compromise, we have four response steps:
Damage limitation: take some quick steps to minimise damage.
Understand the root cause: how was this account compromised?
Check if other users are compromised: is this account the only one affected?
Recovery: once we understand how the attack happened, and how widespread it is, we can comprehensively rebuild and clean up.
Although you may be tempted to jump straight to step 4, we need to understand how the attack happened and how widespread it is to sufficiently recover. However, our guide recommends some initial quick "damage limitation" steps to buy some time whilst you do a wider investigation.