The first hour of a suspected breach: a simple plan for a team with no IT department
If you suspect an account is compromised or a scam succeeded, the first hour matters. Here is a calm, step-by-step plan to prepare before you need it.
The worst moment to figure out your response plan is when something is actually going wrong. Read this now, while everything is fine, so you have a clear head if you ever need it.
First: slow down
When something looks wrong — a strange login alert, an employee who clicked a suspicious link, a client asking about a weird email that appeared to come from you — the instinct is to act fast. That is understandable. But the first minute should be about not making things worse.
Do not delete anything. Do not wipe the device, do not empty the trash, do not remove the suspicious email. Evidence matters, both for understanding what happened and for any insurance claim or report later.
Write down the time and what you are seeing right now, before memory starts filling in gaps.
Reset the password and sign out everywhere
If you believe an account has been compromised, the most important immediate step is cutting off access.
- Go to the Microsoft 365 admin center (or wherever you manage accounts).
- Reset the password to something new — ideally generated by a password manager rather than typed.
- Sign the account out of all active sessions. Microsoft 365 has an option to revoke all active sign-ins, which forces anyone using a stolen session to re-authenticate. They cannot, because you just changed the password.
Do this for the specific account affected. If an admin account was involved, treat every admin account as potentially compromised.
Verify MFA is on
If MFA (multi-factor authentication — the secondary code or app prompt after your password) was not enabled on the affected account, turn it on now for that account and check every other account while you are there.
If MFA was already on and the attacker still got in, that is a more serious situation. Note it and flag it to your IT contact — it can indicate a more sophisticated attack.
Check for email forwarding rules
One of the first things attackers do after gaining access to a mailbox is create a forwarding rule — a quiet, automatic copy of every incoming email sent to an address they control. It runs silently in the background and is easy to miss.
In Outlook or the Microsoft 365 admin center, look at the affected account's inbox rules. Delete anything you do not recognize. Check whether email is being forwarded to an outside address. This step is easy to skip and worth doing even if you are not certain anything bad happened.
Call your bank if money is involved
If the suspected breach touched anything financial — an unusual wire transfer, a change of payment details, a vendor invoice you now doubt — call your bank immediately. Do not email. Do not fill out an online form. Call directly, reference the transaction, and ask them to attempt a recall.
Banks have a short window to stop or recover fraudulent transfers. Hours matter more than almost anything else at this stage.
Tell your IT person or provider
Even if you think you have handled the immediate steps, tell someone who knows your environment. A managed IT provider or a technically capable contractor can check for things you might not know to look for — other affected accounts, signs that access spread beyond the first account, anything set up to maintain a foothold after the initial password reset.
If you do not have anyone like this, now is a good time to identify someone before you need them. A one-time incident response call with an IT consultant is not expensive relative to the cost of missing something.
Notify your insurer if you have cyber coverage
Cyber insurance policies typically have a reporting window — usually 24 to 72 hours after discovering an incident. Miss that window and a claim can be denied. Pull out your policy now and find the breach-reporting number. Keep it somewhere obvious alongside this plan.
Write down what happened
Before the details blur, document:
- What you noticed and when
- Which accounts or systems were affected
- Every step you took and when you took it
- Who you contacted
This log protects you in any insurance, legal, or regulatory situation, and helps your IT person understand the sequence of events when they dig in.
Prepare this as a one-page plan now
Print this out. Put it in a folder. Make sure whoever covers for you when you are out knows where it is. The decisions in the first hour of a security incident are a lot clearer when you made them in advance, not under pressure.
Tenant Strike handles the preventive side: it reads your Microsoft 365 and Azure configuration in read-only mode and flags the gaps — accounts without MFA, unchecked forwarding rules, apps with more access than they should have — so you can close them before an incident starts. A five-minute scan now is easier than a first hour you were not ready for.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.