AD6.7 The After-Hours Decision
Figure AD6.7 — The after-hours decision matrix. "Respond now" for active threats where minutes matter. "Escalate to SOC" for confirmed compromises that need overnight monitoring. "Morning triage" for contained threats that can wait 8 hours. The decision is based on whether the attacker has active access — not on the alert severity alone.
The decision criterion: active attacker access
The after-hours decision comes down to one question: does the attacker currently have active access to your environment?
If yes (active session, credentials working, no containment in place), you need to act — either respond yourself or escalate to a SOC. Every hour of inaction is an hour of attacker access.
If no (Safe Links blocked the click, CA policy denied the sign-in, the phishing email was quarantined), the threat is contained and the investigation can wait until morning. You lose nothing by sleeping: the control already did the containment. The morning check then confirms the block held, that is, no sign-in by the targeted user followed the blocked click and no copy of the email reached other recipients.
If uncertain (suspicious sign-in from unfamiliar IP but no confirmed post-compromise activity), take the minimum containment action from your phone or laptop (revoke sessions — one PowerShell command or one portal click), then investigate fully in the morning. Revoking sessions is safe even if the sign-in turns out to be legitimate — the user re-authenticates the next time they access M365. The cost of an unnecessary session revocation at 22:00 is one re-authentication prompt. The cost of NOT revoking when it's a real compromise is overnight attacker access.
The "phone response" — minimum viable containment
If you receive a high-severity alert after hours and need to respond from your phone:
Option 1 — Entra portal on mobile browser: Navigate to entra.microsoft.com on your phone's browser → Users → search for the user → "Revoke sessions." This takes about 30 seconds of your time and invalidates the user's refresh tokens and browser sessions. Access tokens the attacker already holds keep working until they expire (typically up to an hour) unless the client supports Continuous Access Evaluation, which enforces the revocation in near real time. Then investigate fully in the morning.
Option 2 — Azure mobile app: The Microsoft Azure mobile app includes Entra ID user management. You can revoke sessions and reset passwords from the app without opening a browser.
Option 3 — Phone the managed SOC: If you have a SOC partner, call their escalation number and tell them to revoke sessions for the affected user immediately. They have portal access and can execute in real-time while you provide context by phone.
The minimum viable containment (revoke sessions) takes 30 seconds from any device. Treat it as buying time rather than closing the incident: if the attacker also holds a working password (adversary-in-the-middle phishing captures the password along with the session), they can simply sign in again, so a confirmed compromise also needs a password reset or the account disabled ("Account enabled" on the same user page), done by you from a laptop or by the SOC. Full investigation can wait for a proper workstation in the morning. Don't attempt to investigate sign-in logs, check inbox rules, or run PowerShell scripts from your phone at midnight; you'll miss things and make mistakes. Contain, then investigate properly when you're at your desk, rested, and have your full toolkit available.
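The laptop version of the same containment, as an added example that is not part of the course: a wrapper around the Microsoft Graph PowerShell SDK that revokes the user's sessions, optionally disables the account, reads back SignInSessionsValidFromDateTime as proof the revocation took effect, and emits the line you paste into the SOC escalation email. The cmdlets and permission scopes are the SDK's; the function name, parameters and note format are assumptions of this example, as are the placeholder user and incident ID in the usage line.

```powershell
# Added example, not course material. Requires the Microsoft.Graph PowerShell module
# (Install-Module Microsoft.Graph) and a role allowed to revoke sessions and disable
# users. Least-privileged delegated scopes for the two write actions:
#   User.RevokeSessions.All       -> Revoke-MgUserSignInSession
#   User.EnableDisableAccount.All -> Update-MgUser -AccountEnabled
function Invoke-AfterHoursContainment {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$IncidentId = 'unknown',
        # Use when the attacker may hold a working password (AitM / token replay):
        # revocation alone lets them sign straight back in.
        [switch]$DisableAccount
    )

    Connect-MgGraph -Scopes 'User.Read.All', 'User.RevokeSessions.All', 'User.EnableDisableAccount.All' -NoWelcome

    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property 'Id,UserPrincipalName,AccountEnabled,SignInSessionsValidFromDateTime'
    $validFromBefore = $user.SignInSessionsValidFromDateTime

    # Invalidates refresh tokens and browser session cookies. Access tokens already
    # issued survive until expiry (typically up to an hour) unless the client uses
    # Continuous Access Evaluation, which enforces the revocation in near real time.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

    if ($DisableAccount) {
        # Blocks new sign-ins even with the correct password and a satisfied MFA.
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
    }

    # Read back the tenant's own record of the revocation. The timestamp moves to
    # "now" when revokeSignInSessions succeeded; an unchanged value means it did not.
    $after   = Get-MgUser -UserId $user.Id -Property 'AccountEnabled,SignInSessionsValidFromDateTime'
    $revoked = ($null -ne $after.SignInSessionsValidFromDateTime) -and
               ($after.SignInSessionsValidFromDateTime -ne $validFromBefore)

    $stamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd HH:mm') + ' UTC'
    $extra = if ($DisableAccount) { ', account disabled' } else { '' }

    [pscustomobject]@{
        User            = $user.UserPrincipalName
        IncidentId      = $IncidentId
        SessionsRevoked = $revoked
        AccountEnabled  = $after.AccountEnabled
        ValidFrom       = $after.SignInSessionsValidFromDateTime
        # Paste-ready line for the SOC escalation email (format from the "Try it" section).
        SocNote         = "HIGH SEVERITY - $IncidentId - $($user.UserPrincipalName) - Sessions revoked at $stamp$extra. Please investigate and monitor. Full investigation at 09:00."
    }
}

# Usage from a laptop (user and incident ID are placeholders):
# Invoke-AfterHoursContainment -UserPrincipalName 'a.patel@contoso.example' -IncidentId 12345 -DisableAccount
```

If SessionsRevoked comes back false, the call did not land (wrong account, missing role, or a transient Graph error): repeat it or fall back to the portal click before you stop for the night. The -DisableAccount switch is the laptop equivalent of "block sign-in"; leave it off when the sign-in is merely suspicious and you only want the cheap, reversible action.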
Weekend and holiday incident patterns
Attackers favour weekends and holidays, not because they know your schedule but because automated attack tooling runs continuously, and a credential compromised on Friday evening has the longest window before anyone looks on Monday morning. With a business-hours monitoring cadence, Friday 17:00 to Monday 09:00 is a 64-hour gap, your longest undetected window.
Mitigations for the weekend gap:
High-severity alert notifications (AD5.6) — configured for immediate email, these push critical events to you regardless of the day. You don't need to be at your desk to receive them.
Managed SOC coverage — the SOC monitors 24/7 including weekends. For high-severity events, they can contain immediately and notify you for follow-up.
Automatic attack disruption (AD6.8) — Microsoft's automated containment fires regardless of whether anyone is monitoring. A BEC attack at 02:00 on Saturday may be automatically disrupted before anyone sees the alert.
Monday review prioritisation — start every Monday review by checking the incident queue sorted by newest first. Weekend incidents appear at the top. Investigate these before the stable checks (Secure Score, compliance rate).
If your quarterly report shows a pattern of incidents occurring on weekends with Monday detection, that's evidence for the managed SOC business case: "4 of 6 incidents in Q2 occurred outside business hours. Detection delay averaged 36 hours. Managed SOC coverage would reduce this to under 1 hour."
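To put numbers on the weekend gap for that business case, here is an added example (not course material) in PowerShell: it computes how long each detection waits until the next weekday 09:00, then summarises what share of a constructed incident list fell outside business hours and the average unattended window. Business hours of Monday to Friday 09:00 to 17:00 are assumed; the sample timestamps are the four scenarios from this module placed in the week of 2 June 2025 plus two in-hours detections, all constructed for the example.

```powershell
# Added example, not course material. Business hours assumed Mon-Fri 09:00-17:00
# local time, matching the module's Friday 17:00 to Monday 09:00 framing.
function Get-UnattendedHours {
    param(
        [Parameter(Mandatory)][datetime]$DetectedAt,
        [int]$StartHour = 9,
        [int]$EndHour = 17
    )
    $weekend = 'Saturday', 'Sunday'
    # Detected while someone is on duty: no unattended window.
    if ($DetectedAt.DayOfWeek -notin $weekend -and
        $DetectedAt.Hour -ge $StartHour -and $DetectedAt.Hour -lt $EndHour) {
        return 0.0
    }
    # Otherwise the window runs to the next weekday start of business.
    $next = $DetectedAt.Date.AddHours($StartHour)
    if ($next -le $DetectedAt) { $next = $next.AddDays(1) }
    while ($next.DayOfWeek -in $weekend) { $next = $next.AddDays(1) }
    return [math]::Round(($next - $DetectedAt).TotalHours, 1)
}

function Get-AfterHoursSummary {
    param([Parameter(Mandatory)][object[]]$Incidents)
    $rows = foreach ($i in $Incidents) {
        [pscustomobject]@{
            Id              = $i.Id
            Day             = $i.DetectedAt.DayOfWeek
            DetectedAt      = $i.DetectedAt
            UnattendedHours = Get-UnattendedHours -DetectedAt $i.DetectedAt
        }
    }
    $outside = @($rows | Where-Object { $_.UnattendedHours -gt 0 })
    $avg = if ($outside.Count) {
        ($outside | Measure-Object -Property UnattendedHours -Average).Average
    } else { 0 }
    [pscustomobject]@{
        Total                  = $rows.Count
        OutOfHours             = $outside.Count
        AverageUnattendedHours = [math]::Round($avg, 1)
        Rows                   = $rows
    }
}

# Constructed sample: the four scenario timestamps from this module (week of 2 June 2025)
# plus two detections during business hours. Replace with createdDateTime values from
# your Defender incident queue to get your own figure.
$incidents = @(
    [pscustomobject]@{ Id = 'INC-A'; DetectedAt = [datetime]'2025-06-07 14:00' }  # Saturday, phishing
    [pscustomobject]@{ Id = 'INC-B'; DetectedAt = [datetime]'2025-06-04 21:00' }  # Wednesday, a.patel
    [pscustomobject]@{ Id = 'INC-C'; DetectedAt = [datetime]'2025-06-08 02:00' }  # Sunday, s.chen
    [pscustomobject]@{ Id = 'INC-D'; DetectedAt = [datetime]'2025-06-06 19:00' }  # Friday, ransomware
    [pscustomobject]@{ Id = 'INC-E'; DetectedAt = [datetime]'2025-06-03 10:30' }  # Tuesday, in hours
    [pscustomobject]@{ Id = 'INC-F'; DetectedAt = [datetime]'2025-06-05 15:00' }  # Thursday, in hours
)

$summary = Get-AfterHoursSummary -Incidents $incidents
$summary.Rows | Format-Table Id, Day, DetectedAt, UnattendedHours
"$($summary.OutOfHours) of $($summary.Total) detections were out of hours; average unattended window $($summary.AverageUnattendedHours) h"
```

For that sample the out-of-hours cases wait 43, 12, 31 and 62 hours (Saturday 14:00, Wednesday 21:00, Sunday 02:00 and Friday 19:00), so 4 of 6 detections are unattended, for an average of 37 hours. The unattended window measures exposure, not your actual response time; pair it with the real detection-to-first-action delay from the incident queue when you write the quarterly sentence.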
Setting personal boundaries for after-hours response
As an IT administrator who also handles security, establish clear boundaries:
What you WILL do after hours: Check your phone for high-severity alert notifications. If one arrives, execute the minimum viable containment (revoke sessions — 30 seconds from your phone). Forward the alert to the managed SOC if available. Note the incident for morning follow-up.
What you will NOT do after hours: Full investigations from your phone. PowerShell scripting at midnight. Multi-hour incident responses without on-call compensation. These activities need a proper workstation, a clear head, and ideally the business context that comes from contacting users and managers during working hours.
Communicate these boundaries to your manager. "I receive high-severity security alerts on my phone and can take basic containment actions (revoking compromised sessions) in under a minute. For full investigation and response, I'll work from my desk during normal hours. If the organization needs guaranteed after-hours security response beyond basic containment, we should evaluate either formal on-call arrangements or managed SOC coverage."
This isn't being unhelpful — it's being honest about what sustainable security monitoring looks like for a solo IT administrator. Burning out on midnight incident responses helps nobody, and a tired responder makes more mistakes than a rested one who starts at 09:00. The procedures in this module are designed for exactly this model: minimum viable containment after hours (30 seconds), full response during business hours (15-20 minutes).
Worked after-hours scenarios
Scenario A — Saturday 14:00, phishing email detected. Alert: "Phishing email delivered to 3 users." Safe Links shows all 3 clicks were blocked. This is a "morning triage": Safe Links contained the threat and there is no active attacker access. Note it, enjoy your Saturday, and handle it Monday: purge the email, block the sender, check the three users' sign-in logs for anything that followed the blocked clicks, close the incident.
Scenario B — Wednesday 21:00, credential compromise for a.patel (standard user). Alert: "Suspicious sign-in from unfamiliar location." The sign-in log shows "MFA requirement satisfied by claim in the token", which together with the unfamiliar location points to a replayed session token (adversary-in-the-middle phishing) rather than a completed MFA challenge. Post-compromise activity: 2 inbox rules created. You have a managed SOC. Response: from your phone, revoke a.patel's sessions (1 minute). Email the SOC: "Incident ID 12345 — confirmed credential compromise, sessions revoked. BEC indicators present (inbox rules). Please monitor overnight and disable the rules if you have mailbox access. I'll complete full response at 09:00 tomorrow." Then go to sleep. You've cut off the replayed session; the password the same phishing kit captured still works, so ask the SOC to reset it overnight if they can, otherwise it is your first action at 09:00. The SOC monitors. You complete AD6.2 steps 3-5 in the morning.
Scenario C — Sunday 02:00, credential compromise for s.chen (CEO). Alert: "Suspicious sign-in followed by inbox manipulation — executive account." This is "respond NOW" regardless of the time. The CEO's mailbox contains board communications, financial decisions, and strategic plans. From your phone: revoke sessions immediately. Call the SOC's emergency number (don't email — this needs immediate confirmation). From your laptop (if accessible): reset s.chen's password. Send a text or call s.chen directly: "Your M365 account was temporarily secured due to a security event. I'll call you at 09:00 to explain and help you sign back in." Complete the full response first thing in the morning.
Scenario D — Friday 19:00, ransomware indicators on file server. Alert from SOC or Defender: "Suspicious file encryption activity." This is "respond NOW": ransomware is time-critical, and every minute of encryption means more data lost. From your phone: confirm the SOC can isolate the server (if MDE-managed). If not MDE-managed, call someone who can physically reach the server and unplug its network cable (or shut its switch port). Prefer isolation to power-off where you can: with the network cut the malware can't spread or call home, and the server's memory holds artefacts the IR team will want. Don't try to investigate the ransomware yourself; network isolation is the only after-hours action. Everything else waits for proper investigation in the morning (or for the external IR team if ransomware is confirmed).
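Scenario B asks the SOC to disable the attacker's inbox rules, and the morning procedure starts with the same check. As an added example that is not the course's own procedure, this Exchange Online PowerShell finds rules showing the usual BEC patterns (forwarding or redirecting, deleting, hiding mail in RSS or similar folders, keying on payment or security keywords, blank names), exports every rule as evidence, and disables the flagged ones. The cmdlets are the ExchangeOnlineManagement module's; the scoring heuristics, function names and placeholder mailbox are assumptions of this example.

```powershell
# Added example, not course material. Requires the ExchangeOnlineManagement module and
# Connect-ExchangeOnline as a role holder with mailbox admin rights. The heuristics
# below are this example's own; tune the folder and keyword lists to your tenant.
function Get-SuspiciousInboxRule {
    param([Parameter(Mandatory)][string]$Mailbox)

    # -IncludeHidden also returns rules created over protocols that Outlook does not display.
    foreach ($rule in Get-InboxRule -Mailbox $Mailbox -IncludeHidden) {
        $reasons = @()
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards or redirects mail'
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes mail' }
        if ($rule.MoveToFolder -match 'RSS|Conversation History|Archive|Junk|Deleted') {
            $reasons += "hides mail in $($rule.MoveToFolder)"
        }
        if ($rule.MarkAsRead) { $reasons += 'marks mail as read' }
        $words = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.FromAddressContainsWords)
        if (($words -join ' ') -match 'invoice|payment|wire|remittance|bank|password|phish|security alert') {
            $reasons += 'keys on finance or security keywords'
        }
        if (-not $rule.Name -or $rule.Name.Trim().Length -le 2) { $reasons += 'blank or near-blank name' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Mailbox = $Mailbox
                Rule    = $rule.Name
                Id      = $rule.RuleIdentity
                Enabled = $rule.Enabled
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Record first, then disable. The export is the evidence the SOC and the user's
# manager will ask for; disabling (not deleting) keeps the rule available to the investigation.
function Disable-SuspiciousInboxRule {
    param(
        [Parameter(Mandatory)][string]$Mailbox,
        [string]$EvidencePath = ".\inboxrules-$Mailbox.csv"
    )
    Get-InboxRule -Mailbox $Mailbox -IncludeHidden | Export-Csv -Path $EvidencePath -NoTypeInformation
    $flagged = @(Get-SuspiciousInboxRule -Mailbox $Mailbox)
    foreach ($r in ($flagged | Where-Object { $_.Enabled })) {
        Disable-InboxRule -Mailbox $Mailbox -Identity $r.Id -Confirm:$false
    }
    $flagged
}

# Usage (placeholder mailbox):
# Connect-ExchangeOnline
# Disable-SuspiciousInboxRule -Mailbox 'a.patel@contoso.example' | Format-Table Rule, Enabled, Reasons
```

Review the flagged list before trusting it: a user's own "move newsletters to Archive" rule will match the folder heuristic, which is why the function only disables rules rather than removing them. Rules the user confirms as theirs can be re-enabled with Enable-InboxRule once the account is back in their hands.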
Communicating after-hours containment to users
If you revoke sessions or reset passwords after hours, the affected user may try to sign in and find themselves locked out. Prepare a brief message:
Template (SMS or Teams): "Hi [name], your M365 account was secured at [time] due to a security event. You may be unable to sign in until I can assist you. I'll contact you at [time] to help you sign back in. No action is needed from your side. If urgent, call me at [phone]."
This message: confirms the lockout is deliberate (not a system failure), sets expectations for when they'll regain access, prevents the user from attempting password recovery (which could interfere with your response), and provides a contact method for genuine urgency.
Don't send this message via the compromised user's M365 email. Revocation invalidates refresh tokens, but an access token the attacker already holds can stay valid for up to an hour, long enough to read your message and learn what you know. Use SMS, a phone call, or a messaging app outside M365.
It's 23:30 on a Friday. You receive a high-severity notification: "Suspicious sign-in followed by inbox manipulation" for user s.chen (the finance director). The Defender incident shows sign-in from an unfamiliar IP and 2 inbox rules created. You have a managed SOC. What do you do?
Option A: It's Friday night — investigate Monday morning.
Option B: From your phone: revoke s.chen's sessions immediately (1 minute). Forward the alert to the managed SOC with: "Finance director account — confirmed compromise. Sessions revoked. Please investigate and monitor overnight. I'll complete the full procedure at 09:00 tomorrow." Then go back to sleep — the SOC has it covered, and you'll do the full AD6.2 + AD6.4 (BEC for finance director) procedure in the morning.
The correct answer is Option B. The finance director's account is high-value for BEC: the attacker is most likely after payment workflows. Friday 23:30 to Monday 09:00 is nearly 60 hours of potential attacker access. Revoking sessions from your phone takes 1 minute and cuts off the active session; if the attacker also holds the password, the SOC can reset it overnight. The SOC provides overnight monitoring. You complete the thorough response in the morning when you can properly investigate inbox rules, sent items, and potential BEC indicators.
Try it: Test mobile containment
From your phone (not your work computer), try these containment actions:
1. Mobile browser: Navigate to entra.microsoft.com on your phone. Sign in. Navigate to a test user. Find the "Revoke sessions" button. (Don't click it on a production user — just verify you can find it.)
2. Azure mobile app: Install the Microsoft Azure app. Sign in. Navigate to Entra ID → Users → search for a test user. Verify you can access user management functions.
3. Managed SOC escalation: Save the SOC's escalation phone number in your phone contacts. Save their escalation email as a draft template: "HIGH SEVERITY — [Incident ID] — [User] — Sessions revoked at [time]. Please investigate and monitor. Full investigation at 09:00."
Test these on a quiet afternoon — not at 23:30 during a real incident. When the real incident happens, you'll know exactly how to respond from your phone in under 2 minutes.
You're reading the free modules of M365 Security: From Admin to Defender