13.7 Containment Playbook

2–3 hours · Module 13

Containment Playbook

You have confirmed token replay for j.morrison. The attacker is actively accessing the mailbox. Every second of delay means more emails read, more intelligence gathered, more risk of lateral movement. Containment follows a strict sequence.

The 7-step containment sequence

Step 1: Revoke all sessions. Defender portal, User entity, Actions, Revoke sessions. This invalidates ALL active tokens, session and refresh. The attacker loses access within seconds. This is always the first action.

Step 2: Force password reset. Entra ID, User, Reset password. The proxy captured credentials in addition to the token. Without a password reset, the attacker could sign in again with the stolen password after revocation.

Step 3: Force MFA re-registration. Entra ID, User, Authentication methods, Require re-register MFA. If the attacker registered their own phone or authenticator app during the 25-minute access window, this removes all registered methods and forces the legitimate user to re-register from a known clean device.

Step 4: Remove malicious inbox rules. Document the rule first (screenshot plus details for the incident report), then delete it via Exchange admin centre or PowerShell. The “Security notifications” rule created at 09:25 is actively hiding compromise evidence from the user.

Step 5: Verify no mail forwarding. Check ForwardingSmtpAddress and ForwardingAddress on the mailbox. Check inbox rules with redirect or forward actions. Check transport rules matching this user. Result: clean.

Step 6: Verify no OAuth grants. Check AuditLogs for “Consent to application” events. OAuth grants persist beyond session revocation. If the attacker granted a malicious app access to the mailbox, that app retains access even after password reset. Result: clean.

Step 7: Contact user by phone. Call the user directly to a verified number. Do NOT use email (the inbox rule may still be active or forwarding may exist that you missed). Do NOT use Teams (the attacker may still have access to other M365 apps if revocation has not fully propagated). Phone call is the only secure channel.

Document before you delete

The inbox rule is evidence. Record its name, conditions, actions, creation timestamp, and the IP that created it before removing it. This goes in the incident report and may be needed for regulatory filings or legal proceedings. Delete evidence and you may face questions about chain of custody.

Containment verification query

After completing all 7 steps, verify the attacker no longer has access:

1
2
3
4
5
6
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(1h)
| where UserPrincipalName =~ "j.morrison@northgateeng.com"
| where IPAddress == "203.0.113.45"
| project TimeGenerated, ResultType, AppDisplayName, IPAddress
| sort by TimeGenerated desc

Expected result: no new events from the attacker IP, or events with ResultType != 0 (token rejected). If you see successful events after revocation, containment failed. Escalate immediately.

Timeline

Time	Action	Status
09:42	Sessions revoked	Token invalidated
09:43	Password reset	Credentials invalidated
09:44	MFA re-registration required	MFA methods secured
09:47	Inbox rule documented and removed	Persistence eliminated
09:48	Forwarding verified clean	No external forwarding
09:49	OAuth grants verified clean	No app persistence
09:50	User contacted by phone	Informed, cooperating

Total containment time: 8 minutes from investigation start. The 25-minute attacker access window (09:17 click to 09:42 revocation) includes the triage and investigation time. In a mature SOC with pre-built playbooks, this window can be reduced to under 10 minutes.

Check your understanding

1. Why must you check OAuth grants even after revoking sessions and resetting the password?

OAuth grants expire with the session

OAuth grants are the same as inbox rules

OAuth grants persist independently of user sessions and passwords. A malicious app with mailbox read permission retains that access until the grant is explicitly revoked, regardless of session or password changes.

OAuth grants are application-level permissions, not user-session-level. Revoking the user's sessions stops the user's tokens but does not revoke permissions granted to applications. If the attacker consented to a malicious app with Mail.Read permissions, that app continues reading email silently.

2. You complete all 7 containment steps but still see successful non-interactive sign-ins from the attacker IP 15 minutes later. What is the most likely cause?

Token revocation takes time

The query results are delayed

The attacker has a second access path you have not identified, such as an OAuth grant you missed, a second compromised account, or a compromised device with cached tokens. Escalate and expand scope.

Continued access after full containment means a gap in your containment scope. The most common causes: an OAuth app grant that persists, a second compromised account being used as a pivot, or device-level token cache that was not cleared. Treat this as a containment failure and immediately expand your investigation.

← 13.8 Eradication and Verification 13.6 Wave 1: Post-Compromise Activity →