Phishing Education

Credential Compromise Response Checklist

By Editorial Team Published

Credential Compromise Response Checklist

When phishing successfully captures credentials, the clock starts. Attackers typically begin exploiting stolen credentials within minutes — setting up persistence mechanisms, accessing data, and initiating lateral movement. NIST SP 800-61r3 and CISA’s incident response guidance both emphasize that credential compromise requires the fastest possible containment response.

This checklist provides the immediate, short-term, and long-term actions required when credentials are confirmed or suspected compromised.

Immediate Actions (First 30 Minutes)

These actions should begin the moment credential compromise is suspected, not confirmed. Waiting for confirmation costs critical time.

1. Disable the Compromised Account

  • Disable or suspend the account in your identity provider (Active Directory, Azure AD, Okta, Google Workspace)
  • Do not simply reset the password — attackers may have established alternative access paths
  • If the account cannot be immediately disabled, force sign-out from all active sessions

2. Revoke Active Sessions and Tokens

  • Revoke all OAuth tokens and refresh tokens associated with the account
  • Terminate active sessions across all connected applications
  • Invalidate any API keys or service account tokens the user controls
  • In Microsoft 365: revoke sessions via Azure AD; in Google Workspace: revoke application-specific passwords

3. Check for Persistence Mechanisms

Attackers commonly establish these within minutes of gaining access:

  • Email forwarding rules: Check for new rules forwarding email to external addresses
  • Inbox rules: Look for rules that move, delete, or mark messages as read (hiding attacker activity)
  • OAuth app grants: Check for new third-party application consents
  • Delegated access: Review mailbox delegation and shared access grants
  • MFA registration: Check if new MFA devices or phone numbers were registered
  • Connected accounts: Review linked accounts and social logins

4. Preserve Evidence

Before making changes that could overwrite evidence:

  • Export audit logs for the compromised account (sign-in logs, activity logs)
  • Screenshot any attacker-created rules, apps, or settings
  • Note the timeline: when the phishing email was received, when credentials were entered, when compromise was detected
  • See our phishing forensics guide for comprehensive evidence preservation

Short-Term Actions (First 24 Hours)

5. Reset Credentials Securely

  • Reset the account password using a verified secure channel (not email, which may be compromised)
  • Verify the user’s identity through an out-of-band method before restoring access
  • Require enrollment of phishing-resistant MFA (FIDO2/passkeys) before account restoration
  • Reset passwords for any other accounts where the user reused the compromised password

6. Assess Scope of Access

Determine what the attacker could have accessed with the compromised credentials:

  • Email: Search for sensitive data in the mailbox (financial records, credentials, PII)
  • Cloud storage: Review recent file access and download logs (OneDrive, SharePoint, Google Drive)
  • Internal applications: Check access logs for line-of-business applications
  • VPN/Remote access: Review VPN connection logs for unusual locations or times
  • Privileged access: If the account had admin privileges, assume broader compromise

7. Check for Lateral Movement

  • Search authentication logs for the compromised account being used to access other systems
  • Look for internal phishing sent from the compromised account to other employees
  • Check if the attacker used the compromised account to reset passwords on other accounts
  • Review BEC indicators — was the account used to send fraudulent payment requests?

8. Notify Affected Parties

  • Inform the user whose credentials were compromised (with clear instructions, not blame)
  • Notify anyone who received email from the compromised account during the attack window
  • Alert external contacts if the compromised account sent phishing or fraudulent requests
  • Notify management and legal if sensitive data was exposed

9. Block Attacker Infrastructure

  • Block the phishing URL and domain at web proxy and DNS
  • Block the attacker’s IP addresses at the firewall
  • Add the phishing email’s sender, subject, and URLs to email gateway block lists
  • Report the phishing infrastructure — see our reporting guide

Long-Term Actions (First Week)

10. Organizational Credential Sweep

If the phishing campaign targeted multiple employees, assume additional compromises:

  • Force password resets for all targeted users, not just confirmed victims
  • Review authentication logs for anomalous sign-ins across the organization
  • Check dark web credential databases (HaveIBeenPwned, threat intelligence feeds) for organizational email addresses

11. Enhance Technical Controls

Based on the incident, implement or strengthen:

  • DMARC/SPF/DKIM if the phishing impersonated your domain
  • Email filtering rules to catch similar attacks
  • Conditional access policies requiring compliant devices and trusted locations
  • Zero trust controls limiting what any single account can access

12. Conduct Lessons Learned

Following your incident response plan:

  • Document the full incident timeline
  • Identify what detection and prevention controls failed
  • Calculate time-to-detect and time-to-contain
  • Update security awareness training to address the specific technique used
  • File reports with IC3, FTC, and CISA

Personal Account Compromise Checklist

For individuals whose personal accounts (banking, email, social media) were compromised through phishing:

  1. Change the password immediately from a clean device
  2. Enable MFA — preferably FIDO2/passkeys
  3. Check account recovery settings — remove any attacker-added email/phone
  4. Review recent account activity for unauthorized access
  5. Check financial accounts for unauthorized transactions
  6. Place a fraud alert with credit bureaus (Equifax, Experian, TransUnion)
  7. Report to IC3 at ic3.gov if financial loss occurred
  8. Report to FTC at identitytheft.gov for identity theft
  9. Monitor accounts for the next 90 days for delayed exploitation

Key Takeaways

  • Speed is critical: disable accounts and revoke sessions within 30 minutes of suspected compromise
  • Check for persistence mechanisms (forwarding rules, OAuth apps, MFA changes) before assuming the threat is contained
  • Scope assessment determines whether the incident stays contained or requires escalation
  • Force MFA re-enrollment (preferably phishing-resistant) before restoring access
  • Personal account compromise requires fraud alerts and credit monitoring
  • Every credential compromise should produce lessons learned that improve defenses

For the complete phishing defense framework, see our phishing recognition and reporting guide.

Sources

This content is for educational purposes only. Organizations should adapt this checklist to their specific environment, identity infrastructure, and regulatory requirements.

More in Phishing Education

Phishing Recognition and Reporting: Complete Guide Guide Complete Phishing Protection Guide 2026 Guide What Is Phishing? A Complete Guide to Recognizing and Avoiding Attacks Guide AI-Generated Phishing Detection and Defense

View all Phishing Education articles →