Phishing Incident Response for Businesses
Email compromised? Every minute the attacker still has access widens the blast radius. Senior Dutch incident responders on every case.
What to do right now
- 01 Do not delete anything
Preserve evidence: mailbox contents, headers, sign-in and audit logs, session snapshots, and any ransom note or malware binary. Do not reset passwords yet (a plain reset leaves existing session tokens valid), do not delete suspicious emails, and do not power off systems unless data is actively being encrypted. Evidence lost now cannot be recovered later.
- 02 Revoke sessions on the compromised account
If you know which account is affected, revoke its active sessions and disable it. For Microsoft 365: go to the admin center, find the user, and select 'Sign out of all sessions.' This invalidates refresh tokens and session cookies while preserving the audit trail. Review MFA methods and OAuth grants on the same account before resetting the password.
- 03 Call us
Call 088 SECDESK (7323375). A senior incident responder picks up, not a call center. We start working on your case immediately. If the incident involves ransomware, a data breach, or business email compromise, every hour matters.
How we help
Containment
We stop the attacker. Active sessions and refresh tokens are revoked, compromised accounts are disabled, attacker-added MFA methods and malicious OAuth grants are removed, and mailbox forwarding or auto-delete rules are deleted. For ransomware, we isolate affected hosts from the network (without powering them off, to preserve volatile memory and decryption keys). The goal: cut off attacker access within hours, not days.
Investigation
We trace the full attack timeline. How did the attacker get in? What data was accessed? We analyse Entra ID (Azure AD) sign-in logs, the Microsoft 365 Unified Audit Log, mailbox audit logs, EDR telemetry, and file access logs. We check what most IT teams miss: OAuth consent grants, hidden mailbox rules (auto-forward, auto-delete, move to RSS Feeds), Power Automate flows, attacker-added MFA methods, conditional access exclusions, and lateral movement across your tenant.
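As an added illustration (not SecDesk's tooling or code), the following Python triages exported Microsoft 365 Unified Audit Log records for the mailbox-rule and forwarding patterns listed above; the audit records, account names and addresses are constructed for the example.

```python
"""Triage Unified Audit Log (UAL) AuditData records for inbox-rule persistence:
forwarding/redirecting, deleting, or parking mail in an out-of-sight folder.
The sample records below are constructed, not taken from a real tenant."""
import json

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders where a rule can park mail out of the owner's normal view.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}

def parameters(record):
    """Exchange admin UAL records carry cmdlet arguments as {Name, Value} pairs."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}

def classify(record):
    """Return the reasons a record is suspicious; an empty list means benign."""
    reasons, op, p = [], record.get("Operation", ""), parameters(record)
    if op in RULE_OPS:
        if p.keys() & EXFIL_PARAMS:
            reasons.append("inbox rule forwards or redirects mail")
        if p.get("DeleteMessage", "").lower() == "true":
            reasons.append("inbox rule deletes matching mail")
        folder = p.get("MoveToFolder", "")
        if folder.lower() in HIDING_FOLDERS:
            reasons.append(f"inbox rule moves mail to '{folder}'")
    elif op == "Set-Mailbox" and p.get("ForwardingSmtpAddress"):
        reasons.append("mailbox-level SMTP forwarding configured")
    return reasons

def scan(audit_lines):
    """Return (time, actor, operation, reasons) for every suspicious record."""
    findings = []
    for line in audit_lines:
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            findings.append((rec["CreationTime"], rec["UserId"], rec["Operation"], reasons))
    return findings

# Constructed AuditData payloads, one JSON object per line as exported from the UAL.
SAMPLE_LOG = [
    '{"CreationTime":"2024-05-01T08:12:03","UserId":"finance@example.test","Operation":"New-InboxRule",'
    '"Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@mail.example.invalid"},'
    '{"Name":"DeleteMessage","Value":"True"},{"Name":"SubjectContainsWords","Value":"invoice;payment"}]}',
    '{"CreationTime":"2024-05-01T08:15:40","UserId":"finance@example.test","Operation":"Set-InboxRule",'
    '"Parameters":[{"Name":"Identity","Value":"."},{"Name":"MoveToFolder","Value":"RSS Feeds"}]}',
    '{"CreationTime":"2024-05-01T09:00:00","UserId":"alice@example.test","Operation":"New-InboxRule",'
    '"Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    '{"CreationTime":"2024-05-01T09:30:00","UserId":"admin@example.test","Operation":"Set-Mailbox",'
    '"Parameters":[{"Name":"Identity","Value":"finance"},{"Name":"ForwardingSmtpAddress","Value":"smtp:drop@mail.example.invalid"}]}',
]

if __name__ == "__main__":
    for when, who, op, why in scan(SAMPLE_LOG):
        print(f"{when} {who} {op}: {'; '.join(why)}")
```

Rules created through Outlook's MAPI interface rather than PowerShell can carry an empty name or no name at all, so pair this with a per-mailbox review of the rules themselves rather than relying on the audit trail alone.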
Remediation
We remove every backdoor and every persistence mechanism: mailbox rules, MFA devices the attacker registered, Azure AD conditional access exclusions, and rogue OAuth applications. Then we harden your environment: enforce modern authentication, configure conditional access, and set up monitoring for suspicious activity.
Reporting
You get a written report in plain language. What happened, what data was at risk, what we did, and what to fix. If you need to report to the Autoriteit Persoonsgegevens, the report contains the information they require: nature of the breach, data subjects affected, and measures taken.
Incident types we handle
Phishing attacks
Credential theft, OAuth consent phishing, MFA fatigue attacks. From a single clicked link to a full account takeover.
Business Email Compromise
CEO fraud, invoice redirection, supplier impersonation. We trace the attacker, assess the damage, and support recovery of funds.
Microsoft 365 compromise
Unauthorized access to your M365 tenant. Mailbox rules, OAuth apps, data exfiltration, and admin account takeover.
Ransomware
Active encryption, ransom demands, data theft. We contain the spread, assess what was taken, and guide recovery.
Data breaches
Confirmed or suspected data exposure. We determine scope, identify affected records, and support regulatory notification.
Account takeover
Any unauthorized access to business accounts: email, cloud storage, financial systems, or administrative consoles.
Why SecDesk
Two-hour response
Call any time. A senior incident responder answers, not a triage desk. We begin containment within hours of first contact.
Dutch team, Dutch context
We work from Amsterdam. Our responders speak Dutch, understand AVG and meldplicht datalekken, and have worked with the Autoriteit Persoonsgegevens and NCSC-NL.
Senior responders on every case
Experienced incident responders handle your case from start to finish. We do not hand off to junior analysts after the first call.
Regulatory expertise
We know when and how to report to the AP. We structure our incident reports for AVG compliance, including breach scope, affected data subjects, and remediation measures.
Threat Exposure Management
Most breaches start with something already exposed: a password lifted by an infostealer, a lookalike domain registered yesterday, an API key left in a public commit. Our managed TEM platform watches the open web, dark web, and criminal forums for exposure tied to your organisation. We tune the noise, triage the signal, and act on the response you pre-authorised.