Quick, calm steps to contain the damage and protect your Microsoft 365 or Google Workspace environment in 2026
At KartHost, we help many small businesses every month after that heart-dropping moment when a team member realizes they clicked a suspicious link. Even with strong training and filters, it happens. The good news is that acting fast at the small business level can usually limit the impact to one account instead of letting it spread. Here is a clear, step-by-step incident response plan focused on what owners and admins can do right away.
Step 1: Immediate Containment (First 5 to 15 Minutes)
- Have the employee stop using the device and report exactly what happened (subject line, what they clicked, whether they entered any credentials).
- Change the password immediately from a different, clean device or phone. Force a sign-out of all sessions.
- Enable or enforce MFA if it is not already active on that account. Many compromises stop here even if the password was entered.
Step 2: Check for Unauthorized Changes
Phishers often set up persistence mechanisms quickly. Review these common ones:
- Mail Forwarding Rules: Look for rules that forward mail to external addresses.
- App Permissions / OAuth Grants: Check for newly authorized third-party apps that could read email or files.
- Sent Items and Calendar: Scan for messages or invites the employee did not create.
Microsoft 365 Specific Steps (Admin Console)
- Log into the Microsoft 365 Admin Center → Users → Active Users → select the affected user → Reset password and choose “Require this user to change their password.”
- Go to the Microsoft Entra Admin Center (entra.microsoft.com):
  - Under Users → select the user → Sign-in logs. Filter for recent activity and look for unfamiliar locations, devices, or “risky” sign-ins.
  - Revoke all sessions under the user’s profile.
  - Check Audit logs for changes to forwarding rules, app consents, or admin actions.
- In Microsoft Defender for Office 365 (if enabled) or the Security Center, use Threat Explorer to find and purge similar phishing emails from other inboxes.
- Review Mail flow rules and the user’s Outlook settings for hidden forwarding.
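
To make the forwarding-rule review above repeatable, here is an added example (not KartHost's or Microsoft's code) that triages a user's inbox rules once they have been exported as JSON. It assumes the export follows the shape of Microsoft Graph's messageRule resource; `INTERNAL_DOMAINS` and the sample rules are constructed for illustration.

```python
# Added example: flag inbox rules that forward mail externally or delete it.
INTERNAL_DOMAINS = {"example.com"}  # assumption: your organization's mail domains

# Constructed sample rules (messageRule-shaped), not from a real tenant.
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "AAMkAD-newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mailbox.invalid"}}],
                 "delete": True}},
    {"displayName": "Assistant copy", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "pat@example.com"}}]}},
    {"displayName": "invoices", "isEnabled": False,
     "actions": {"markAsRead": True, "permanentDelete": True}},
]

FORWARD_KEYS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def external_recipients(actions):
    """Return forward/redirect targets whose domain is not an internal one."""
    found = []
    for key in FORWARD_KEYS:
        for rcpt in actions.get(key) or []:
            addr = (rcpt.get("emailAddress") or {}).get("address", "").strip().lower()
            if not addr or addr.rpartition("@")[2] not in INTERNAL_DOMAINS:
                found.append(addr or "<missing address>")
    return found


def review_rule(rule):
    """Return the reasons a rule needs a manual look (empty list = none)."""
    actions = rule.get("actions") or {}
    reasons = [f"sends mail outside the organization: {a}"
               for a in external_recipients(actions)]
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes matching mail")
    if reasons and not rule.get("isEnabled", True):
        reasons.append("rule is disabled but still present")
    return reasons


def review_rules(rules):
    """Return (rule name, reasons) pairs for every rule that needs review."""
    flagged = []
    for rule in rules:
        reasons = review_rule(rule)
        if reasons:
            flagged.append((rule.get("displayName", "<unnamed>"), reasons))
    return flagged
```

A flagged rule is a prompt to ask the employee whether they created it, not proof of compromise; a rule that deletes mail can be legitimate.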
Google Workspace Specific Steps (Admin Console)
- In the Google Admin Console, go to Users → select the user → Suspend the account temporarily to stop further damage (this also clears active sessions and tokens).
- Reset the password and force a sign-out.
- Go to Reporting → Audit and investigation → Login audit or use the Security Investigation Tool:
  - Search for the user’s activity around the click time.
  - Look at Gmail log events for suspicious filters, forwarding rules, or message deletions.
- Under the user profile → Security → review Connected applications and remove anything unfamiliar.
- Use the Security Investigation Tool to search for and delete the phishing email across all mailboxes if it reached others.
Step 3: Broader Notification and Cleanup
- Notify leadership and IT (or your hosting provider support) immediately.
- Check if other employees received the same email and ask them to confirm they did not click.
- If any sensitive data may have been accessed, document it and consider notifying affected clients or partners as required by law.
- Scan the employee’s device with updated antivirus or endpoint protection if possible.
- Review and tighten any weak mail rules or forwarding setups that could have helped the attack.
Step 4: Recovery and Prevention
- Re-enable the account once cleaned.
- Run a quick team reminder on phishing red flags.
- Consider stronger protections such as phishing-resistant MFA methods for admin and finance accounts.
- Test your response process with a simulated incident every few months.
How KartHost Helps You Respond and Recover Faster
Our KloudEmail and Microsoft 365 management services include threat protection and archiving that often catch issues early. When something slips through, our Texas-based team can jump on a ticket to help review logs, reset sessions, clean rules, and guide you through the admin consoles. Many clients on our VIP Care Plans let us handle the technical heavy lifting so they can focus on running their business.
Whether you host email with us or manage Microsoft 365 and Google Workspace yourself, one support ticket connects you with people who know these exact scenarios and can walk you through the right clicks.
Stay calm, act quickly, and treat every click as a learning opportunity. If this just happened to your team, log into the KartHost Customer Center right now and open a ticket. We are here to help you contain it and strengthen your setup.
