Staff Clicked a Phishing Link? Do This in the Next 30 Minutes

February 2026 · 7 min read · Email Security

"I've been hacked" Slack message at 3pm. Here's the exact 10-step playbook we use for 30+ SMEs in Pretoria when credentials are compromised.

Isolate device: Unplug ethernet cable, disable Wi-Fi. Don't shut down — you need logs.
Force sign-out all sessions: Azure AD > Users > [User] > "Revoke sessions". Kills access on all devices.
Reset password: Use a different, clean device. Make it 16+ characters. No variations of old password.
Enable MFA if not already: SMS codes can be intercepted. Use Authenticator app with number matching.
Check for inbox rules: Outlook > Rules > Look for "forward to external" or "delete". Attackers hide here.

Audit sign-in logs: Azure AD > Sign-ins > Filter "Failure" + look for IPs from Nigeria, Russia, China.
Check mailbox audit: Did they send mail? Compliance > Audit > Search "Sent Items" for last 24h.
Scan device: Full EDR scan with SentinelOne/Defender. Don't reconnect to network until clean.
Review Safe Links: Defender > Submissions > Check if malicious URL was clicked. Block domain tenant-wide.
Document timeline: Who clicked, when, what they entered. Needed for POPIA breach report if data leaked.

Next 24 Hours: Report + Harden

Notify bank: If finance/payroll was accessed, alert bank to watch for fraudulent payments.
POPIA: Report to Information Regulator within 72hrs if personal info was accessed.
Retrain staff: Share screenshot of the phishing email. Run KnowBe4 training.
Add domain to blocklist: Defender > Tenant Allow/Block Lists > Block the sender domain.

Disable legacy auth: Azure AD > Security > Conditional Access. Blocks 99% of password spray attacks.
Enable MFA number matching: Stops MFA fatigue attacks where users approve random prompts.
Safe Attachments: Defender > Policies > Safe Attachments > Turn on for all mailboxes. Sandboxes files.

Print it. Stick it on your IT wall. Give to all staff.