Field Guides · During · account-takeover

Account takeover response

A privileged account is in someone else's hands. Cut the access, scope what they touched, decide whether the account is salvageable. The cuts are a sequence, not a checklist.

live use · L2

Disabling the account does not end the session. Resetting the password does not invalidate the token. Rotating the secret does not revoke the OAuth grant. Account takeover response is a sequence of cuts, in order, against every form of access the attacker may have established. Miss one and the attacker is still in.

The cuts are the easy part. The harder work is scoping what they did with it. The audit log is the truth. Read it. Read it again. Note what is missing. Note what is normal but suspicious in this context. Look for the things attackers do that legitimate users do not: a new service principal credential, a new app consent at midnight, a federation trust nobody requested, a refresh token still working from an IP no one recognises.

Most account-takeover response fails the same way. The team resets the password, declares it contained, and never checks the OAuth grants or the refresh tokens. The attacker walks straight back in through the door nobody closed.

The user is usually a victim, not a suspect. Treat them that way. They are also your fastest source of timeline information.

Checklist

0/350/27 critical

Cut the access

Revoke all active sessions for the accountCriticalDisabling the account is not enough. Existing tokens can survive.
Reset the account password and force MFA re-enrolmentCritical
Rotate any API tokens, OAuth grants, and app passwords issued by the accountCritical
Check the mailbox for forwarding rules, delegate access, and new linked appsCritical
Check for newly registered devices and MFA methods. Remove anything you do not recognise.Critical
Revoke OAuth refresh tokens estate-wide for the accountCriticalResetting the password does not invalidate an existing refresh token in most platforms.

Identity plane and federation

Check federation and SSO trusts for new or modified entriesCritical
Audit apps recently consented by the account (user-delegated) and any tenant-wide admin consents granted during the windowCritical
Check for new or modified privileged role assignments made by the accountCritical
Check for new service principal secrets, certificates, or app passwords created by the accountCritical
Check whether conditional-access bypass was used during the suspect window
Check cloud and SaaS audit logs for API key creation by the account

Scope the blast radius

Pull 90 days of sign-in history. Note unfamiliar IPs, geos, and user agents.Critical
Pull audit logs of actions performed by the account during the suspect windowCritical
Identify what data the account could access during the windowCritical
Check whether the account was used to reset, grant, or impersonate other accountsCritical
Check shared mailboxes, distribution groups, and delegated access
Check cloud resources, role assumptions, and IAM changesCritical
Check source repositories and CI/CD systems if the account had access thereCritical
Look for bulk export, download, or share events during the suspect windowCritical

Notify and decide

User contacted out-of-band to confirm the timeline and any phishCriticalPhone or in-person. Not through any channel the attacker might still own.
Legal briefed if data exposure is suspectedCritical
External counterparties contacted if the account was used for fraud or impersonationCritical
Decision made on whether to keep the user account or burn it
Incident recorded with timeline, scope, and remediationCritical

What actually breaks

The team understands that a password reset is not the fix. Sessions and tokens are.Critical
OAuth grants have been checked. Not assumed clean because the password was rotated.CriticalThis is the single most-missed step in account takeover response.
The user is treated as a victim, not a suspect. They are also your fastest source of timeline.Critical
Other accounts with the same role or device pattern are checked now, not afterCritical
Incident is not closed the moment access is cut. Scope is finished first.
The audit log is read carefully. Gaps and silences are treated as signal, not noise.

Strengthen

User enrolled in phishing-resistant MFA (hardware key or platform passkey)Critical
Conditional access policy reviewed for the role
Other accounts with the same role or device pattern checked for the same compromiseCritical
Detection tuned for the technique used so the next attempt fires earlierMaturity

Accepted operational risks

27 of 27 critical items unchecked.

Every unchecked critical item is an accepted operational risk. Make sure someone senior is consciously accepting it.

Revoke all active sessions for the accountCut the access
Reset the account password and force MFA re-enrolmentCut the access
Rotate any API tokens, OAuth grants, and app passwords issued by the accountCut the access
Check the mailbox for forwarding rules, delegate access, and new linked appsCut the access
Check for newly registered devices and MFA methods. Remove anything you do not recognise.Cut the access
Revoke OAuth refresh tokens estate-wide for the accountCut the access
Check federation and SSO trusts for new or modified entriesIdentity plane and federation
Audit apps recently consented by the account (user-delegated) and any tenant-wide admin consents granted during the windowIdentity plane and federation
Check for new or modified privileged role assignments made by the accountIdentity plane and federation
Check for new service principal secrets, certificates, or app passwords created by the accountIdentity plane and federation
Pull 90 days of sign-in history. Note unfamiliar IPs, geos, and user agents.Scope the blast radius
Pull audit logs of actions performed by the account during the suspect windowScope the blast radius
Identify what data the account could access during the windowScope the blast radius
Check whether the account was used to reset, grant, or impersonate other accountsScope the blast radius
Check cloud resources, role assumptions, and IAM changesScope the blast radius
Check source repositories and CI/CD systems if the account had access thereScope the blast radius
Look for bulk export, download, or share events during the suspect windowScope the blast radius
User contacted out-of-band to confirm the timeline and any phishNotify and decide
Legal briefed if data exposure is suspectedNotify and decide
External counterparties contacted if the account was used for fraud or impersonationNotify and decide
Incident recorded with timeline, scope, and remediationNotify and decide
The team understands that a password reset is not the fix. Sessions and tokens are.What actually breaks
OAuth grants have been checked. Not assumed clean because the password was rotated.What actually breaks
The user is treated as a victim, not a suspect. They are also your fastest source of timeline.What actually breaks
Other accounts with the same role or device pattern are checked now, not afterWhat actually breaks
User enrolled in phishing-resistant MFA (hardware key or platform passkey)Strengthen
Other accounts with the same role or device pattern checked for the same compromiseStrengthen