⚠ First — what NOT to do
- Don't panic and shut everything down. Powering off destroys volatile evidence in memory that investigators need.
- Don't announce it publicly — not to all staff, not on social media. If the attacker is inside, they'll accelerate.
- Don't start deleting suspicious files. You're destroying evidence. Leave everything as-is.
- Don't try to "hack them back." It's illegal and counterproductive.
- Don't wipe or reimage machines yet. Forensic analysis needs the original state.
Look for the obvious signs
These are the most common indicators that something is wrong. You don't need to be technical — just observe.
- Employees locked out of accounts unexpectedly — especially multiple people at once
- Unfamiliar user accounts appearing in your systems or Active Directory
- Files renamed, encrypted, or missing — or a ransom note on screens
- MFA prompts that nobody triggered (someone is trying to log in as your staff)
- Security tools disabled — antivirus uninstalled, EDR stopped, firewall rules changed
- Unusual network slowness — could indicate data being exfiltrated
- Emails sent from your domain that nobody wrote (check your sent folder and bounce-backs)
- Strange processes running in Task Manager consuming CPU or network
How many did you check? Even one confirmed sign warrants moving to Step 2. Don't wait for certainty — by the time you're certain, it's usually worse than you think.
Check your email environment
Business email compromise (BEC) is the most common attack in the Middle East. Check this first — it takes 5 minutes.
- Mailbox forwarding rules — In M365 Admin → Exchange → Mail flow → look for rules forwarding to external addresses you don't recognise
- Sign-in logs — Azure AD → Sign-ins → look for logins from unusual countries, IPs, or at unusual hours
- OAuth apps — Azure AD → Enterprise Applications → look for apps you didn't authorise (attackers use these for persistent access)
- New admin accounts — Check if any Global Admin or Exchange Admin roles were granted recently
If you find a forwarding rule sending emails to an address you don't recognise — this is a confirmed compromise. Don't delete the rule yet (it's evidence). Move to Step 4 immediately.
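The forwarding check above can be done in the admin portal one mailbox at a time, but in a tenant of any size a script is faster and leaves a record. The following is an added example, not part of the Arqen guide: it uses the ExchangeOnlineManagement module to list every mailbox-level forward and every user inbox rule that forwards or redirects mail to a domain you do not own, and saves the result to a CSV before anyone touches the rules. The `$internalDomains` list and the CSV path are placeholders you must replace.

```powershell
# Added example (not from the guide): enumerate forwarding that an attacker may have
# planted in Exchange Online. Requires the ExchangeOnlineManagement module and an
# account with Exchange admin rights. Run it from a clean admin workstation, not
# from a machine you suspect is compromised. Read-only: nothing is changed.
# Install-Module ExchangeOnlineManagement   # once, if not already present
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                         # interactive sign-in

# Domains you own. Anything forwarding outside this list deserves a look.
# CONSTRUCTED placeholder: replace with your tenant's accepted domains.
$internalDomains = @('contoso.com', 'contoso.onmicrosoft.com')

function Test-IsExternal {
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    # Mailbox forwards look like "smtp:user@domain"; inbox-rule recipients render as
    # "Display Name [SMTP:user@domain]" or as a plain address. Extract the address.
    $smtp = if ($Address -match 'SMTP:([^\]]+)') { $Matches[1] } else { $Address }
    $domain = ($smtp -split '@')[-1].Trim().ToLower()
    return -not ($internalDomains -contains $domain)
}

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    # 1. Mailbox-level forwarding (needs admin rights to set, so it also hints at
    #    a compromised admin account)
    if ($mbx.ForwardingSmtpAddress -and (Test-IsExternal "$($mbx.ForwardingSmtpAddress)")) {
        $findings += [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Type     = 'MailboxForwarding'
            RuleName = '(mailbox setting)'
            Target   = "$($mbx.ForwardingSmtpAddress)"
            KeepCopy = $mbx.DeliverToMailboxAndForward
        }
    }
    # 2. User inbox rules that forward or redirect: the classic BEC persistence trick
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if (Test-IsExternal "$t") {
                $findings += [pscustomobject]@{
                    Mailbox  = $mbx.UserPrincipalName
                    Type     = 'InboxRule'
                    RuleName = $rule.Name
                    Target   = "$t"
                    KeepCopy = -not $rule.DeleteMessage   # rules that also delete hide the theft
                }
            }
        }
    }
}

# Preserve the evidence first, then review. Do not remove the rules yet.
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$findings | Export-Csv -Path ".\forwarding-findings-$stamp.csv" -NoTypeInformation
$findings | Format-Table -AutoSize
```

Rules whose `KeepCopy` column is `False` delete the original after forwarding, which is why the mailbox owner never notices. A mailbox whose `ForwardingAddress` points at an external mail contact is a third variant that this script does not cover; check it in the same pass if you use mail contacts.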
Check your network and endpoints
Look at what's happening on your network and your most critical systems.
- Firewall logs — Look for repeated outbound connections to the same IP, especially on ports 443 or 80 during off-hours
- Large outbound transfers — Unusual amounts of data leaving your network (potential exfiltration)
- Connections to unusual countries — If you don't do business in Eastern Europe, Russia, or certain Asian countries, connections there are suspicious
- New services on servers — In Windows Event Viewer, check Event ID 7045 for services you didn't install
- Scheduled tasks — Open Task Scheduler on critical servers and look for tasks you don't recognise
Don't have a firewall dashboard? Check with your IT team or ISP. If you have an EDR tool (CrowdStrike, Defender, SentinelOne), check its console for alerts or detections — they may have caught something already.
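The two endpoint checks above (Event ID 7045 and Task Scheduler) are tedious to do by hand on more than one server. As an added example that is not part of the guide, the script below pulls both from a Windows server for a configurable look-back window and flags the entries a responder would look at first. It is read-only. The look-back of 14 days and the path heuristics are assumptions; treat the `Flags` column as a prompt for a closer look, not a verdict.

```powershell
# Added example (not from the guide): list services installed and scheduled tasks
# registered within the last N days on a Windows server. Run in an elevated
# PowerShell session on the server itself, or wrap it in Invoke-Command for a
# remote host. Nothing is modified.
param(
    [int]$LookbackDays = 14     # assumed default; widen it if the intrusion may be older
)
$since = (Get-Date).AddDays(-$LookbackDays)

# --- New services: System log, Event ID 7045 (Service Control Manager) ---
# For 7045 the Properties array is: 0 ServiceName, 1 ImagePath, 2 ServiceType,
# 3 StartType, 4 AccountName.
$newServices = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Installed   = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            StartType   = $_.Properties[3].Value
            RunsAs      = $_.Properties[4].Value
        }
    }

# Heuristics worth a second look: a service binary outside the Windows or Program
# Files trees, or a service command that runs a script interpreter. Legitimate
# software does both occasionally, so these are flags, not verdicts.
$systemPaths  = '^"?(?:[A-Za-z]:\\Windows\\|[A-Za-z]:\\Program Files|%SystemRoot%|%windir%|\\SystemRoot\\|system32\\)'
$interpreters = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta'

$newServices | ForEach-Object {
    $flags = @()
    if ($_.ImagePath -notmatch $systemPaths) { $flags += 'non-standard path' }
    if ($_.ImagePath -match $interpreters)   { $flags += 'script interpreter' }
    $_ | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join '; ') -PassThru
} | Sort-Object Installed -Descending | Format-Table -AutoSize

# --- Scheduled tasks registered recently ---
# Get-ScheduledTask exposes the registration date and author; the Actions show what
# actually runs. Built-in tasks under \Microsoft\ are excluded to cut noise, which
# means a task an attacker hid in that folder would need a separate look.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.Date -and ([datetime]$_.Date) -ge $since } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Registered = $task.Date
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Author     = $task.Author
                State      = $task.State
                RunsAs     = $task.Principal.UserId
                Execute    = $action.Execute
                Arguments  = $action.Arguments
            }
        }
    } | Sort-Object Registered -Descending | Format-Table -AutoSize
```

Save the output alongside your incident notes before anyone changes the server. If the System log has been cleared (Event ID 1102 in the Security log, or a suspiciously short history), note that too: a wiped log is itself a finding.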
Contain what you can — carefully
If you've found something suspicious, take these containment steps. Do them in order.
- Isolate the affected machine — Unplug the ethernet cable or disable WiFi. Do NOT power it off (memory evidence is lost on shutdown).
- Disable compromised accounts — In Active Directory or Azure AD, disable (don't delete) any accounts you know are compromised.
- Block the suspicious IP — If you identified an attacker's IP from firewall logs, block it at the firewall.
- Reset passwords — For any accounts that showed suspicious activity. Start with admin and privileged accounts.
- Revoke active sessions — In Azure AD, revoke all sessions for affected accounts (existing sessions stay valid even after a password change).
Important: Only contain what you're confident about. Disconnecting the wrong server can cause more business disruption than the attack itself. When in doubt, isolate and observe — don't delete or destroy.
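Two of the containment steps above (disable the account, revoke its sessions) are easy to get half-right: a password reset alone leaves existing tokens alive, and an action nobody wrote down is an action the investigators cannot reconstruct. As an added example that is not part of the guide, the script below combines both steps for Azure AD / Entra ID accounts using the Microsoft Graph PowerShell SDK and writes every action, with a UTC timestamp and the operator's name, to a CSV incident log, which also covers the "Actions taken" entry in the documentation step. The Graph scopes, log path and the two example account names are assumptions and placeholders; on-premises Active Directory accounts would additionally need `Disable-ADAccount` from the ActiveDirectory module.

```powershell
# Added example (not from the guide): disable a compromised cloud account, revoke its
# refresh tokens so existing sessions die, and log each action. Requires the
# Microsoft.Graph PowerShell SDK and an account with User Administrator or Global
# Admin rights. Run from a clean admin workstation.
# Install-Module Microsoft.Graph   # once, if needed
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

# CONSTRUCTED placeholder path: keep the log somewhere the attacker cannot reach.
$IncidentLog = "$env:USERPROFILE\Desktop\incident-log.csv"

function Write-IncidentLog {
    param(
        [Parameter(Mandatory)][string]$Action,
        [Parameter(Mandatory)][string]$Target,
        [string]$Result = 'done',
        [string]$Notes  = ''
    )
    # UTC timestamps avoid ambiguity when logs from several systems are lined up later.
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
        Operator     = "$env:USERDOMAIN\$env:USERNAME"
        Host         = $env:COMPUTERNAME
        Action       = $Action
        Target       = $Target
        Result       = $Result
        Notes        = $Notes
    } | Export-Csv -Path $IncidentLog -Append -NoTypeInformation
}

function Invoke-AccountContainment {
    # ConfirmImpact High means each account is confirmed interactively unless -Confirm:$false
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [string]$Reason = 'suspicious sign-in activity'
    )
    foreach ($upn in $UserPrincipalName) {
        if (-not $PSCmdlet.ShouldProcess($upn, 'Disable account and revoke sessions')) { continue }
        try {
            # Disable, don't delete: the object, its logs and its mailbox are evidence.
            Update-MgUser -UserId $upn -AccountEnabled:$false
            Write-IncidentLog -Action 'DisableAccount' -Target $upn -Notes $Reason

            # A password change alone does not end sessions that already hold tokens;
            # revoking refresh tokens forces every device and app to re-authenticate.
            Revoke-MgUserSignInSession -UserId $upn | Out-Null
            Write-IncidentLog -Action 'RevokeSessions' -Target $upn -Notes $Reason
        }
        catch {
            Write-IncidentLog -Action 'ContainmentFailed' -Target $upn -Result 'error' -Notes $_.Exception.Message
            Write-Warning "Containment failed for $upn : $($_.Exception.Message)"
        }
    }
}

# Assumed scopes; your tenant's consent policy may require an admin to pre-approve them.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'

# CONSTRUCTED example accounts: replace with the accounts you have confirmed.
Invoke-AccountContainment -UserPrincipalName 'finance.user@contoso.com', 'it.admin2@contoso.com' `
                          -Reason 'external forwarding rule found in mailbox'
```

Run it with `-WhatIf` first to see which accounts would be touched without changing anything. The password reset itself is deliberately left to the operator: do it in the portal after the account is disabled, and log it with `Write-IncidentLog -Action 'PasswordReset'` so the sequence disable, reset, revoke is on record.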
Document everything
From this moment forward, write down everything. This matters for insurance, legal, regulatory, and investigation purposes.
- Timeline — When did you first notice something? What time? What did you see?
- Screenshots — Screenshot every suspicious finding before touching anything
- Actions taken — Log every containment action with timestamp and who did it
- Affected systems — List every machine, account, or system that seems involved
- Business impact — What services are down? What data might be affected? Who is impacted?
Use a shared document (Google Doc or similar) as your incident log. Timestamp every entry. This document becomes the foundation for any investigation, insurance claim, or regulatory notification.
Where do you stand?
Confirmed breach
You found evidence: ransomware, forwarding rules, compromised accounts, data exfiltration. You need professional incident response — now.
Suspicious but uncertain
Something doesn't feel right but you can't confirm it. A compromise assessment would give you a definitive answer.
False alarm
Everything checks out clean. Good — but this is a wake-up call. Consider an IR readiness assessment so you're prepared next time.
Not sure what to look for
That's okay. Most organisations don't have the tools or expertise to investigate themselves. That's what incident response firms exist for.
This guide is free because we believe every organisation deserves to know what to do in a crisis — whether they work with us or not. If you do need help, our team is available around the clock.