Inside an Email Breach: The 16-Step Response Plan We Use at Fifosys
Over the past year, the cybersecurity landscape has undergone rapid changes that many businesses have struggled to keep pace with. As I'm writing this, AWS has gone down (and taken half the internet with it), and the immediate reaction online has been "not another hack?!", rather than the more likely "it must be a bug in the recent update!" angle we would have gone with not too long ago.
All that truly highlights is how attacks are more targeted, more believable, and perhaps most worryingly, more successful.
Phishing emails are now written and powered by AI, credentials are traded in minutes, and what used to be random has become remarkably personal.
We used to talk about whether a company would be targeted. We used to spend an hour a week hosting a roundtable on building your cyber defences in case you were targeted.
Now? It’s a matter of when you're due to have your moment in their crosshairs, and how quickly you'll respond to any damage caused.
The Current Landscape: Quieter, Smarter, Closer
Modern breaches don’t kick down the front door.
In the world we find ourselves in, there are admittedly more doors than ever before for a malicious outsider to try, with a whole host of trusted channels, such as supplier systems, cloud logins and shared mailboxes, available for an attacker to slip quietly through.
Once they're inside, it isn't a 100mph dash or an immediate danger either. Instead, they observe.
By the time the signs appear, be it a rule change here or a missing message there, attackers may have already mapped your network or intercepted payments.
Across the UK, email remains the number-one entry point for compromise.
Microsoft 365 accounts are particularly attractive: one set of credentials can unlock not only mail but SharePoint, Teams, and company-wide data (which also brings into focus how much access an individual's account 1) has, and 2) should have).
The Human Factor
The rough reality is that technology is rarely the weakest link. People are.
Employees who reuse passwords or click under pressure shouldn't be excommunicated, tarred and feathered or shouted at till you're blue in the face. They're simply human, and some successful attempts can be very convincing.
Even the best-trained teams can be caught off guard on a bad day: a fake invoice from a familiar supplier, a “quick approval” request from a director travelling abroad, or an email from a new company you've signed up to work with are some very successful methods we've seen firsthand in recent months.
That’s why culture matters as much as controls.
Encouraging staff to report something that feels wrong, without blame or hesitation, can contain an attack before it spreads.
Every response plan begins with that moment of honesty: “I think something’s not right.”
What We’re Seeing Firsthand
At Fifosys, we're seeing inbox compromises across every sector, with no industry spared: finance, professional services, technology, education, property... You name it; at the minute, we're seeing more attempts than ever on a daily basis.
Some start with a single forwarded phishing email.
Others with a stolen password from an unrelated breach.
We’ve helped clients recover from accounts that were, unbeknownst to them, silently accessed for weeks or months at a time, with rules created to forward all invoices, and even whole conversations rewritten to divert payments.
The pattern is clear: breaches are getting faster, subtler, and more opportunistic. And while prevention tools are essential, speed of response determines the real impact.
Inside Our Breach Response
When an account is compromised, the goal is simple: contain, investigate, secure, and report. But the execution must be disciplined.
Our 16-step response plan has evolved from years of real-world incidents.
Here’s what it looks like in practice.
Containment starts with control.
The user’s password is reset immediately, and all active sessions are killed across Microsoft 365.
If multi-factor authentication isn’t already in place, or has been removed, it’s enforced on the spot.
We notify internal compliance teams early because if personal data may have been exposed, timing matters for ICO reporting.
Investigation begins while containment is still underway.
We scan the affected device for malware and pull sign-in logs from Azure AD, looking for unfamiliar IPs or foreign locations.
Those logs tell the story: where the attacker came from, when they logged in, and how long they stayed.
Evidence is exported, saved, and attached to the incident record; those 30-day logs vanish fast, and in a lot of cases the attacker could have been in your systems long before the start of that default 30-day log window.
Securing the mailbox is next.
We access it via Outlook Web Access, not the desktop app, to get a clean view.
Hidden rules are the giveaway here, so we look for messages diverted to RSS folders, copies forwarded to external accounts, or key correspondence quietly deleted.
We confirm which rules are legitimate, remove anything suspicious, and check whether the same phishing message reached other staff.
If it did, we purge it from their inboxes too.
Finally, report and reflect.
Once we're confident the breach is contained, we assess what data was accessible and advise whether an ICO notification or Action Fraud report is needed.
Every incident ends with a review: why did it happen, what could have prevented it, and how can we close that gap across the organisation? From start to finish, this can take at least a full day's worth of work to secure, from being alerted to the breach to resolution.
It’s methodical, yes, but in the middle of a breach, method is calm.
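To make the investigation and mailbox-securing steps above concrete, here is a small triage script. It is an added example, not Fifosys's own tooling, and it runs over constructed sample records: the field names only loosely mirror an Azure AD sign-in log export and an Exchange Online inbox-rule export, and the tenant domain, baseline country and office IP range are placeholders you would replace with your own. It flags successful sign-ins from unfamiliar countries or IP ranges, and enabled inbox rules that forward or redirect mail outside the tenant, move messages into an RSS folder, or delete them.

```python
"""Added triage helper (not Fifosys code) for two checks from the response plan:
sign-ins from unfamiliar places, and inbox rules that hide or divert mail.

All records below are constructed samples. The dataclass fields loosely mirror
an Azure AD sign-in export and an Exchange Online inbox-rule export; map real
exports into them before use.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Assumed organisation baseline (placeholders, not from the article).
INTERNAL_DOMAINS = {"contoso.example"}                      # the tenant's own mail domains
KNOWN_COUNTRIES = {"GB"}                                    # where staff normally sign in from
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # office/VPN egress (TEST-NET-3)


@dataclass
class SignIn:
    when: str         # ISO-8601 timestamp of the sign-in
    user: str         # userPrincipalName
    ip: str           # client IP address from the log
    country: str      # ISO country code from the log's location field
    succeeded: bool   # True when the sign-in completed


@dataclass
class InboxRule:
    name: str
    enabled: bool
    forward_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    move_to_folder: str | None = None
    delete_message: bool = False


def is_known_ip(ip: str) -> bool:
    """True if the address falls inside a known office/VPN egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def triage_sign_ins(sign_ins: list[SignIn]) -> list[dict]:
    """Flag successful sign-ins from outside the baseline countries and networks.

    A successful sign-in from an unfamiliar place is the strongest sign that the
    credentials were used by someone other than the employee.
    """
    findings = []
    for s in sign_ins:
        if not s.succeeded:
            continue
        reasons = []
        if s.country not in KNOWN_COUNTRIES:
            reasons.append(f"country {s.country} outside baseline")
        if not is_known_ip(s.ip):
            reasons.append(f"IP {s.ip} outside known networks")
        if reasons:
            findings.append({"when": s.when, "user": s.user, "ip": s.ip, "reasons": reasons})
    return findings


def external_addresses(addresses: list[str]) -> list[str]:
    """Return the addresses whose domain is not one of the tenant's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def triage_inbox_rules(rules: list[InboxRule]) -> list[dict]:
    """Flag enabled rules that forward/redirect externally, hide mail in an RSS folder, or delete it."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        reasons = []
        ext = external_addresses(r.forward_to + r.redirect_to)
        if ext:
            reasons.append("forwards or redirects to external address(es): " + ", ".join(ext))
        if r.move_to_folder and "rss" in r.move_to_folder.lower():
            reasons.append(f"moves messages to '{r.move_to_folder}'")
        if r.delete_message:
            reasons.append("deletes messages")
        if reasons:
            findings.append({"rule": r.name, "reasons": reasons})
    return findings


def run_triage(sign_ins: list[SignIn], rules: list[InboxRule]) -> dict:
    """Run both checks and return the findings for the incident record."""
    return {"sign_ins": triage_sign_ins(sign_ins), "rules": triage_inbox_rules(rules)}


# Constructed sample data: one normal office sign-in, one foreign success, one foreign failure.
SAMPLE_SIGN_INS = [
    SignIn("2025-01-20T08:02:11Z", "j.smith@contoso.example", "203.0.113.40", "GB", True),
    SignIn("2025-01-20T22:47:03Z", "j.smith@contoso.example", "198.51.100.7", "NG", True),
    SignIn("2025-01-21T03:15:44Z", "j.smith@contoso.example", "192.0.2.77", "US", False),
]

# Constructed sample rules: a legitimate internal forward, an external redirect that also
# deletes, an RSS-folder diversion, and a disabled rule that is ignored.
SAMPLE_RULES = [
    InboxRule("Supplier invoices", True, forward_to=["accounts@contoso.example"]),
    InboxRule("Payments review", True, redirect_to=["payments@mail-outside.example"], delete_message=True),
    InboxRule("Newsletters", True, move_to_folder="RSS Feeds"),
    InboxRule("Old project", False, forward_to=["someone@outside.example"]),
]

if __name__ == "__main__":
    report = run_triage(SAMPLE_SIGN_INS, SAMPLE_RULES)
    for f in report["sign_ins"]:
        print(f"SIGN-IN {f['when']} {f['user']} from {f['ip']}: " + "; ".join(f["reasons"]))
    for f in report["rules"]:
        print(f"RULE '{f['rule']}': " + "; ".join(f["reasons"]))
```

On the sample data the script reports the successful sign-in from 198.51.100.7 (both country and IP outside the baseline) and the "Payments review" and "Newsletters" rules; the failed foreign attempt and the disabled rule are left out, which keeps the list short enough to act on during containment. Failed attempts are still worth keeping in the exported evidence, since they show how long the account was being probed before the successful login.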
Preparedness in Practice
At the end of the day, tools support the process.
Every company has a different appetite for risk and is shaped by its IT budget. Still, we encourage everyone to have their environments continuously monitored for anomalous mail activity through Barracuda's proactive threat-detection and monitoring, giving us visibility of the issue before a user even realises something's wrong.
That means no delay in learning that unwanted visitors are inside your system, and a return to normal in a few minutes rather than hours, all for a cost that's significantly lower than what a breach would be.
It's important to note that technology only works when paired with clear procedures and a team that knows what to do the moment an alert fires.
That’s why we document every step.
It’s also why we’re sharing it. We're transparent with our clients, and sharing this lets them, and even other organisations, strengthen their own response playbooks.
Download: The Email Breach Response Checklist
We’ve distilled this process into a two-page printable checklist, the same framework our engineers use when responding to live incidents. It includes each of the 16 steps, tick-boxes for progress tracking, and fields for owner and completion date.
[Download the 16-Step Email Breach Response Plan]
Keep it close. You hope you’ll never need it, but when you do, it will save precious minutes.
Final Thought
Even one compromised email can expose an entire organisation.
Prevention helps, but response speed decides the damage.
If you’d like help reviewing or rehearsing your incident-response plan, our cybersecurity team can guide you through it, before the next “one click” becomes the next breach.