Office 365 Security Incident Response

Summary: This solution tells you what the indicators are for the most common cybersecurity attacks in Office 365, how to positively confirm any given attack, and how to respond to it.


Not all cyberattacks can be thwarted. Attackers are constantly looking for new weaknesses in your defensive strategy or exploiting old ones. Knowing how to recognize an attack allows you to respond to it faster, which shortens the duration of the security incident.

This series of articles helps you understand what a particular type of attack might look like in Office 365 and gives you steps you can take to respond. The articles are quick entry points to understanding:

  • What the attack is and how it works.
  • What signs, called indicators of compromise (IOC), to look for and how to look for them.
  • How to positively confirm the attack.
  • Steps to take to cut off the attack and better protect your organization in the future.
  • Links to in-depth information on each attack type.

Check back here monthly as more articles will be added over time.

Detect and remediate articles

Incident response articles

Secure Office 365 like a cybersecurity pro

Your Office 365 subscription comes with a powerful set of security capabilities that you can use to protect your data and your users. Use the Office 365 security roadmap: Top priorities for the first 30 days, 90 days, and beyond to implement Microsoft-recommended best practices for securing your Office 365 tenant.

  • Tasks to accomplish in the first 30 days. These have immediate effect and are low-impact to your users.
  • Tasks to accomplish in 90 days. These take a bit more time to plan and implement but greatly improve your security posture.
  • Beyond 90 days. These enhancements build on your first 90 days of work.