Scenario 1: M365 Tenant Compromise
An attacker gains Global Admin access to your Microsoft 365 tenant. They can read emails, access SharePoint, and create backdoor accounts.
Step 1: Contain (Hour 0-2)
- Revoke Sessions: Force sign-out for all users (Azure AD > Users > Revoke Sessions).
- Disable Compromised Accounts: Immediately disable any admin accounts that may be compromised.
- Enable Conditional Access: Block sign-ins from suspicious locations or require MFA everywhere.
- Review OAuth Apps: Check Enterprise Applications for suspicious third-party apps.
Step 2: Investigate (Hour 2-24)
- Audit Logs: Review the Unified Audit Log for the past 90 days. Look for unusual sign-ins, mailbox rule changes, and mass file downloads.
- Mailbox Rules: Check for forwarding rules (Get-InboxRule PowerShell command).
- eDiscovery: If data was exfiltrated, use eDiscovery to identify what was accessed.
- Azure AD Logs: Check for new users, role assignments, or app registrations.
Step 3: Remediate (Day 2-7)
- Reset Passwords: Force password reset for all admin accounts (and ideally all users).
- Revoke Refresh Tokens: Use Azure AD to revoke all refresh tokens.
- Enable MFA: Enforce MFA for all users, especially admins.
- Remove Backdoors: Delete any suspicious user accounts, apps, or service principals.
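The three steps above, carried out from a shell instead of the portal, as an added worked example that is not part of the original page and not Microsoft's own tooling. The script uses the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules (real modules and cmdlets); the suspect account list, the lookback window and the bulk-download threshold are constructed placeholders to tune per tenant. It assumes you hold Global Admin rights and have both modules installed.

```powershell
# Added example (not from the original page): containment and triage for
# Scenario 1 with ExchangeOnlineManagement and Microsoft.Graph.
# Assumptions: Global Admin rights, both modules installed; the account list
# and thresholds below are constructed placeholders, not real tenant values.
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

param(
    # Constructed placeholder: admin accounts believed to be compromised.
    [string[]]$SuspectAccounts = @('admin1@contoso.example', 'svc-backup@contoso.example'),
    [int]$LookbackDays = 90,
    # Constructed threshold: downloads per user in the window that count as "mass".
    [int]$BulkDownloadThreshold = 100
)

Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# ---- Step 1: Contain --------------------------------------------------------
foreach ($upn in $SuspectAccounts) {
    # Revoke first, then disable: revocation invalidates the refresh tokens the
    # attacker holds, so a stolen token cannot be renewed while the disable
    # propagates. Access tokens already minted still live until they expire.
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    Update-MgUser -UserId $upn -AccountEnabled:$false
    Write-Host "Contained $upn : sessions revoked, sign-in disabled"
}

# ---- Step 2: Investigate ----------------------------------------------------
$since = (Get-Date).AddDays(-$LookbackDays)

# 2a. Inbox rules that forward, redirect or silently delete mail are the usual
#     BEC persistence. Check every mailbox, not only the suspect accounts.
$suspiciousRules = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
$suspiciousRules | Export-Csv -Path .\suspicious-inbox-rules.csv -NoTypeInformation

# 2b. Unified Audit Log: rule changes, app consents, role grants, new users and
#     SharePoint downloads. Operation names are the UAL's own, including the
#     trailing periods on the Azure AD ones.
$ops = @(
    'New-InboxRule', 'Set-InboxRule'
    'Consent to application.', 'Add user.', 'Add member to role.'
    'FileDownloaded'
)
# 5000 is the per-call cap; on a busy tenant page through the results with
# -SessionId and -SessionCommand ReturnLargeSet.
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -Operations $ops -ResultSize 5000

$parsed = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json   # AuditData is a JSON string per record
    [pscustomobject]@{
        When      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        Target    = $d.ObjectId              # file URL, app, user or role touched
    }
}
$parsed | Export-Csv -Path .\ual-triage.csv -NoTypeInformation

# Users whose download volume crosses the threshold.
$parsed | Where-Object Operation -eq 'FileDownloaded' |
    Group-Object User | Where-Object Count -ge $BulkDownloadThreshold |
    Select-Object Name, Count | Format-Table -AutoSize

# Every directory change in the window: these are the backdoors Step 3 removes.
$dirOps = @('Consent to application.', 'Add user.', 'Add member to role.')
$parsed | Where-Object Operation -in $dirOps |
    Sort-Object When | Format-Table When, User, Operation, Target, ClientIP -AutoSize
```

The two CSV files are the evidence the Step 3 decisions rest on: each rule in suspicious-inbox-rules.csv is removed or confirmed as legitimate with its owner, and each user, role member or consent listed from the audit log is checked against change records before it is deleted. Password resets and the tenant-wide MFA policy are still done separately, since they need a maintenance window and user communication rather than a script.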
Scenario 2: Salesforce Data Exfiltration
An attacker uses a compromised admin account to export your entire customer database via Reports or Data Loader.
Immediate Actions
- Freeze the compromised user account
- Check "Login History" for suspicious IPs
- Review "Setup Audit Trail" for config changes
- Check "Report Export" logs for mass data downloads
What to Look For
- Large report exports (especially of Contact/Lead/Account objects)
- Data Loader API activity from unknown IPs
- New API integrations or Connected Apps
- Changes to permission sets or profiles
OAuth Token Revocation Guide
If a third-party OAuth app is compromised, you need to revoke its access immediately.
Microsoft 365 / Azure AD
- Go to Azure AD > Enterprise Applications
- Find the suspicious app
- Click Properties and set "Enabled for users to sign-in?" to No
- Go to Permissions and revoke all consents
- Optionally, delete the app entirely
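The same five portal steps done with the Microsoft.Graph PowerShell SDK, as an added example that is not from the original page or from Microsoft. Doing it from a shell lets you record what the app could access before tearing it down, which the portal flow loses. The cmdlets and permission scopes are real; the app display name is a constructed placeholder, and the script assumes you hold Global Admin or Cloud Application Administrator rights.

```powershell
# Added example (not from the original page): disable a suspicious enterprise
# application and revoke every consent granted to it, via Microsoft.Graph.
# Assumption: Global Admin / Cloud Application Administrator rights;
# $AppDisplayName is a constructed placeholder for the app you found.
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users.Actions
param(
    [string]$AppDisplayName = 'Mail Sync Helper (suspicious)',   # constructed placeholder
    [switch]$DeleteApp                                           # the optional last step
)

$scopes = @(
    'Application.ReadWrite.All'
    'DelegatedPermissionGrant.ReadWrite.All'
    'AppRoleAssignment.ReadWrite.All'
    'User.ReadWrite.All'
)
Connect-MgGraph -Scopes $scopes -NoWelcome

# Display names are not unique; refuse to act on an ambiguous match.
$found = @(Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'")
if ($found.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppDisplayName', found $($found.Count)"
}
$sp = $found[0]

# Preserve evidence first: which delegated consents and application
# permissions did the app hold? This is what the investigation scopes from.
$delegated = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
$appRoles  = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$evidence = [pscustomobject]@{
    CapturedAt         = Get-Date
    DisplayName        = $sp.DisplayName
    AppId              = $sp.AppId
    ServicePrincipalId = $sp.Id
    DelegatedGrants    = $delegated | Select-Object ConsentType, PrincipalId, Scope
    AppRoleAssignments = $appRoles  | Select-Object ResourceDisplayName, AppRoleId
}
$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path ".\oauth-revocation-$($sp.Id).json"

# Portal step "Enabled for users to sign-in? = No": blocks new token issuance.
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

# Portal step "Permissions > revoke all consents": delegated grants, both
# per-user ("Principal") and admin-wide ("AllPrincipals") ...
foreach ($g in $delegated) {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}
# ... and application permissions, which live on the SP as app role assignments.
foreach ($r in $appRoles) {
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $r.Id
}

# Revoking consent does not recall tokens the app already obtained. Revoke the
# sign-in sessions of every user who consented so their refresh tokens die now
# rather than at expiry.
$delegated | Where-Object ConsentType -eq 'Principal' |
    Select-Object -ExpandProperty PrincipalId -Unique |
    ForEach-Object { Revoke-MgUserSignInSession -UserId $_ | Out-Null }

# Optional: remove the enterprise app entirely. The evidence file above survives.
if ($DeleteApp) { Remove-MgServicePrincipal -ServicePrincipalId $sp.Id }

Write-Host ("Revoked {0} delegated grants and {1} app role assignments for '{2}'" -f
    @($delegated).Count, @($appRoles).Count, $sp.DisplayName)
```

Keep the JSON evidence file with the case: the Scope values on the delegated grants (for example Mail.Read or Files.ReadWrite.All) tell you which data the app could have reached, and the PrincipalId list is exactly the set of users to notify. If the app was registered in your own tenant rather than a third party's, the application object still exists after the service principal is deleted and needs separate review.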
Google Workspace
- Go to Admin Console > Security > API Controls
- Click App Access Control
- Find the app and click Block Access
- Notify affected users to revoke the app from their personal accounts
Slack
- Go to Settings & Administration > Manage Apps
- Find the suspicious app
- Click Remove App
- Check Audit Logs to see what data the app accessed
Frequently Asked Questions
How do I know if my M365 tenant was breached?
Check the Microsoft 365 Unified Audit Log for suspicious sign-ins (especially from unexpected locations), new OAuth app consents, mailbox rule changes, and mass file downloads. Use tools like Hawk or Cloud App Security to automate detection.
What should I do if a third-party OAuth app is compromised?
Immediately revoke the OAuth tokens for that app. In M365, go to Azure AD > Enterprise Applications > find the app > revoke permissions. In Google Workspace, go to Security > API Controls > App Access Control. Then notify the vendor and affected users.
Can I recover deleted data from Salesforce after a breach?
Salesforce retains deleted records in the Recycle Bin for 15 days (or 25 for certain editions). After that, you'll need to restore from a backup. If you have Data Recovery Service enabled, Salesforce can restore data for up to 90 days.
Need SaaS Security Expertise?
SaaS breaches require platform-specific knowledge. Find IR firms that specialize in M365, Google Workspace, Salesforce, and other cloud platforms.