
24/7 Identity Incident Response

Active identity compromise? Speak with an incident responder now. Call 1 (833) 562-5273.

Identity Incident Response

24/7 Emergency Hotline for identity incident response: 1 (833) 562-5273

If access is actively compromised: the first hour should focus on session containment, privilege review, and log preservation. Lockard Security helps you regain control without destroying evidence needed for legal, insurance, or compliance.

Identity incident response is the structured process of detecting, containing, and investigating account takeover, MFA bypass, admin compromise, and unauthorized access across identity providers and SaaS platforms. In modern breaches, identity is often the entry point and the control plane. Restoring trust in identities is required before systems are truly safe.

[Figure: identity incident response for account takeover and admin compromise in cloud identity platforms, focused on regaining control of accounts, privileges, and authentication paths.]

What Identity Incidents Are

An identity incident occurs when an attacker gains access to a trusted identity and uses that access to read data, change configurations, create persistence, or move laterally. These incidents commonly involve cloud identity platforms, email, and SaaS admin consoles. Identity incidents often look like normal activity until you correlate sign-ins, device posture, session tokens, and administrative actions.

Identity incidents frequently overlap with other incident types, such as business email compromise, insider threat investigations, and ransomware intrusions. If identity is still compromised, cleanup and recovery can fail or the attacker can return.

Common Identity Compromise Scenarios

Account takeover

Stolen credentials used to access email, SaaS apps, file storage, and business systems.

MFA bypass and session token theft

Attackers capture MFA prompts, steal refresh tokens, or reuse sessions to avoid repeated authentication.

Admin compromise

Global admin or privileged roles used to create accounts, disable security controls, and establish persistence.

OAuth abuse

Malicious or risky OAuth apps granted access to email or files, enabling long-term data access.

Mailbox rule abuse

Rules hide replies, forward messages externally, and intercept invoices or payment requests.

SSO compromise

Access to a single identity provider unlocks many downstream applications, including CRM, finance, and HR systems.

Key takeaway: identity incident response is not only password resets. You must identify how the attacker maintained access, what privileges were used, and what actions were performed.

High-Signal Indicators And IOCs

Identity incident response is driven by audit trails. The most reliable indicators come from admin logs, sign-in logs, email audit logs, and changes to security posture. Below are high-signal findings we hunt for.

Sign-in indicators

  • Unfamiliar device registrations, new browsers, or sudden sign-in pattern changes
  • Impossible travel or unusual geographic access
  • Repeated MFA prompts or unexpected MFA re-enrollment
  • Sign-ins from residential VPNs, hosting providers, or suspicious autonomous systems

Privilege and admin indicators

  • New privileged role assignments or privilege escalation through group membership changes
  • Security control changes: conditional access edits, MFA policy changes, logging changes, or exclusions
  • New admin users, new service principals, or unusual consent grants
  • Password resets performed outside normal workflows

Email and collaboration indicators

  • New mailbox forwarding, delegation, or inbox rules
  • Bulk exports or unusual access to mailbox content
  • External sharing links created for sensitive files or folders
  • Unusual file downloads from SharePoint, OneDrive, Google Drive, or Dropbox
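To show how a few of the indicators above translate into detection logic, here is an added example (not Lockard Security's tooling) that runs three checks over a small, constructed audit log: impossible travel between consecutive sign-ins, new privileged role assignments, and inbox rules that forward mail outside the organization. The event schema, the `ORG_DOMAIN` value, the role names and every sample value are assumptions invented for the example.

```python
"""Hunt for several of the high-signal indicators listed above in a small,
constructed identity audit log. The event schema and all values are invented
for this example; map the field names to your provider's export before use."""
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"  # assumption: the tenant's primary mail domain
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "alice@example.com", "type": "SignIn", "country": "US"},
    {"ts": "2024-05-01T08:40:00", "user": "alice@example.com", "type": "SignIn", "country": "NG"},
    {"ts": "2024-05-01T08:45:00", "user": "alice@example.com", "type": "New-InboxRule",
     "forward_to": "payments@attacker-mail.invalid"},
    {"ts": "2024-05-01T09:10:00", "user": "alice@example.com", "type": "RoleAssigned",
     "target": "svc-backup@example.com", "role": "Global Administrator"},
    {"ts": "2024-05-01T09:30:00", "user": "bob@example.com", "type": "SignIn", "country": "US"},
    {"ts": "2024-05-01T15:00:00", "user": "bob@example.com", "type": "SignIn", "country": "DE"},
]

def impossible_travel(events, window=timedelta(hours=2)):
    """Flag users whose consecutive sign-ins come from different countries
    closer together than `window` (a crude stand-in for a geo-velocity check).
    Bob's US -> DE hop is 5.5 h apart and is correctly left alone."""
    hits, last = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "SignIn":
            continue
        prev = last.get(e["user"])
        if prev and prev["country"] != e["country"] and \
           datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(prev["ts"]) < window:
            hits.append((e["user"], prev["country"], e["country"]))
        last[e["user"]] = e
    return hits

def privileged_role_grants(events):
    """New assignments of roles in PRIVILEGED_ROLES: admin compromise or persistence."""
    return [(e["user"], e["target"], e["role"]) for e in events
            if e["type"] == "RoleAssigned" and e["role"] in PRIVILEGED_ROLES]

def external_forwarding_rules(events):
    """Inbox rules that forward mail to any address outside ORG_DOMAIN."""
    return [(e["user"], e["forward_to"]) for e in events
            if e["type"] == "New-InboxRule"
            and not e["forward_to"].lower().endswith("@" + ORG_DOMAIN)]

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(EVENTS))
    print("privileged role grants:", privileged_role_grants(EVENTS))
    print("external forwarding rules:", external_forwarding_rules(EVENTS))
```

In a real investigation the three hits would be correlated on the same user and time window, which is what turns individually explainable events into a confirmed takeover.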

Typical Identity Incident Timeline

Identity incidents often progress in predictable phases. Attackers aim to establish durable access before defenders notice. Containment should happen as soon as you confirm suspicious access, even if you are still investigating.

Phase 1: Access obtained

Credentials phished, stolen, reused, purchased, or captured through adversary-in-the-middle methods.

Phase 2: Persistence established

Tokens, OAuth grants, mailbox rules, device registration, or new accounts used to maintain access.

Phase 3: Privilege expansion

Role assignments, admin access, group changes, or abuse of legacy accounts and service principals.

Phase 4: Impact actions

Data theft, invoice fraud, SaaS compromise, lateral movement, or enabling ransomware stages.

Our Identity Incident Response Process

Lockard Security follows a structured identity incident response process designed to regain control quickly, preserve evidence, and produce clear findings you can use for executive decisions, cyber insurance, and legal response.

1) Rapid triage and containment

Confirm compromised identities, revoke sessions, and restrict access while preserving the audit trail.

2) Evidence preservation

Secure sign-in logs, admin logs, audit logs, and mailbox artifacts before retention windows expire.

3) Scoping and timeline

Determine when access began, what accounts were used, what privileges changed, and what data was accessed.

4) Threat removal

Remove persistence paths such as OAuth apps, hidden rules, risky devices, and unauthorized admin users.

5) Recovery and validation

Reset credentials safely, enforce MFA, validate policies, and confirm the attacker is fully removed.

6) Reporting and hardening roadmap

Deliver clear findings plus prioritized identity hardening steps tied to your platform and staffing.

Platforms We Commonly Investigate

Identity incident response requires end-to-end visibility. We commonly support environments that include:

  • Microsoft: Microsoft 365, Exchange Online, SharePoint, OneDrive, Entra ID, Defender, Purview audit
  • Google: Google Workspace, Gmail audit logs, Drive audit logs, Admin console
  • Identity providers: Okta, Duo, conditional access, SSO integrations
  • Endpoints: Windows, macOS, Linux, EDR telemetry tied to identity activity
  • Cloud: AWS, Azure, GCP audit trails and IAM activity
  • Collaboration: Slack, Teams, Zoom, external guest access and sharing logs

First-Hour Identity Containment Checklist

If you suspect account takeover or admin compromise, these actions typically reduce risk quickly. Execute changes carefully and document each step for later investigation.

  • Revoke active sessions and refresh tokens for suspected accounts
  • Disable or restrict compromised accounts, starting with privileged identities
  • Review and remove unknown OAuth grants and risky app consents
  • Audit privileged role assignments and remove unauthorized access
  • Review mailbox rules, forwarding, delegation, and external sharing links
  • Preserve sign-in logs, admin logs, audit logs, and email activity logs

If you are not sure what to do first: call the hotline. We can guide containment immediately while protecting evidence needed for investigation.

Identity Hardening Checklist And Best Practices

Identity security is layered. These controls consistently reduce account takeover risk and limit blast radius when compromise happens.

Authentication and access

  • Enforce MFA for all users, especially administrators and remote access users
  • Use least privilege and reduce standing admin rights
  • Alert on new admin role assignments and risky sign-ins
  • Disable legacy authentication and restrict high-risk protocols where possible

Visibility and retention

  • Centralize identity and audit logs with strong retention
  • Enable alerting for OAuth grants, mailbox rules, and conditional access changes
  • Monitor external sharing, bulk downloads, and unusual data access patterns

Operational controls

  • Require change control for identity policy changes
  • Use break-glass accounts with strong protections and strict monitoring
  • Run regular access reviews for privileged roles and sensitive apps

Identity Incident Response FAQ

Is this the same as business email compromise?

Sometimes. Business email compromise is a common outcome of identity compromise, but identity incidents can impact many systems beyond email, including SaaS apps, cloud IAM, VPN access, and administrative consoles.

Should we reset all passwords immediately?

Not always first. If tokens, OAuth access, or mailbox rules remain, an attacker can retain access even after password resets. We typically prioritize session containment, privilege review, and persistence removal before broad credential resets.

How fast can you help?

Call the hotline if compromise is active. We can guide containment immediately while beginning audit log preservation and timeline building.

24/7 Identity Incident Response Help

If you suspect account takeover, MFA bypass, admin compromise, or unauthorized access to Microsoft 365, Google Workspace, or your identity provider, contact us immediately. The faster you contain access, the less impact you typically absorb.

If you are still at the suspicion stage, we can help validate whether you are seeing pre-compromise behavior and prevent deeper impact.