Phishing & BEC — Quick Reference Guide

First 30 minutes

• Reset the compromised account password immediately
• Revoke all active sessions — a password reset does not terminate sessions already in progress; use the admin console (Microsoft Entra ID or Google Workspace Admin)
• Check for email forwarding rules in the mail admin console — attackers set these up before discovery; they persist after password reset; check admin console, not account settings
• Check for inbox rules — rules that delete, move, or hide emails from view
• Revoke all OAuth third-party application authorizations on the compromised account
• Pull audit logs now — Microsoft 365 and Google Workspace audit logs expire on rolling retention windows; pull immediately and preserve unrecognized login events, IP addresses, and timestamps
• Notify your cyber insurer before beginning extended remediation

---

Within 24 hours

• Identify all systems connected to the compromised account: Teams, SharePoint, OneDrive, cloud CRM, cloud storage, any SaaS platform accessible via the same credentials or SSO
• Assess what personal information was in the inbox and connected systems:
  • Client correspondence (names, contact details, financial or transaction information)
  • HR or employee records (salaries, performance, personal details)
  • Invoices, contracts, and financial documents
  • Documents shared by email — attachments accumulate over years
• Establish the access timeline: when credentials were obtained, earliest evidence of login, when the account was fully secured including forwarding rules and OAuth revocations
• Check sent mail for phishing emails sent to your contacts using the compromised account
• Enable MFA on the compromised account and all accounts that did not have it in place
• Run your ClearBreach RROSH assessment — do not wait for forensic results

---

Within 72 hours

• Complete your RROSH assessment and review your verdict
• If PIPEDA RROSH is met: file OPC Breach Report as soon as feasible — do not delay
• If Alberta PIPA applies and RROSH is met: notify OIPC Alberta (breachnotice@oipc.ab.ca) and affected individuals simultaneously
• If BC PIPA applies (BC residents' personal information was in the inbox) and RROSH is met: notify OIPC BC
• Send individual notifications directly — do not substitute a website notice for direct notification
• If BEC resulted in financial fraud: report to your financial institution and insurer on their required timelines — parallel to, not instead of, privacy reporting
• Begin populating your Internal Incident Record with all actions taken and timestamps

---

Ongoing — until resolution

• Monitor for signs of continued access — forwarding rules and OAuth apps can be re-created or re-authorized
• Update your Internal Incident Record as scope assessment develops
• Reassess RROSH if new facts materially expand the confirmed breach scope
• Retain all records for 24 months minimum from breach start date

---

Alberta PIPA — specific steps

• Notify OIPC Alberta and affected individuals simultaneously — this triggers the streamlined review process and a private closing letter rather than a public investigation
• Complete the official OIPC Alberta Notification Form — do not submit an informal letter
• Attach the AB PIPA Individual Notice (s.19.1) to your OIPC Alberta submission (Section D)
• Submit by email to breachnotice@oipc.ab.ca

---

MSPs — if managing this for a client

• Execute email containment steps immediately if you have admin access: session revocation, forwarding rule audit, OAuth review, audit log pull — do not wait for client direction on these time-sensitive steps
• If the phishing attack targeted your MSP credentials and used your access to reach the client environment, you are a direct party to the breach — document this determination clearly
• Confirm your service agreement before acting on the client's behalf for regulatory notification
• Run a ClearBreach assessment under your MSP account for the affected client organization before advising them on obligations