Networkers Home Interview Questions
Investigation · SOC Analyst

User clicked phishing link. What's your investigation flow?

Time-bounded investigation, 30 minutes:
1. Identify what they clicked: pull the email from M365 and extract the URL.
2. Reputation check: VirusTotal, urlscan.io.
3. If it is credential phishing, did they enter credentials? Check the ADFS/M365 sign-in logs for that user: any new sign-ins from unusual IPs or locations?
4. Force a password reset and revoke active sessions immediately.
5. Check MFA status: if MFA is enabled, the attacker can't log in with the stolen credentials (high-confidence containment).
6. Search inbox rules: a common attacker action is creating an auto-forward rule to exfiltrate email.
7. Check OAuth grants: the attacker may have obtained OAuth tokens that let them bypass the password change.
8. Search the M365 audit log for any other user activity from the attacker IP.
9. Detection improvement: add the URL/domain to the blocklist and search org-wide for other clicks.
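Steps 3, 6, 7 and 8 are log queries, so here is an added example (not code from the Networkers Home answer) that runs them over a few constructed M365 sign-in and audit records; the field names, operation strings and users are simplified assumptions. triage() returns the findings that drive the containment decisions in steps 4 and 5.

```python
# Added example (not the Networkers Home answer's code): log-driven checks for steps 3, 6, 7, 8.
# Sample records are constructed; field names are simplified assumptions, loosely modelled on
# M365 sign-in and unified audit log exports (RFC 5737 test addresses).
from datetime import datetime, timedelta

def parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))
SIGNINS = [  # user, ip, country, time, mfa_satisfied
    {"user": "jdoe", "ip": "198.51.100.7", "country": "IN", "time": "2024-05-01T08:05:00Z", "mfa_satisfied": True},
    {"user": "jdoe", "ip": "198.51.100.7", "country": "IN", "time": "2024-05-02T08:10:00Z", "mfa_satisfied": True},
    {"user": "jdoe", "ip": "203.0.113.44", "country": "NL", "time": "2024-05-03T10:31:00Z", "mfa_satisfied": False},
    {"user": "asmith", "ip": "203.0.113.44", "country": "NL", "time": "2024-05-03T11:02:00Z", "mfa_satisfied": False},
]
AUDIT = [  # Operation, UserId, ClientIP, Parameters
    {"Operation": "New-InboxRule", "UserId": "jdoe", "ClientIP": "203.0.113.44",
     "Parameters": {"Name": "RSS", "ForwardTo": "ext@example.net", "DeleteMessage": "True"}},
    {"Operation": "Consent to application.", "UserId": "jdoe", "ClientIP": "203.0.113.44",
     "Parameters": {"AppName": "MailSync"}},
    {"Operation": "MailItemsAccessed", "UserId": "asmith", "ClientIP": "203.0.113.44", "Parameters": {}},
]
CLICK_TIME = parse("2024-05-03T10:20:00Z")  # time of the reported click
FORWARD_KEYS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def new_signins_after_click(signins, user, click_time, baseline_days=30):
    """Step 3: post-click sign-ins from an IP or country absent from the user's recent baseline."""
    baseline = [s for s in signins if s["user"] == user
                and click_time - timedelta(days=baseline_days) <= parse(s["time"]) < click_time]
    known_ips, known_countries = {s["ip"] for s in baseline}, {s["country"] for s in baseline}
    return [s for s in signins if s["user"] == user and parse(s["time"]) >= click_time
            and (s["ip"] not in known_ips or s["country"] not in known_countries)]

def forwarding_rules(audit, user):
    """Step 6: inbox-rule changes that forward/redirect mail (DeleteMessage alongside is a classic tell)."""
    return [r for r in audit if r["UserId"] == user and r["Operation"] in {"New-InboxRule", "Set-InboxRule"}
            and FORWARD_KEYS & set(r["Parameters"])]

def oauth_consents(audit, user):
    """Step 7: app consents by the user; these survive a password reset and need separate revocation."""
    return [r for r in audit if r["UserId"] == user and r["Operation"].startswith("Consent to application")]

def triage(user, click_time, signins=SIGNINS, audit=AUDIT):
    """Run the checks; 'other_users' is step 8 (anyone else seen from the attacker IPs)."""
    new = new_signins_after_click(signins, user, click_time)
    attacker_ips = {s["ip"] for s in new}
    seen = {s["user"] for s in signins if s["ip"] in attacker_ips}
    seen |= {r["UserId"] for r in audit if r["ClientIP"] in attacker_ips}
    return {"credentials_likely_used": bool(new), "mfa_bypassed": any(not s["mfa_satisfied"] for s in new),
            "new_signins": new, "forwarding_rules": forwarding_rules(audit, user),
            "oauth_consents": oauth_consents(audit, user), "other_users": sorted(seen - {user})}
```

A "credentials_likely_used" or "mfa_bypassed" finding means the step 4 reset and session revocation are not optional, and a non-empty "oauth_consents" list means the reset alone is not enough.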
Want the full explanation? This is the atomic answer, suitable for quick interview prep. For the structured deep-dive, including code samples, strong-answer vs weak-answer notes, common follow-up questions, and how this fits the larger SOC Analyst topic, see the full Q&A on Networkers Home:

→ SOC Analyst Interview Hub — Full Q&A with deep context

How Networkers Home prepares students for this kind of question

This question reflects real interview rounds at Bangalore's top product, BFSI, and GCC cybersecurity teams. Networkers Home's flagship courses include mock interview sessions drilling exactly these question patterns, with feedback from interviewers who have hired for the role.


Related Investigation questions


Q. How do you triage if a brute-force attack succeeded?

(1) Identify a successful login (event 4624) following multiple failures (event 4625) from the same source IP. (2) Check for legitimate use: was the user actually working at that time? Pull sign-in logs from M365/ADFS. (3) Geogra…