🚀 Executive Summary

TL;DR: A well-meaning user forwarded a credential harvesting phishing email to the entire company, leading to four clicks. The solution involved immediate email purging, blocking the attacker, isolating compromised machines, implementing technical controls like Safe Links and mail flow rules, and fostering a blameless security culture through dedicated reporting channels and phishing simulations.

🎯 Key Takeaways

  • Utilize Content Search and Purge (Security & Compliance PowerShell: `New-ComplianceSearch`, then `New-ComplianceSearchAction -Purge -PurgeType HardDelete`) to remove a malicious email from every company mailbox at once. Purge the internal forward as well as the attacker’s original; they are two different messages with two different Message-IDs.
  • Implement Safe Links or URL Rewriting features in email security gateways (e.g., M365 Defender) to scan and block malicious URLs in real-time when a user clicks them.
  • Establish a dedicated `phishing@yourcompany.com` email address and train users to *attach* suspicious emails to a new message sent to this address, preserving original headers for investigation and preventing accidental clicks.


When a well-meaning user forwards a phishing email to the entire company, it’s a security fire drill waiting to happen. Here’s a breakdown of the immediate, permanent, and cultural fixes to handle the fallout and prevent it from ever happening again.

The ‘Is This Legit?’ Email: How One User’s Question Can Trigger a Company-Wide Crisis

It was 4:45 PM on a Friday. We were monitoring the final smoke tests after a painful deployment to our `prod-billing-api-02` cluster. The finish line was in sight. Then, my Teams notification chimed. It was a junior dev: “Hey, did you see this email from Carol in Accounting?” Attached was a screenshot. My heart sank. There it was, in all its glory: a classic credential harvesting email, forwarded by Carol to the `all-employees@techresolve.com` distribution list with the simple, innocent subject line: “Fwd: Is this legit?” The original subject was “Urgent: Action Required on Your Payroll Information.” I could already feel my weekend slipping away.

Why This Is More Than Just “User Error”

Before we grab the pitchforks, let’s get one thing straight. Carol wasn’t malicious. She was trying to be diligent. She saw something suspicious and, in the absence of a clear process, she did what seemed logical: she asked everyone. The real problem isn’t Carol; it’s that we, the tech and security teams, failed her. We gave her a locked door (`spam-filter-01`) but didn’t tell her where to turn in a suspicious key she found on the ground. The root cause is a process and training gap, not a people problem.

When this happens, you have two immediate problems:

  • The original phishing email is now implicitly “vouched for” by an internal colleague, making it far more likely that people will click it.
  • Your entire company is now distracted, with dozens of people “replying all” to say it’s a scam, creating a storm of noise that buries the actual risk.

The Fixes: From Firefighting to Fireproofing

Okay, the damage is done. People are clicking, and the clock is ticking. Here’s how we handle it, from the immediate panic to the long-term solution.

1. The Quick Fix: Stop the Bleeding (Your First 30 Minutes)

This is all about damage control. Your goal is to contain the threat and assess the blast radius immediately. No long-term strategy, just pure tactical response.

  1. Search and Destroy the Email: You need to rip that email out of every single inbox in the company, right now. In Microsoft 365, this is a job for a Content Search and Purge. You don’t have time to ask people to delete it. One thing that is easy to miss in the heat of the moment: the copy sitting in every inbox is Carol’s forward, not the attacker’s original. It was sent by Carol, to `all-employees@techresolve.com`, with the subject “Fwd: Is this legit?”, so a search keyed on the scammer’s address alone will miss it. Purge both messages.

    # PowerShell example for Exchange Online. Run Connect-ExchangeOnline (message trace)
    # and Connect-IPPSSession (the *-ComplianceSearch cmdlets) first.

    # Step 1: Find the message. Get-MessageTrace has no -Subject parameter (and only
    # covers the last 10 days), so narrow by sender and date, then filter the subject.
    $message = Get-MessageTrace -SenderAddress "scammer@evilcorp.com" `
        -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
        Where-Object { $_.Subject -like "Urgent: Action Required*" } |
        Select-Object -First 1 -ExpandProperty MessageId

    # Step 2: Create a search for that specific Message-ID across all mailboxes.
    # Repeat for Carol's forward (sender carol@techresolve.com, subject "Fwd: Is this legit?").
    New-ComplianceSearch -Name "PhishPurge-2023-10-27" -ExchangeLocation All `
        -ContentMatchQuery "MessageID:`"$message`""

    # Step 3: Start the search, wait for it, then PURGE it (max 10 items per mailbox per action)
    Start-ComplianceSearch -Identity "PhishPurge-2023-10-27"
    while ((Get-ComplianceSearch -Identity "PhishPurge-2023-10-27").Status -ne "Completed") { Start-Sleep -Seconds 15 }
    New-ComplianceSearchAction -SearchName "PhishPurge-2023-10-27" -Purge -PurgeType HardDelete
  2. Block the Attacker: While the search is running, get into your mail gateway (Defender, Proofpoint, etc.) and block the sender’s domain, the phishing URL, and any sending IP addresses you can identify from the email headers. In M365 that is the Tenant Allow/Block List. It’s a hacky game of whack-a-mole, but it stops the immediate bleeding.
  3. Identify the Clickers: This is crucial. Your Safe Links click reports (if click tracking is on), web proxy, DNS, or EDR logs are your best friends. Search them for the phishing domain from the moment the forward went out, and build a list of users and their machines.
  4. Isolate and Communicate: For the four people who clicked, treat their accounts as compromised until proven otherwise. This was a credential harvester, so what the attacker now holds is a username and password (and, with a proxying kit, a working session cookie). Force a password reset, revoke their active sessions and refresh tokens, and check their mailboxes for new inbox rules, forwarding, or unfamiliar MFA methods. Isolate their devices from the network as well if the page served anything beyond a login form, or if you can’t tell yet. Then send a brief, calm email to the entire company: “You may have seen an email with the subject ‘Urgent: Action Required’. This was a phishing attempt. We have removed it from all mailboxes. Please do not click any links if you still see it.”
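Steps 2 through 4 for an M365 tenant, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, an admin role permitted to reset passwords and revoke sessions, and that `$clickers` is the list you built from the logs; the two addresses in it, `evilcorp.com`, and the mailbox names are constructed placeholders.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement and
# Microsoft.Graph modules and an admin role allowed to reset passwords and revoke sessions.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All", "UserAuthenticationMethod.Read.All"

# Constructed placeholder list; replace with the users you identified in the logs.
$clickers = @("user1@techresolve.com", "user2@techresolve.com")

# Step 2: block the sending domain tenant-wide (Tenant Allow/Block List) while the purge runs.
New-TenantAllowBlockListItems -ListType Sender -Entries "evilcorp.com" -Block -NoExpiration

# Step 4: treat each clicker's account as compromised.
foreach ($upn in $clickers) {
    Write-Host "== $upn =="

    # (a) Reset the password to a random value the user must change at next sign-in.
    #     Hand it over out-of-band (phone, in person), never by email to the same mailbox.
    $tempPassword = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    Update-MgUser -UserId $upn -PasswordProfile @{
        Password                      = $tempPassword
        ForceChangePasswordNextSignIn = $true
    }

    # (b) Revoke refresh tokens and sessions. A password reset alone leaves tokens the
    #     attacker already obtained (e.g. via a proxying phishing kit) valid until they expire.
    Revoke-MgUserSignInSession -UserId $upn | Out-Null

    # (c) Persistence check 1: inbox rules that forward, redirect or silently delete mail.
    Get-InboxRule -Mailbox $upn |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage -AutoSize

    # (d) Persistence check 2: mailbox-level forwarding set outside inbox rules.
    Get-Mailbox -Identity $upn |
        Format-List ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

    # (e) Persistence check 3: MFA methods. A phone number or authenticator the user does
    #     not recognize means the attacker registered their own second factor.
    Get-MgUserAuthenticationMethod -UserId $upn |
        Select-Object Id, @{ n = "Type"; e = { $_.AdditionalProperties["@odata.type"] } }
}
```

Order matters: revoke sessions after the password reset, not before, otherwise the attacker can simply sign back in with the password they already have. Anything the persistence checks turn up (a rule that forwards to an outside address, a second authenticator you cannot account for) is evidence the account was actually used, not just phished, and moves that user from “reset and monitor” to a proper mailbox investigation.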

Pro Tip: Don’t name and shame. Never call out the users who clicked or the user who forwarded the email in a company-wide communication. It destroys trust and makes people afraid to report future mistakes.

2. The Permanent Fix: Building the Guard Rails

The fire is out. Now you need to fireproof the building. This involves implementing technical controls and processes that don’t rely on every single user being a security expert 100% of the time.

Technical Controls:

  • Enable Safe Links/URL Rewriting: This is a non-negotiable feature in M365 Defender or other modern email gateways. It rewrites every link in an incoming email to route through a Microsoft (or other vendor) proxy. When a user clicks, the destination is checked at that moment; if it is known bad, the user lands on a block page instead of the phishing site. Two caveats: it is time-of-click, so a brand-new phishing domain can slip through until it has been classified, and click tracking must be on if you want the click log to answer “who clicked?” during the next incident. Turn it on for internal senders too, so a forwarded copy like Carol’s is covered. Done right, it turns a potential disaster into a non-event.
  • Create Mail Flow Rules: A simple but surprisingly effective control is to automatically prepend a warning to the subject line of all external emails.
Condition: The sender is located ‘Outside the organization’
Action: Prepend the subject with ‘[EXTERNAL] ’
Exception: Sender domain is ‘trusted-partner.com’ or ‘our-other-domain.com’
The tag is stamped on the inbound message, so it helps the first recipient (Carol) recognize the original; it does not mark an internal forward, and it only travels with the forward if the subject is left intact. Keep the exception list short: every domain you exempt is one an attacker only needs to spoof or compromise to arrive untagged.
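The two controls above as Exchange Online / Defender for Office 365 PowerShell, as an added example that is not part of the original post: a Safe Links policy plus the rule that scopes it to recipients, then the [EXTERNAL] transport rule. It assumes `Connect-ExchangeOnline` has already been run by an admin with a Defender for Office 365 license in the tenant; the policy and rule names, `techresolve.com`, and the two exception domains are placeholders.

```powershell
# Added example (not from the original post). Run Connect-ExchangeOnline first.

# --- Safe Links: rewrite URLs on delivery and check them at time of click ---
$safeLinks = @{
    Name                     = "Standard Safe Links"
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true    # scan the URLs in the body before delivery
    DeliverMessageAfterScan  = $true    # hold the message until that scan completes
    EnableForInternalSenders = $true    # rewrite links in internal mail too, so a forward like Carol's is covered
    TrackClicks              = $true    # keep click data; this is what answers "who clicked?"
    AllowClickThrough        = $false   # no "continue anyway" link on the block page
}
New-SafeLinksPolicy @safeLinks

# A policy does nothing until a rule scopes it to recipients.
New-SafeLinksRule -Name "Standard Safe Links" -SafeLinksPolicy "Standard Safe Links" `
    -RecipientDomainIs "techresolve.com"

# --- Mail flow rule: tag mail from outside the organization in the subject ---
$externalTag = @{
    Name                   = "Tag external senders"
    FromScope              = "NotInOrganization"
    PrependSubject         = "[EXTERNAL] "          # trailing space so the tag does not run into the subject
    ExceptIfSenderDomainIs = @("trusted-partner.com", "our-other-domain.com")
    Priority               = 0                      # evaluate before other rules
}
New-TransportRule @externalTag

# --- Verify what was created ---
Get-SafeLinksPolicy -Identity "Standard Safe Links" |
    Format-List EnableSafeLinksForEmail, EnableForInternalSenders, ScanUrls, TrackClicks, AllowClickThrough
Get-TransportRule -Identity "Tag external senders" |
    Format-List FromScope, PrependSubject, ExceptIfSenderDomainIs, Priority
```

The sender-domain exceptions are evaluated on the message’s From domain, so they are only as trustworthy as your anti-spoofing (SPF, DKIM, DMARC enforcement) for those partner domains. If a partner cannot pass DMARC, do not exempt them; a tagged legitimate email is a minor annoyance, an untagged forged one is the next incident.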

Process Controls:

This is the most important part. You need to give users a big, red, easy-to-press “panic button.”

  • Create a dedicated, easy-to-remember email address like security@yourcompany.com or phishing@yourcompany.com.
  • Train users—relentlessly—that if they see a suspicious email, they should NOT forward it. Instead, they should create a new email to phishing@yourcompany.com and attach the suspicious email to it. This preserves the original headers, which are critical for your investigation, and prevents anyone from accidentally clicking the links. If you are on M365, the built-in Report button in Outlook can be pointed at the same mailbox, which removes the “attach, don’t forward” step entirely.

3. The ‘Nuclear’ Option: Fixing the Culture

This is the hardest but most effective fix. You have to shift the culture from one of fear and blame to one of shared responsibility.

  • Run Phishing Simulations: Sign up for a service like KnowBe4 or use the built-in Attack simulation training in M365 Defender. Send safe, controlled phishing emails to your own users. The people who click aren’t punished; they are automatically enrolled in a short, 5-minute training video on how to spot the red flags they missed. This provides immediate, contextual feedback.
  • Practice Blameless Post-Mortems: After an incident like Carol’s, hold a review. The focus should be on the question, “How did our system allow this to happen?” not “What did Carol do wrong?” Did we lack a clear reporting channel? Was our training ineffective? The goal is to fix the process, not blame the person.

Warning: The moment you punish a user for reporting a security mistake, you’ve guaranteed the next person will hide their mistake instead. A culture of fear is a security team’s worst enemy. Treat your users as part of your sensor grid, not as liabilities.

In the end, the “Is this legit?” email isn’t a sign of a bad employee. It’s a sign of a good employee trying to help in a system that wasn’t designed to let them. By containing the immediate threat, hardening our systems, and—most importantly—building a culture of trust, we can turn these potential fire drills into simple, teachable moments.

Darian Vance, Lead Cloud Architect & DevOps Strategist

With over 12 years in system architecture and automation, Darian specializes in simplifying complex cloud infrastructures. An advocate for open-source solutions, he founded TechResolve to provide engineers with actionable, battle-tested troubleshooting guides and robust software alternatives.


🤖 Frequently Asked Questions

❓ What is the immediate response when a phishing email is forwarded internally and clicked?

Immediately perform a Content Search and Purge to remove both the original email and the internal forward from all inboxes, block the sender at the mail gateway, identify users who clicked via logs (Safe Links click reports, proxy, DNS, EDR), force password resets and revoke their sessions, check their mailboxes for new inbox rules or forwarding, isolate their devices if anything beyond a login page was served, and send a company-wide alert without naming individuals.

❓ How do modern email security solutions prevent widespread phishing incidents compared to basic spam filters?

Modern solutions like M365 Defender’s Safe Links rewrite URLs, scanning them in real-time upon click and blocking access to malicious sites. They also offer advanced threat intelligence, automated remediation, and mail flow rules (e.g., prepending ‘[EXTERNAL]’ to subjects) far beyond basic spam filtering, which primarily focuses on initial delivery.

❓ What is a common implementation pitfall in responding to internal security incidents, and how can it be avoided?

A common pitfall is blaming or punishing the user who forwarded the email or clicked the link, which destroys trust and discourages future reporting. This can be avoided by conducting blameless post-mortems focused on process and system improvements, and by treating users as part of the ‘sensor grid’ rather than liabilities.
