Think You've Been Hacked?

Don't panic. The steps you take in the first hour matter more than anything else. This guide covers the most common security incidents and exactly what to do right now.

Practical guidance for Australian businesses, aligned with OAIC notification requirements and cyber insurance obligations.

The First Hour Is Everything

When a security incident happens, the natural reaction is to try to fix it as fast as possible — change passwords, delete suspicious files, restart machines. But many of these instinctive actions can make things significantly worse. They can destroy forensic evidence, alert the attacker that they have been discovered (causing them to accelerate), or leave persistence mechanisms in place that let them walk right back in.

The scenarios below cover the most common security incidents Australian businesses face. For each one, we explain what to look for, what not to do (this is just as important), and the immediate steps you should take. These are based on real incidents we have responded to — not theoretical advice.

If you are unsure what type of incident you are dealing with, or if it does not match a scenario below, contact us directly. We provide emergency incident response and can help you assess and contain the situation.

1. Ransomware Attack
Severity: Critical

Signs You'll See

Files are encrypted or inaccessible. A ransom note appears on screens demanding payment in cryptocurrency. File extensions have changed (e.g., .locked, .encrypted). Multiple users affected simultaneously.

Do NOT

  • Do NOT attempt to decrypt files with unknown tools — you may destroy recovery options
  • Do NOT turn off affected machines — this can destroy volatile forensic evidence in memory

Do This Now

  • Disconnect affected systems from the network immediately (pull the Ethernet cable, disable Wi-Fi) — but leave them powered on
  • Identify the scope — which systems, servers, and file shares are affected?
  • Check whether your backups are intact and accessible (verify they have not been encrypted too)
  • Contact your cyber insurer — most policies require notification within 24-72 hours
  • Engage your incident response team, or Eviant, to investigate the root cause and assist with safe recovery
2. Business Email Compromise (BEC)
Severity: Critical

Signs You'll See

Clients or staff report receiving suspicious emails from your accounts. Mailbox rules have been created that you did not set up (forwarding, auto-delete). Sent items contain messages you did not write. An invoice was paid to a changed bank account. Unusual sign-in activity in your email audit logs.

Do NOT

  • Do NOT just change the password and assume it's resolved — attackers create persistence mechanisms
  • Do NOT delete the suspicious emails — they are evidence needed for investigation
  • Do NOT delay — if financial fraud is involved, contact your bank immediately to attempt transaction reversal

Do This Now

  • Reset the compromised account password immediately and revoke all active sessions
  • Check for and remove malicious mailbox rules (forwarding rules, auto-delete rules, inbox sweep rules)
  • Review OAuth/app consents — remove any apps you did not authorise
  • Check sign-in logs for unfamiliar locations, IP addresses, or devices
  • Notify anyone who may have received fraudulent emails from the compromised account
  • If financial transactions were redirected, contact your bank's fraud team within the hour
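The mailbox-rule and forwarding check in the list above, as an added example (not Eviant's tooling): a report-only sweep of every user mailbox in Exchange Online. It assumes the ExchangeOnlineManagement module is installed and the operator holds an Exchange administrator role; the folder names and "short rule name" heuristic are assumptions based on patterns commonly seen in BEC cases.

```powershell
# Added example: report inbox rules and mailbox forwarding that match BEC persistence.
# Nothing is changed; the CSV is kept as evidence before any rule is disabled.
Connect-ExchangeOnline -ShowBanner:$false

$findings  = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # Mailbox-level forwarding (set via admin rights or a hijacked session)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $upn; Rule = '<mailbox forwarding>'
            Reason  = "forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
        }
    }

    # -IncludeHidden also returns rules created outside Outlook that the user cannot see
    foreach ($rule in (Get-InboxRule -Mailbox $upn -IncludeHidden)) {
        $reasons = @()
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $reasons += 'forwards/redirects mail'
        }
        if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
        # Assumed heuristic: mail hidden in folders nobody reads
        if ("$($rule.MoveToFolder)" -match 'RSS|Archive|Conversation History|Junk') {
            $reasons += "moves mail to $($rule.MoveToFolder)"
        }
        # Assumed heuristic: rules named with a single character or left blank
        if (([string]$rule.Name).Trim().Length -le 1) { $reasons += 'suspicious rule name' }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Mailbox = $upn; Rule = $rule.Name; Reason = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path ".\inbox-rule-findings-$(Get-Date -Format yyyyMMdd-HHmm).csv"

# After the CSV is saved, disable a confirmed-malicious rule with:
#   Disable-InboxRule -Mailbox <upn> -Identity <rule identity>
```

Review each finding with the mailbox owner before disabling anything, since legitimate forwarding rules are common and the rule itself is evidence.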
3. Phishing: Employee Clicked a Link
Severity: High

Signs You'll See

An employee reports clicking a link in a suspicious email or entering credentials on an unfamiliar page. They may have received a fake MFA prompt they approved. A login page looked slightly different from normal. They downloaded and opened an unexpected attachment.

Do NOT

  • Do NOT ignore it because nothing 'seems wrong' — many attacks are silent initially
  • Do NOT assume MFA protected you — modern phishing kits steal session tokens and bypass MFA entirely

Do This Now

  • Reset the employee's password immediately and revoke all active sessions across all platforms
  • Check for any new MFA methods added to the account that the employee did not register
  • Review sign-in logs for the past 24 hours — look for unfamiliar IPs or locations
  • If an attachment was opened, isolate the device from the network and run a full EDR scan
  • Check whether the employee's credentials are used on other systems (password reuse)
  • Review the original phishing email — was it sent to other employees as well?
4. Antivirus or EDR Alert
Severity: High

Signs You'll See

Your endpoint protection (antivirus, EDR) has flagged a detection — malware, a potentially unwanted program (PUP), or suspicious behaviour. The alert may show as quarantined, blocked, or requiring action. Multiple detections on the same device or across several devices.

Do NOT

  • Do NOT just click 'quarantine' and assume it's handled — understand what was detected and how it got there
  • Do NOT ignore repeated alerts on the same device — this often indicates ongoing compromise

Do This Now

  • Read the alert details — what was detected, where was it found, and what action was taken?
  • Check if the same detection has appeared on other devices in your environment
  • Isolate the affected device if the threat was not fully remediated (most EDR tools have network isolation)
  • Review how the malware arrived — was it an email attachment, a download, a USB drive, or lateral movement?
  • If the detection is an infostealer, treat all credentials saved in browsers on that device as compromised
  • Escalate if you see detections for tools like Cobalt Strike, Mimikatz, or remote access trojans — these indicate a serious compromise
5. Suspected Data Breach
Severity: Critical

Signs You'll See

Unusual large data transfers or downloads in your logs. Customer or employee data found exposed online. Notification from a third party that your data has appeared in a breach. Regulatory body or journalist contact about a potential exposure. Unexpected cloud storage access or sharing changes.

Do NOT

  • Do NOT delay assessment — under the Australian Privacy Act, notifiable breaches must be reported to the OAIC within 30 days

Do This Now

  • Identify what data may have been accessed or exfiltrated — scope is the first priority
  • Preserve all relevant logs (access logs, cloud audit trails, email logs) before they rotate
  • Determine whether personal information is involved — this triggers notification obligations under the Privacy Act 1988
  • Engage your legal counsel and cyber insurer early — both need to be part of the response
  • Prepare to notify the OAIC if the breach is likely to result in serious harm to affected individuals
  • Document everything — your response process itself may be scrutinised
6. Infostealer Infection / Credentials on Dark Web
Severity: High

Signs You'll See

You have been notified that employee credentials have appeared in a dark web dump or threat intelligence feed. An employee's browser-saved passwords may have been stolen. Unusual login activity across multiple platforms from the same compromised user. Session hijacking — someone is logged into accounts without needing the password.

Do NOT

  • Do NOT only reset the one password that was found — infostealers steal ALL credentials saved in browsers
  • Do NOT assume MFA saved you — infostealers steal session cookies that bypass MFA completely
  • Do NOT overlook personal devices — if an employee uses the same browser profile for work and personal accounts, both are compromised

Do This Now

  • Reset ALL passwords saved in the browser on the affected device — not just the one that was flagged
  • Invalidate all active sessions across cloud platforms (Microsoft 365, Google Workspace, SaaS apps)
  • Check for and remove any new OAuth app consents or MFA methods added to affected accounts
  • Wipe and reimage the affected device — infostealers often leave additional backdoors
  • Review whether the compromised credentials provide access to VPN, admin panels, or financial systems
  • Consider enrolling in ongoing dark web monitoring for your organisation's domains
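The per-account containment steps shared by the phishing scenario (section 3) and this infostealer scenario, as an added example (not Eviant's tooling): revoke every active session, then list the registered MFA methods and delegated OAuth consents so unfamiliar ones can be removed. It assumes the Microsoft.Graph PowerShell SDK is installed and the operator can consent to the listed scopes; run it after the password reset.

```powershell
# Added example: Microsoft 365 session revocation plus MFA-method and OAuth-consent review.
# Usage: .\contain-account.ps1 -Users user1@example.com.au,user2@example.com.au
param([Parameter(Mandatory)][string[]]$Users)   # UPNs of the affected accounts

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.Read.All',
                        'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All'

foreach ($upn in $Users) {
    $user = Get-MgUser -UserId $upn -Property Id,UserPrincipalName
    Write-Host "== $($user.UserPrincipalName)"

    # 1. Invalidate every refresh token and session so a stolen cookie stops working.
    #    The user will have to sign in again on every device.
    $null = Revoke-MgUserSignInSession -UserId $user.Id
    Write-Host "   sessions revoked at $(Get-Date -Format o)"

    # 2. Registered authentication methods: any phone, authenticator app, FIDO key or
    #    email the user does not recognise is attacker-added persistence.
    Get-MgUserAuthenticationMethod -UserId $user.Id | ForEach-Object {
        $type   = $_.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
        $detail = ($_.AdditionalProperties.GetEnumerator() |
            Where-Object { $_.Key -in 'phoneNumber', 'displayName', 'emailAddress' } |
            ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
        Write-Host "   MFA method: $type $detail (id $($_.Id))"
    }

    # 3. Delegated OAuth consents granted by this user: an unknown app holding
    #    Mail.Read / Mail.ReadWrite / offline_access is the classic mailbox-persistence pattern.
    Get-MgUserOauth2PermissionGrant -UserId $user.Id | ForEach-Object {
        $app = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        Write-Host "   OAuth grant: $($app.DisplayName) scopes=[$($_.Scope.Trim())] (grant id $($_.Id))"
    }
}

# Record the output in the incident timeline first. Then remove a confirmed-malicious
# consent with:   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <grant id>
# and a rogue MFA method with the matching Remove-MgUserAuthentication*Method cmdlet.
```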

Regardless of the Incident Type

No matter what type of security incident you are dealing with, these principles apply to every situation:

Preserve Evidence

Do not delete files, clear logs, or rebuild systems until the scope of the compromise is understood. Evidence you destroy now cannot be recovered, and it may be required by insurers, regulators, or law enforcement.

Contain, Then Investigate

The priority is to stop the bleeding — isolate affected systems, revoke compromised credentials, block known malicious IPs. Investigation comes second. You cannot investigate while the attacker is still active.

Notify Your Cyber Insurer Early

Most cyber insurance policies have strict notification timeframes (typically 24-72 hours). Late notification can void coverage. Your insurer may also have a pre-approved panel of incident response firms they require you to use.

Know Your Obligations

Under the Australian Privacy Act (Notifiable Data Breaches scheme), if personal information is involved and there is a risk of serious harm, you are legally required to notify the OAIC and affected individuals. The threshold for this is lower than most businesses expect.

Document Everything

Keep a timeline of what happened, when it was discovered, and every action taken in response. This log is critical for insurance claims, regulatory reporting, and preventing similar incidents in the future.

Emergency Incident Response

Need Help Right Now?

If you are currently dealing with a security incident, we can help. Eviant provides incident response services for Australian businesses — from initial triage and containment through to full forensic investigation and recovery.

Rapid Triage & Containment

We help you assess the situation, determine the scope of the compromise, and take immediate containment actions to stop the attack.

Digital Forensics & Root Cause

Disk, memory, and log analysis to determine exactly what happened, how the attacker got in, and what data was accessed.

Recovery & Hardening

Secure system restoration, credential resets, security control implementation, and guidance to prevent recurrence.

Insurance & Regulatory Support

We provide the documentation and evidence your insurer and regulators need, including breach notification support for OAIC reporting.

Prevention Is Cheaper Than Response

The best incident response is the one you never need. Our Small Business Security Baseline covers the controls that prevent the majority of these incidents from happening in the first place.

8 practical controls, aligned with the Essential Eight, designed for Australian businesses.

Experiencing a Security Incident?

Contact us now for emergency incident response. We'll help you contain, investigate, and recover.