# Remediate an Account Compromise

> Step-by-step guide for handling and remediating compromised accounts in Petra

## Overview

The Remediation Actions panel guides you through the 6 steps of remediating an account compromise:

1. [Revoke Sessions and Lock Account](#step-1%3A-revoke-sessions-and-lock-account)
2. [Retract Phishing Emails](#step-2%3A-retract-phishing-emails)
3. [Disable Persistence Mechanisms](#step-3%3A-disable-persistence-mechanisms)
4. [Reset Password](#step-4%3A-reset-password)
5. [Re-enable Account](#step-5%3A-re-enable-account)
6. [Mark as Remediated](#step-6%3A-mark-as-remediated)

<Frame caption="Remediation Actions Panel">
  <img src="https://mintcdn.com/petrasecurity-7f411ce9/FbukLCiw2zkqhqG8/images/remediation_actions_panel.png?fit=max&auto=format&n=FbukLCiw2zkqhqG8&q=85&s=b515746b92ada4b2d0f051ece06e56f5" width="3424" height="1996" data-path="images/remediation_actions_panel.png" />
</Frame>

### Step 1: Revoke Sessions and Lock Account

<Check>
  **Revoke Sessions and Lock Account** should be your first action when remediating a compromise.
</Check>

In the **Remediation Actions panel**, click the **Revoke Sessions and Lock Account** button to immediately:

* Terminate all active user sessions
* Lock the compromised account
* Prevent further unauthorized access

<Info>
  **Revoke Sessions and Lock Account** works for all account types, including on-prem synced and
  hybrid accounts.
</Info>

### Step 2: Retract Phishing Emails

Similar phishing emails are identified automatically and can be moved to Deleted Items.

<Frame caption="Stop others from falling for the same phish">
  <img src="https://mintcdn.com/petrasecurity-7f411ce9/FbukLCiw2zkqhqG8/images/similar_phish_retraction.png?fit=max&auto=format&n=FbukLCiw2zkqhqG8&q=85&s=ebb7c82433802136c4db5c5c645d8620" alt="Similar Phish Retraction" width="3174" height="1724" data-path="images/similar_phish_retraction.png" />
</Frame>

#### Mark as Phish

Petra tags the phishing email on the incident automatically in most cases. When it can't, you'll need to tag it yourself so that retraction, cross-tenant search, and reporting know which email is the phish.

To tag manually: open the incident, find the suspicious email in the Exchange Logs, hover over it, and click **Mark as Phish**. The email will show a **Phish** badge next to the subject line once it's tagged.

<Info>
  **Mark as Phish** tags the email as the phishing email for the incident. It does not remove the email from inboxes. Use the retraction button in Step 2 to move it to Deleted Items across the tenant, or [Cross-tenant phish retraction](#cross-tenant-phish-retraction) for matching emails across other tenants.
</Info>

#### Cross-tenant phish retraction

If you manage multiple tenants, Petra identifies matching phishing emails across all of your managed tenants and surfaces them in the **Cross-Tenant Phish** panel below the tagged phish in the incident's Remediation Actions panel. This panel shows each tenant where the same phish was found, along with the sender, subject, and affected mailboxes.

You can select individual emails or entire tenants for retraction. Clicking a tenant name opens that tenant's Email tab with the subject and sender filters pre-populated, so you can review before taking action.

<Frame caption="Cross-Tenant Phish Revocation in the Remediation Actions panel">
  <img src="https://mintcdn.com/petrasecurity-7f411ce9/j96fj7AdhG81XnGx/images/cross-tenant-phish-revocation.png?fit=max&auto=format&n=j96fj7AdhG81XnGx&q=85&s=dfab44e1f6bfad62159b183f47b29738" alt="Cross-Tenant Phish Revocation" width="1982" height="830" data-path="images/cross-tenant-phish-revocation.png" />
</Frame>

<Tip>
  Spotted a phish in the wild that isn't tied to an incident and want to sweep it across every tenant you manage? See [Cross-Tenant Phish Removal](/remediation/cross-tenant-phish-removal) for the proactive, ad hoc flow.
</Tip>

### Step 3: Disable Persistence Mechanisms

Attackers often create persistence mechanisms to maintain access even after password changes. Petra identifies these mechanisms and lets you one-click disable them.

These include:

* Mail filter rules
* App registrations
* Service principals
* Malicious device registrations
* Phishing emails sent internally
* Phishing emails still in mailboxes in your environment

<Frame caption="Remediate inbox rules and app registrations">
  <img src="https://mintcdn.com/petrasecurity-7f411ce9/v2OWWC-gCEvr839N/images/inbox-rule-and-app-remediation.png?fit=max&auto=format&n=v2OWWC-gCEvr839N&q=85&s=f8c1543103e8df286a4e13b1d40dd3a0" alt="Remediate inbox rules and app registrations" width="2188" height="1214" data-path="images/inbox-rule-and-app-remediation.png" />
</Frame>

<Tip>
  All of these persistence mechanisms are auto-identified and can be removed in one click. Use the
  **Remediation Actions panel** to remove them.
</Tip>

### Step 4: Reset Password

After removing all persistence mechanisms:

1. Click the **Reset Password** button. Petra generates a new password, applies it to the account, and then shows you the new password.
2. Communicate the new password securely to the user. We recommend calling them.

### Step 5: Re-enable Account

After resetting the password, you can re-enable the account.

### Step 6: Mark as Remediated

Once all remediation steps are complete:

1. Click **Mark as Remediated**
2. This changes the incident status to "Remediated"
3. The remediation panel will auto-hide for cleaner viewing

## Post-Remediation

After remediation, the incident page remains available for:

* Generating incident reports
* Exporting data to share with clients
* Reviewing the incident timeline and details
* Further investigation if needed

<Info>
  You can always expand the remediation panel again if you need to review or modify any remediation
  actions taken.
</Info>

<Tip>The Demo Tenant (Acme Corp) is a phenomenal place to see all of this in action.</Tip>
