Phishing attacks are no longer treated only as an email security problem. After a successful attempt, the services accessed by the attacker, the tokens used and the device traces left behind define the real scope of the incident.
Identity security teams are therefore combining MFA status, geographic inconsistencies, new device signals and access to sensitive applications in a single incident context.
Tracking the attack chain after identity compromise, rather than stopping at the phishing message, can meaningfully shorten response time.