Category: Incident Response
Applies to: SOC Analysts, Help Desk, IR Teams
Last reviewed: 2025
Overview
This playbook covers response to phishing email reports — from initial user report through investigation, containment, and user notification. Phishing is the leading initial access vector. Fast response reduces credential compromise and malware execution.
Phase 1 — Initial Report & Triage
Goal: Quickly determine if the reported email is malicious and whether any user clicked or submitted credentials.
- ☐ Receive report via email security tool alert, user report, or helpdesk ticket
- ☐ Retrieve the original email (headers, body, attachments) — do NOT click links
- ☐ Extract key indicators: sender address, reply-to, subject line, links, attachments
- ☐ Check sender domain: new domain? lookalike? spoofed brand?
- ☐ Analyze links with URL sandbox (URLScan.io, VirusTotal, Any.run)
- ☐ Analyze attachments in sandbox if present
- ☐ Check email gateway logs — how many mailboxes received this email?
- ☐ Determine: did any user click the link or open the attachment?
- ☐ Determine: did any user submit credentials on a linked page?
- ☐ Assign severity:
- P1 — Credential submission confirmed or malware executed
- P2 — Link clicked, no confirmed submission
- P3 — Email received, no interaction
Phase 2 — Containment
Goal: Stop further exposure from this campaign.
- ☐ Delete or quarantine the email from all affected mailboxes (use email admin portal)
- ☐ Block sender domain and IP at email gateway
- ☐ Block malicious URLs at proxy/firewall/DNS
- ☐ Block malicious file hashes in EDR
- ☐ If credential submission confirmed:
- ☐ Force password reset for affected user(s) immediately
- ☐ Revoke all active sessions for affected accounts (M365, Google, SSO)
- ☐ If MFA fatigue (repeated push prompts) was used, disable the user's MFA app registration and re-enroll it
- ☐ If malware execution confirmed: escalate to malware IR playbook
Phase 3 — Investigation
Goal: Confirm full scope and determine if the incident escalates beyond phishing.
- ☐ Review all mailboxes that received the email
- ☐ Review email gateway logs for related campaigns (same sender infrastructure)
- ☐ Review proxy/DNS logs for any connections to the malicious URL
- ☐ For any users who clicked:
- ☐ Review EDR for process execution on their endpoint
- ☐ Check whether the browser syncs saved credentials (other stored passwords may be exposed)
- ☐ Review sign-in logs for impossible travel or new device logins
- ☐ Check for email forwarding rules set on the mailbox (common post-phish persistence)
- ☐ Check for OAuth application consent grants
- ☐ Identify if this is a targeted (spear phishing) or bulk campaign
- ☐ Check threat intel for known campaign attribution
Phase 4 — Eradication & Recovery
- ☐ Confirm all malicious emails purged from all mailboxes
- ☐ Confirm all blocked indicators are active at all enforcement points
- ☐ Remove any mailbox rules, delegations, or OAuth grants created by the attacker
- ☐ Confirm affected user credentials fully reset and sessions revoked
- ☐ Re-enroll MFA for affected users
- ☐ Brief affected users on what happened and what to watch for
Phase 5 — Post-Incident Review
- ☐ Document full timeline: report received → contained → recovered
- ☐ Identify why the email bypassed existing filters
- ☐ Review and tune email gateway rules based on this campaign
- ☐ Update phishing awareness training if a new technique was used
- ☐ Submit IOCs to threat intel platform / sharing community
Phishing Email Analysis Checklist
- URL reputation: VirusTotal, URLScan.io
- Domain age/registration: WHOIS, DomainTools
- Email header analysis: MXToolbox, manual review
- Attachment sandbox: Any.run, Hybrid Analysis
- Screenshot of phishing page: URLScan.io screenshot
Common Phishing Indicators
- Sender domain registered within last 30 days
- Display name matches trusted brand but domain doesn't
- Urgency language: "Your account will be suspended", "Immediate action required"
- Link destination domain doesn't match displayed text
- HTML attachment that renders a fake login page
- QR code directing to credential harvesting page
- Attachment: Office document with macro prompt, password-protected ZIP
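As an added example (not part of this playbook), a Python triage helper that performs the Phase 1 indicator extraction (sender, reply-to, subject, links) and flags the common indicators listed above on a constructed sample message. The sample addresses and the brand-to-domain map are assumptions; domain age still needs a WHOIS lookup and is not checked here.

```python
import email
import re
from email import policy

# Constructed sample report (not a real phish): brand display name on an
# unrelated domain, Reply-To elsewhere, link text/href mismatch, urgency wording.
SAMPLE_EML = """\
From: "Microsoft Account Team" <security@m1crosoft-login.example>
Reply-To: collect@other-domain.example
To: user@corp.example
Subject: Immediate action required: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Verify now:
<a href="http://m1crosoft-login.example/verify">https://login.microsoftonline.com</a>
</p></body></html>
"""
URGENCY = ("immediate action required", "account will be suspended")
TRUSTED_BRANDS = {"microsoft": "microsoft.com"}  # assumption: brand -> legitimate domain
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def url_domain(url):
    """Host of an http(s) URL, lowercased; '' when the text is not a URL."""
    m = re.match(r"https?://([\w.-]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def triage(raw):
    """Extract Phase 1 indicators and flag the checklist's common phishing signs."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0] if msg["From"] else None
    sender_dom = sender.domain.lower() if sender else ""
    flags = []
    for brand, legit in TRUSTED_BRANDS.items():  # trusted display name, wrong domain
        if (sender and brand in sender.display_name.lower()
                and sender_dom != legit and not sender_dom.endswith("." + legit)):
            flags.append("brand_domain_mismatch")
    if msg["Reply-To"] and msg["Reply-To"].addresses[0].domain.lower() != sender_dom:
        flags.append("reply_to_mismatch")  # replies go somewhere other than the sender
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    links = LINK_RE.findall(html)  # (href, visible text) pairs
    if any(url_domain(t) and url_domain(t) != url_domain(h) for h, t in links):
        flags.append("link_text_mismatch")  # destination differs from displayed URL
    if any(p in (msg["Subject"] or "").lower() or p in html.lower() for p in URGENCY):
        flags.append("urgency_language")
    if any((p.get_filename() or "").lower().endswith((".html", ".htm"))
           for p in msg.iter_attachments()):
        flags.append("html_attachment")  # may render a fake login page
    return {"sender_domain": sender_dom, "links": [h for h, _ in links], "flags": flags}
```

The returned links and sender domain are what the analyst then submits to the URL and domain reputation tools in the checklist; the flags feed the P1/P2/P3 severity decision together with the click and credential-submission checks.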