Incident Response Playbook – Phishing Investigation

Every organization faces cyberattacks, and phishing is the method attackers most often use in the wild to carry out an attack successfully. Many detection and prevention products on the market help contain or prevent phishing attacks, such as Microsoft Defender for Office 365, Mimecast, Cisco, Darktrace, etc. Even with these products in place, it is still essential to analyze the flagged emails and confirm whether they are true positives or false positives, since the verdict of an email security product cannot be relied on by itself. This is where blue teamers or the SOC team play an important role in shaping an organization's phishing protection, through proper whitelisting of domains, detection and analysis of phishing emails, and so on. Organizations often obtain SOC services from third parties, who provide in-depth analysis of phishing emails and take preventive actions on their clients' behalf. Still, many organizations lack an incident response process for reacting to phishing and other cyberattacks. In this article, we discuss an incident response playbook for phishing attacks that covers every phase of incident response: preparation, detection, analysis, containment, eradication, recovery, and post-incident.


Preparation:

  • Instruction in the handling of phishing, spear phishing, and whale phishing incidents for the Security Operations team and resolver groups.
  • Walkthroughs and simulations of incidents involving the participants in the incident response process.
  • Regularly review and update the incident response procedures and playbooks.
  • Incident avoidance through strict web and email filtering policies (using proxy services such as Zscaler). To help users judge an email’s origin, a tag can also be added to the subject line of any email that originates from an external domain.


Detection:

  • The end user discovers the event after clicking a phishing link and reports it.
  • Service desk staff report an occurrence through the ticketing tool.
  • SOC alert or notification: rule-based alerts configured to fire on any suspicious email flagged as phishing by anti-phishing tools such as Office 365, Mimecast, Cisco, Darktrace, etc.
  • Notification of suspicious activity (such as suspicious emails or other activity) affecting client users by a third party or external party. In this scenario, end users can notify the SOC team by using the ticketing tool.
  • Escalation from a different playbook, from which the SOC team may confirm and dig deeper into related incidents found during the investigation, such as credential theft and password spray attacks.


Analysis:

  • The Incident Management Severity Matrix can be used to help determine the severity level of an incident. If the severity rating is serious or extreme, contact the MIM manager to take charge of the issue.
  • Review the account’s email security events, such as:
    ◦ Identify the external emails and domains that are part of the activity.
    ◦ Check the reputation of the external IPs involved in the detected phishing attack.
    ◦ Verify whether this is related to any internal phishing campaign.
    ◦ Verify whether any user has clicked a URL that the email security tools have labeled as phishing. Check the reputation of the URL using free and open-source services such as AbuseIPDB, DShield, IBM X-Force Exchange, IPVoid, and VirusTotal.
    ◦ Examine the event payloads to determine whether the user has set up any questionable forwarding rules for their inbox, or whether the internal user has sent several questionable spam or phishing emails to external and internal recipients. If so, the account may have been compromised.
    ◦ Obtain the destination host’s details and verify that it is operational.
    ◦ Check the systems for malware infection to determine whether any malware was downloaded as a result of the phishing attempt.
  • Determine the root cause:
    ◦ Examine the logs.
    ◦ Examine the user’s or source IP’s previous logs to see whether any other questionable incidents have been noted.
    ◦ Verify whether the email security solution has blocked the suspect website.
    ◦ Check whether that external IP is blocked at the firewalls.
    ◦ Verify whether the sender is associated with the company through a third or fourth party, to make sure the message did not originate from a known compromised email address.
    ◦ Examine the sign-in behavior of the user who provided the login information or downloaded any payload, and watch for any unusual login activity.
  • Investigate the impact.
  • Verify that compromised systems are functioning normally by auditing every host or user impacted by the spear phishing, phishing, or whale phishing attack. Any changes to permissions or configuration should be closely monitored.
  • Recommendations for phishing:
    ◦ Users who have clicked any link in the phishing email should immediately change their AD passwords.
    ◦ Block the domain as well as the originating IP address.
    ◦ If the sender address does not belong to a reputable vendor, block the sender.
    ◦ Send staff awareness emails educating and informing them about the phishing attack or campaign.
    ◦ If it is a phishing campaign, remove the phishing emails from all recipients’ inboxes.
    ◦ If the phishing email contains any malware, check all recipient hosts for infection and clean them.
    ◦ Block all emails with harmful URLs in the body.
    ◦ If there are numerous recipients, the mail needs to be removed from their mailboxes.
    ◦ If the email originated from a compromised vendor, notify the vendor’s security or IT team of the phishing attempt.
  • Store all evidence. This can include, but is not limited to:
    ◦ A list of all the attachments and links sent via the email.
    ◦ An inventory of every malicious attacker IP.
    ◦ A list of the impacted hosts and users.
    ◦ A list of all harmful external email addresses.
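The analysis steps above (identify external senders, relay IPs and URLs, hash attachments, compare against a blocklist) and the evidence list they feed are easy to automate for the first-pass triage of a reported email. The following script is an added example, not code from the original article; the mail domain `corp.example`, the blocklist entry, the internal address ranges, the double-extension heuristic and the sample message (every address, domain and IP in it is fictitious) are all assumptions made for the example. It parses a raw `.eml`, pulls out the sender domain, recipients, external relay IPs from the `Received` headers, body URLs and attachment hashes, and returns the evidence record together with the indicators that would justify escalation.

```python
import email
import hashlib
import ipaddress
import re
from email import policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the organisation's own mail domain, the
# address ranges treated as internal, and a blocklist built from earlier
# incidents. All of these are made up.
INTERNAL_DOMAINS = {"corp.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BLOCKED_DOMAINS = {"example-support.test"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Heuristic: a document-looking extension followed by an executable one.
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|js|vbs|bat|cmd|ps1|lnk)$", re.I)

# Constructed sample of a reported message; every address, domain and IP is fictitious.
# The attachment is the base64 of the text "not really a pdf", not a real executable.
RAW_EML = """\
Received: from mail.example-support.test (mail.example-support.test [203.0.113.45])
 by mx.corp.example with ESMTP id abc123; Mon, 01 Jan 2024 09:00:00 +0000
Received: from [10.0.0.5] by mail.example-support.test; Mon, 01 Jan 2024 08:59:00 +0000
From: "IT Helpdesk" <helpdesk@example-support.test>
To: alice@corp.example
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at https://login.example-support.test/reset?u=alice
Or use the portal at http://corp.example/portal
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

bm90IHJlYWxseSBhIHBkZg==
--BOUNDARY--
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _matches(domain: str, domains: set) -> bool:
    domain = (domain or "").lower()
    return any(domain == d or domain.endswith("." + d) for d in domains)


def is_internal_domain(domain: str) -> bool:
    return _matches(domain, INTERNAL_DOMAINS)


def is_blocked_domain(domain: str) -> bool:
    return _matches(domain, BLOCKED_DOMAINS)


def is_external_ip(ip_text: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def triage(raw_eml: str) -> dict:
    """Parse one reported email and return the evidence record the playbook asks for."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2].lower()
    rcpt_headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    recipients = [addr for _, addr in getaddresses(rcpt_headers)]

    # Each relay prepends its own Received header; the external IPs in them are
    # the ones worth a reputation lookup (AbuseIPDB, VirusTotal, ...).
    relay_ips = []
    for hdr in msg.get_all("Received", []):
        for ip in IP_RE.findall(str(hdr)):
            if is_external_ip(ip) and ip not in relay_ips:
                relay_ips.append(ip)

    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "(unnamed)"
            attachments.append({"filename": name, "size": len(data), "sha256": sha256_hex(data)})
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                if url not in urls:
                    urls.append(url)

    url_hosts = [urlparse(u).hostname or "" for u in urls]
    external_url_hosts = sorted({h for h in url_hosts if not is_internal_domain(h)})

    indicators = []
    if not is_internal_domain(sender_domain):
        indicators.append(f"external sender: {sender_domain}")
    if is_blocked_domain(sender_domain):
        indicators.append(f"sender domain on blocklist: {sender_domain}")
    for host in external_url_hosts:
        if is_blocked_domain(host):
            indicators.append(f"url host on blocklist: {host}")
    for att in attachments:
        if DOUBLE_EXT_RE.search(att["filename"]):
            indicators.append(f"attachment double extension: {att['filename']}")

    return {"sender": sender, "sender_domain": sender_domain, "recipients": recipients,
            "relay_ips": relay_ips, "urls": urls, "external_url_hosts": external_url_hosts,
            "attachments": attachments, "indicators": indicators}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(RAW_EML), indent=2))
```

The returned dictionary maps directly onto the evidence list in the playbook: `urls` and `attachments` are the links and attachments, `relay_ips` the attacker IPs to run through the reputation services, `recipients` the impacted users, and `sender` the external address to block. The internal ranges are checked explicitly rather than with `ipaddress`'s `is_global`, because the documentation range used in the sample would otherwise be classed as non-public.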
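The playbook's check for "questionable forwarding rules" is the single most reliable sign that a phished account is already being used by someone else, so it is worth encoding the review rather than eyeballing rule lists. The script below is an added example, not code from the article; the rule records are constructed, and their field names (`forward_to`, `redirect_to`, `delete`, `move_to_folder`, `subject_contains`) are an assumption chosen to resemble what a mailbox-rule export typically contains rather than any product's exact schema. It scores each enabled rule for the patterns the analysis step describes: forwarding or redirecting to an external address, forward-then-delete, and diverting security-related mail into folders the owner rarely reads.

```python
# Constructed sample of inbox rules for two mailboxes. The field names are an
# assumption for this example, chosen to resemble what a mailbox-rule export
# exposes (name, forward/redirect targets, delete/move actions, subject filter).
INTERNAL_DOMAINS = {"corp.example"}

SAMPLE_RULES = [
    {"mailbox": "alice@corp.example", "name": "Team digest", "enabled": True,
     "forward_to": ["bob@corp.example"], "redirect_to": [], "delete": False,
     "move_to_folder": None, "subject_contains": []},
    {"mailbox": "alice@corp.example", "name": ".", "enabled": True,
     "forward_to": ["archive.mailbox@mail-drop.test"], "redirect_to": [], "delete": True,
     "move_to_folder": None, "subject_contains": ["password", "invoice", "security alert"]},
    {"mailbox": "alice@corp.example", "name": "Newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to_folder": "RSS Feeds", "subject_contains": []},
    {"mailbox": "bob@corp.example", "name": "Hide IT", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to_folder": "RSS Subscriptions", "subject_contains": ["helpdesk", "mfa"]},
]

# Subject terms whose diversion would keep warnings away from the mailbox
# owner, and folders that users rarely open. Both lists are illustrative.
SENSITIVE_TERMS = {"password", "mfa", "security alert", "helpdesk", "invoice",
                   "payment", "suspicious", "sign-in"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}


def is_external(address: str) -> bool:
    domain = address.rpartition("@")[2].lower()
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def score_rule(rule: dict) -> list:
    """Return the reasons one rule looks like account-compromise tradecraft (empty if none)."""
    reasons = []
    targets = rule["forward_to"] + rule["redirect_to"]
    external = [a for a in targets if is_external(a)]
    if external:
        reasons.append("forwards/redirects to external address: " + ", ".join(external))
    if targets and rule["delete"]:
        reasons.append("forwards then deletes, hiding the copy from the mailbox owner")
    terms = {t.lower() for t in rule["subject_contains"]} & SENSITIVE_TERMS
    if terms and (rule["delete"] or rule["move_to_folder"]):
        reasons.append("diverts security-related mail matching: " + ", ".join(sorted(terms)))
    folder = (rule["move_to_folder"] or "").lower()
    if folder in HIDING_FOLDERS and rule["subject_contains"]:
        reasons.append(f"moves filtered mail into a rarely read folder: {rule['move_to_folder']}")
    if rule["name"].strip(" .-_") == "":
        reasons.append("rule name is blank or punctuation only")
    return reasons


def review_rules(rules: list) -> list:
    """Return one finding per enabled rule that has at least one reason."""
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        reasons = score_rule(rule)
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "name": rule["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(f"{finding['mailbox']}  rule {finding['name']!r}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

A rule that merely files newsletters into an RSS folder produces no finding, while a rule with a one-character name that forwards password and invoice mail off-site and deletes the original collects several reasons at once; the number of reasons is a useful first sort key when many mailboxes are reviewed after a campaign.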


Containment:

  • By examining the logs, the email security team determines which users are impacted.
  • Give the security team access to the mail header data so they can conduct additional analysis.
  • Temporarily disable the impacted mailboxes, or work with the AD team to disable the user IDs.
  • Provide any further information the security team requests.
  • If a server is the target of the attack, disconnect the compromised server and prevent it from being accessed over the network.
  • Identify the IP addresses responsible for the phishing attempt by examining firewall logs or the network team’s inputs.
  • Create a firewall rule to block traffic to and from these IP addresses at the perimeter.
  • Enable 802.1X (dot1x) in the office LAN environment to prevent unauthorized systems from connecting.
  • Keep the network devices on the most recent software version.
  • Based on the SOC team’s investigation, the antivirus team can contain the host in the environment to limit the extent of the attack.


Eradication:

  • If required, add the sender domains or IP addresses to a blacklist.
  • Update the servers with the most recent patches.
  • The network team updates the block list with the malicious IPs that started the phishing attack.
  • If the phishing attack is linked to any malware download, block the file hash at the EDR level.
  • If the system is on a Wi-Fi network, obtain its IP address and MAC address from the firewall team’s inputs, then block it in the wireless controller’s ClearPass authentication server.
  • If the user is on a wired connection, identify the switch port and block it. If the device cannot be accessed remotely, contact OSS so they can disconnect the cable between the switch port and the system.


Recovery:

  • Re-enable the impacted mailboxes once the security team has confirmed.
  • Update the desktop and laptop computers with the most recent patches.
  • Reconnect the servers to the network after running an antivirus scan on them.
  • Re-enable the user ID and reset the user’s password.
  • Maintain an updated blocklist on the firewalls.


Post-Incident:

  • Verify that every application and service on the servers is operating as it should.
  • Continue monitoring these IPs and block them right away.
  • After the incident, the antivirus team releases the host from containment to restore normal network connectivity.
  • Review the patterns in phishing email detection and work with the Microsoft team to increase the detection rate.

Expected Classification:

Depending on the account privilege, a phishing, spear phishing, or whale phishing incident would be classified differently. As a starting point, you might refer to the following table.


As incident response teams continue to fight back against sophisticated phishing attacks in the wild, organizations must have incident response playbooks that keep them secure and let them act on incidents quickly and effectively. Microsoft solutions like Office 365 provide a robust security posture by employing AI and ML algorithms to study and quarantine emails they consider phishing. Organizations can also engage third parties who diligently maintain these playbooks and keep their teams up to date on containing, preventing, and detecting cyberattacks in the wild, so that their clients operate in a secure environment. This article can be adopted by any organization that wishes to further strengthen its incident response to phishing attacks.


About Author

Ganesh Kannan
Founder & Lead Trainer

I am an enthusiastic and passionate IT leader with over two decades of rich industry experience as a senior consultant, trainer and entrepreneur. I’ve worked for large enterprises and Fortune 500 firms and successfully delivered turn-key projects. I’m well experienced in IT Program Management (PMO), Project Management, Organization Change Management (OCM) and Quality Assurance/Testing. I love mentoring aspiring and experienced IT professionals & teams from diverse backgrounds. I enjoy building and running IT teams that provide services in the areas of Digital Solutions, Quality Assurance, Test Automation and Robotic Process Automation (RPA).