conducting-phishing-incident-response


Conducting Phishing Incident Response

When to Use

  • A user reports receiving a suspicious email via the phishing report button or abuse mailbox
  • The email gateway detects a malicious email that bypassed initial filtering
  • Threat intelligence indicates an active phishing campaign targeting the organization
  • A user confirms they clicked a link or opened an attachment from a suspicious email
  • Credentials have been entered on a suspected phishing page

Do not use for business email compromise (BEC) involving compromised internal accounts; use BEC response procedures instead, which focus on account takeover investigation.

Prerequisites

  • Email security gateway with message trace and quarantine capabilities (Microsoft Defender for Office 365, Proofpoint, Mimecast)
  • Microsoft 365 admin access or Google Workspace admin for mailbox search and purge
  • Malware sandbox for attachment and URL analysis (ANY.RUN, Joe Sandbox, Hybrid Analysis)
  • Email header analysis tools (MXToolbox Header Analyzer, Google Admin Toolbox)
  • Identity provider access for account remediation (Azure AD, Okta, Duo)

First Seen: Mar 15, 2026