Cyber Defense Tactics

© 2026 Cyber Defense Tactics. All rights reserved.

A Carbene.AI Project

Level: Beginner | Free

Phishing Response Basics

Essential steps for responding to a reported phishing email, from initial triage to remediation.

30-60 min | 6 steps | 8 checklist items

Summary

A beginner-friendly guide to handling phishing reports, including email analysis, user communication, and basic remediation steps.

Step-by-Step Procedure

1. Initial Triage

Assess the reported phishing email to determine severity and scope.

Actions

  • Confirm the report came from a legitimate employee
  • Obtain the original email as an attachment (an inline forward loses the original headers)
  • Check whether the email was delivered to multiple recipients
  • Determine whether anyone clicked links or opened attachments

Tools

  • Email client
  • Ticketing system

Tips

  • Ask the reporter not to delete the email
  • Use your email security tool to search for similar messages

2. Email Analysis

Analyze the phishing email for indicators of compromise.

Actions

  • Examine the sender address and the Reply-To field
  • Analyze email headers for origin information
  • Extract URLs without clicking them
  • Identify any attachments and their file types
  • Check for urgency tactics or suspicious requests

Tools

  • Header analyzer
  • URL expander
  • VirusTotal

Tips

  • Use URL2PNG or similar to safely preview suspicious links
  • Check domains against known phishing databases
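As an added illustration of this step (example code written for this page, not part of the original playbook or of any tool it names), the script below parses a constructed sample .eml with Python's standard library, reads the From, Reply-To, Return-Path and Authentication-Results headers, extracts URLs from the body without fetching them, and flags urgency wording. Every address, domain and line of the message is made up.

```python
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish): From/Reply-To domain mismatch,
# SPF failure, urgency wording and a credential-harvesting style link.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.7) by mx.corp.example; Tue, 6 Jan 2026 09:00:00 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "IT Helpdesk" <helpdesk@corp.example>
Reply-To: helpdesk-support@corp-example-login.test
To: alice@corp.example
Subject: URGENT: password expires today
Content-Type: text/plain

Your password expires in 2 hours. Verify immediately at
https://corp-example-login.test/reset?u=alice or your account will be locked.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_WORDS = ("urgent", "immediately", "expires", "locked", "verify")


def analyze_eml(raw: bytes) -> dict:
    """Pull sender fields, auth results and URLs from a raw .eml; never fetches a URL."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else ""
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    urls = sorted(set(URL_RE.findall(body)))          # string match only, no requests
    auth = str(msg.get("Authentication-Results", ""))
    findings = []
    if reply_to and reply_to.split("@")[-1] != from_addr.split("@")[-1]:
        findings.append("Reply-To domain differs from From domain")
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("sender authentication failed (see Authentication-Results)")
    text = (str(msg["Subject"] or "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return {
        "from": from_addr,
        "reply_to": reply_to,
        "return_path": str(msg.get("Return-Path", "")).strip("<> \n"),
        "url_domains": sorted({urlparse(u).hostname for u in urls}),
        "urls": urls,
        "received_hops": len(msg.get_all("Received", [])),  # one per relay hop
        "findings": findings,
    }
```

Feed the returned url_domains and findings into the ticket for the incident; the domains are what the later containment step blocks at the gateway and proxy.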

3. Scope Assessment

Determine how many users received or interacted with the email.

Actions

  • Search email logs for the same subject/sender
  • Identify all recipients across the organization
  • Check web proxy logs for clicks to malicious URLs
  • Review authentication logs for compromised credentials

Tools

  • SIEM
  • Email gateway
  • Proxy logs

4. Containment

Stop the threat from spreading further.

Actions

  • Block the sender domain at the email gateway
  • Block malicious URLs at the proxy/firewall
  • Delete the email from all mailboxes (if possible)
  • Force password resets for users who clicked or submitted credentials

Tools

  • Email gateway admin
  • Firewall/Proxy admin
  • Identity management

5. User Communication

Inform affected users and provide guidance.

Actions

  • Notify users who received the email
  • Provide clear guidance on what to do and what not to do
  • Thank the original reporter
  • Share indicators so users can self-identify similar emails

Tips

  • Keep communication simple and non-blaming
  • Use this as a teaching moment, not punishment

6. Documentation & Lessons Learned

Document the incident and identify improvements.

Actions

  • Create an incident report with a timeline
  • Document all IOCs for future detection
  • Identify gaps in detection or training
  • Update phishing awareness training if needed

Completion Checklist

  • Original email obtained and preserved
  • All recipients identified
  • Click/interaction scope determined
  • Malicious sender/URLs blocked
  • Affected users notified
  • Credentials reset (if compromised)
  • Incident report completed
  • Detection rules updated

Evidence to Collect

  • Original phishing email (as .eml file)
  • Email headers
  • List of recipients
  • Web proxy logs showing clicks
  • Authentication logs
  • Screenshots of the phishing content

Communication Templates

  • User notification email
  • All-hands phishing alert
  • Thank you message to reporter

Related Playbooks

  • Credential Compromise
  • Malware Triage