
Phishing Incident Response Playbook: A Complete Guide

  • GK
  • 13 hours ago
  • 4 min read

Phishing continues to be the leading initial access vector in cyber attacks, targeting organisations of all sizes. Despite improved email security controls, attackers consistently succeed by exploiting user trust, identity systems, and gaps in detection.


For a Security Analyst, having a clear, structured, and technically actionable phishing incident response playbook is essential. This guide delivers a comprehensive framework covering detection, investigation, containment, eradication, and recovery—aligned with real-world tools such as Microsoft Sentinel and Microsoft Defender for Office 365.


What is a Phishing Incident Response Playbook?


A phishing incident response playbook is a standardised set of procedures used by security analysts to:


  • Detect phishing attacks quickly

  • Investigate user interaction and impact

  • Contain threats before they spread

  • Remove attacker access and persistence

  • Restore normal operations securely


It ensures consistent, repeatable, and efficient incident handling, reducing response time and limiting business impact.


Why Phishing Attacks Are Still Effective

Phishing remains successful due to a combination of human and technical factors.


Social Engineering Tactics

  • Urgency (“Immediate action required”)

  • Authority impersonation (executives, suppliers)

  • Financial or invoice-based lures


Evasion Techniques

  • Typosquatted domains

  • HTML smuggling

  • Encrypted or obfuscated attachments


Identity-Focused Attacks

Modern phishing campaigns target identity platforms like Microsoft Entra ID to:

  • Steal credentials

  • Bypass MFA

  • Hijack active sessions


Phishing Incident Response Lifecycle

A structured phishing response consists of six phases:


1. Detection & Triage

2. Investigation & Scoping

3. Containment

4. Eradication

5. Recovery

6. Post-Incident Review


Phase 1: Detection & Triage

Identify phishing emails quickly and determine whether user interaction occurred.


Detection Sources

  • Email security alerts from Microsoft Defender for Office 365

  • SIEM detections via Microsoft Sentinel

  • User-reported phishing emails

  • Threat intelligence feeds


Key Indicators of Phishing

  • Suspicious or lookalike sender domains

  • Unexpected attachments (.html, .zip, .iso)

  • Credential harvesting links

  • Urgent or financial language


During triage, determine:

  • Was the email successfully delivered?

  • Who received it?

  • Was the link clicked?

  • Was the attachment opened?

  • Were credentials entered?


KQL Detection Example

EmailEvents
| where Subject has_any ("urgent", "invoice", "payment", "action required")
// exclude the trusted domain and its subdomains only; a bare "!endswith" would also exclude lookalikes such as nottrustedcompany.com
| where SenderFromDomain != "trustedcompany.com" and SenderFromDomain !endswith ".trustedcompany.com"
// keep the delivery outcome so triage can separate delivered mail from mail that was blocked or quarantined
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation

MITRE ATT&CK Mapping https://attack.mitre.org/

  • T1566 – Phishing

  • T1566.002 – Spearphishing Link


Phase 2: Investigation & Scoping

Determine the scope of the attack and identify affected users, systems, and potential compromise.


Identify All Recipients

EmailEvents
| where NetworkMessageId == "<message_id>"
| project RecipientEmailAddress

This establishes whether the phishing attempt is targeted or widespread.


Analyse User Interaction via Link Click Activity

UrlClickEvents
| where NetworkMessageId == "<message_id>"
| project Timestamp, AccountUpn, Url

Attachment Execution

DeviceFileEvents
| where FileName endswith ".html" or FileName endswith ".zip"
// limit to newly written files so the result is not every HTML file already on disk
| where ActionType == "FileCreated"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FileName, FolderPath

Detect Credential Compromise

SigninLogs
| where TimeGenerated > ago(24h)
// ResultType is a string column in SigninLogs; "0" is a successful sign-in
| where ResultType == "0"
// Location holds ISO 3166 country codes (GB for the United Kingdom); adjust to the countries you expect
| where Location !in ("GB")
| project TimeGenerated, UserPrincipalName, Location, IPAddress, AppDisplayName, DeviceDetail

Indicators to Investigate

  • Impossible travel

  • Unusual login locations

  • New or unknown devices


Identify Persistence Mechanisms via Mailbox Rule Analysis

OfficeActivity
| where Operation in ("New-InboxRule", "Set-InboxRule")
// "has" matches whole terms, so "forward" alone would miss the ForwardTo parameter; match the real parameter names
| where Parameters has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage", "MoveToFolder")
| project TimeGenerated, UserId, Operation, Parameters

Attackers may create rules to:

  • Hide malicious emails

  • Forward communications externally

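The triage questions from Phase 1 (was it delivered, to whom, was the link clicked, did a sign-in follow) and the scoping queries in this phase can be answered in a single pass per recipient. This is an added example, not a query from the original post; it assumes Sentinel ingests the Defender XDR EmailEvents and UrlClickEvents tables alongside Entra ID SigninLogs, and <message_id> is the same NetworkMessageId placeholder used above.

```kql
// Added scoping query (not from the original post). Assumes EmailEvents, UrlClickEvents and
// SigninLogs are all available in the same Sentinel workspace. <message_id> is a placeholder.
let msgId = "<message_id>";
let lookback = 24h;
// every recipient of the message and whether it actually reached the mailbox
let recipients = EmailEvents
    | where NetworkMessageId == msgId
    | project Upn = tolower(RecipientEmailAddress), DeliveryAction, DeliveryLocation;
// who clicked, when, and which URLs
let clicks = UrlClickEvents
    | where NetworkMessageId == msgId
    | summarize ClickCount = count(), FirstClick = min(Timestamp), ClickedUrls = make_set(Url)
      by Upn = tolower(AccountUpn);
// successful sign-ins in the lookback window, grouped per user with the countries seen
let signins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SignInCount = count(), SignInCountries = make_set(Location)
      by Upn = tolower(UserPrincipalName);
recipients
| join kind=leftouter clicks on Upn
| join kind=leftouter signins on Upn
| extend ClickCount = coalesce(ClickCount, 0), SignInCount = coalesce(SignInCount, 0)
| extend CountryCount = array_length(coalesce(SignInCountries, dynamic([])))
// 3 = clicked and signed in from more than one country, 2 = clicked, 1 = delivered only, 0 = blocked/quarantined
| extend Severity = case(
    ClickCount > 0 and CountryCount > 1, 3,
    ClickCount > 0, 2,
    DeliveryAction == "Delivered", 1,
    0)
| project Upn, DeliveryAction, DeliveryLocation, ClickCount, FirstClick, ClickedUrls,
          SignInCount, SignInCountries, Severity
| order by Severity desc, FirstClick asc
```

Severity 3 rows are the accounts to secure first in Phase 3; severity 1 rows still need the purge but not a credential reset unless other evidence appears.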

MITRE ATT&CK Mapping

  • T1078 – Valid Accounts

  • T1114 – Email Collection

  • T1098 – Account Manipulation


Phase 3: Containment

Prevent further spread and stop attacker activity immediately.


Containment Actions

Remove Malicious Emails

  • Perform tenant-wide purge using Defender

  • Ensure removal across all mailboxes


Block Indicators

  • Block sender domains

  • Block malicious URLs


Secure Compromised Accounts using Microsoft Entra ID:

  • Force password resets

  • Revoke active sessions

# AzureAD module cmdlet (the module is deprecated); revokes refresh tokens so existing sessions must re-authenticate
Revoke-AzureADUserAllRefreshToken -ObjectId <user>

# Microsoft Graph PowerShell equivalent
Revoke-MgUserSignInSession -UserId <user>

Endpoint Isolation (If Required)

  • Isolate affected devices using EDR

  • Begin further investigation if malware is suspected


MITRE ATT&CK Mapping

  • T1566 – Phishing (Initial Access)

  • T1078 – Valid Accounts (Persistence)


Phase 4: Eradication

Objective: remove attacker access and eliminate persistence mechanisms.


Eradication Steps

Remove Malicious Inbox Rules

  • Delete suspicious forwarding or hidden rules


Reset Credentials

  • Enforce strong password policies

  • Require MFA re-registration


Investigate OAuth Abuse

AuditLogs
| where OperationName == "Consent to application"
// InitiatedBy shows who granted consent; TargetResources names the application and the permissions granted
| project TimeGenerated, InitiatedBy, TargetResources, Result

Attackers may abuse OAuth applications to maintain access.


Endpoint Threat Hunting

  • Perform full antivirus or EDR scans

  • Investigate potential payloads


MITRE ATT&CK Mapping

  • T1098 – Account Manipulation

  • T1059 – Command Execution


Phase 5: Recovery

Restore normal operations and confirm the environment is secure.


Recovery Actions

  • Re-enable user accounts once secured

  • Monitor authentication activity

  • Validate system integrity


User Awareness

  • Notify affected users

  • Reinforce phishing awareness

  • Encourage reporting of suspicious emails


Validation Checklist

  • No suspicious login activity

  • No malicious inbox rules

  • No further phishing emails detected


Phase 6: Post-Incident Review

Improve detection and strengthen security controls.


Lessons Learned

  • How did the phishing email bypass controls?

  • Were detection mechanisms effective?

  • Was user awareness sufficient?


Detection Improvements

  • Enhance rules in Microsoft Sentinel

  • Improve alert correlation

  • Implement domain similarity detection

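One way to implement the domain similarity detection recommended above as a Sentinel analytics query. This is an added example, not a rule from the original post; the trusted-domain list and brand token are constructed placeholders. KQL has no built-in string edit-distance function, so this covers homoglyph substitutions and brand names embedded in domains the organisation does not own; single-letter drops or transpositions are better handled with a watchlist of known lookalikes or an enrichment step outside KQL.

```kql
// Added lookalike-sender analytic (not from the original post). Assumes the EmailEvents table;
// trustedDomains and brandToken are constructed placeholders.
// List trustedDomains in folded form as well (the fold below turns 'l' into 'i', for example).
let trustedDomains = dynamic(["trustedcompany.com", "trustedcompany.co.uk"]);
let brandToken = "trustedcompany";
// character fold: 0->o, 1->i, l->i, 3->e, 5->s; the brand token gets the same fold
let brandFolded = translate("01l35", "oiies", brandToken);
EmailEvents
| where Timestamp > ago(1d)
| where DeliveryAction == "Delivered"
| extend Sender = tolower(SenderFromDomain)
// subdomains you own (mail.trustedcompany.com) should be added to trustedDomains or they will be reported
| where isnotempty(Sender) and Sender !in (trustedDomains)
// fold single-character homoglyphs, then the two-character ones (rn -> m, vv -> w)
| extend Folded = translate("01l35", "oiies", Sender)
| extend Folded = replace_string(replace_string(Folded, "rn", "m"), "vv", "w")
| extend Reason = case(
    Folded in (trustedDomains), "homoglyph of a trusted domain",
    Folded contains brandFolded, "brand token inside an unowned domain",
    "")
| where isnotempty(Reason)
| summarize Messages = count(), Recipients = dcount(RecipientEmailAddress),
            SampleSubject = take_any(Subject), FirstSeen = min(Timestamp) by Sender, Reason
| order by Messages desc
```

Run it on a day of history before saving it as an analytics rule: legitimate partners and SaaS vendors that embed your brand in their sending domain will show up and belong on an allow list.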

Security Enhancements

  • Enforce MFA organisation-wide

  • Apply Conditional Access policies

  • Enable Safe Links and Safe Attachments


Automation Opportunities

Security analysts can reduce workload and response time by automating:

  • Email purging

  • Account lockouts on suspicious activity

  • Alert enrichment with threat intelligence


Key Metrics to Track

  • Time to Detect (TTD)

  • Time to Respond (TTR)

  • Number of affected users

  • Phishing success rate


These metrics help measure and improve incident response performance.


Incident Closure Criteria

Close the incident only when:

  • All malicious emails are removed

  • All compromised accounts are secured

  • No further attacker activity is detected

  • Findings and lessons learned are documented


Best Practices for Security Analysts

  • Maintain an up-to-date phishing playbook

  • Integrate detection with SIEM and endpoint tools

  • Continuously improve detection rules

  • Promote strong user awareness


Phishing attacks are inevitable, but their impact can be significantly reduced with a structured and well-executed response.

When the playbook is integrated into platforms like Microsoft Sentinel and continuously refined, it becomes a powerful tool for defending against one of the most persistent threats in cybersecurity.



Next in the Series

  • Malware Incident Response Playbook

  • Ransomware Response Playbook

  • Account Compromise Playbook (focused on Microsoft Entra ID)


