Phishing is the most common initial access vector in enterprise breaches. Most organizations have email gateways, user training programs, and detection rules in place. And yet phishing still works — because attackers adapt faster than defenders retrain.
This runbook covers the complete phishing response process from the moment an alert fires through containment, investigation, recovery, and documentation. Every step comes from real phishing incidents handled at major Canadian financial institutions using CrowdStrike Falcon, Microsoft Defender for Office 365, and Microsoft Sentinel.
Do not click any links in the reported email to verify them. Use URLScan.io or ANY.RUN in a sandboxed environment. Do not forward the email internally. Do not contact the sender to verify. If this is a targeted attack, any of these actions tips off the attacker.
Phase 1: Detect and Validate
Phishing alerts come from multiple sources: user reports, email gateway detections, SIEM rules firing on URL clicks, or EDR alerts on post-click activity. The source matters because it changes where you start.
Step 1: Retrieve full email headers
Pull the complete email headers and check SPF, DKIM, and DMARC results. A legitimate sender almost never has a Reply-To pointing to a different domain. Look specifically for:
- Mismatch between the From display name and the actual sending address
- Reply-To pointing to a Gmail, Hotmail, or other free provider
- DMARC fail or soft fail on a domain that should be passing
- Sending IP that does not match the domain's SPF record
Step 2: Analyze URLs and attachments safely
Extract all URLs and file hashes without clicking. Submit to URLScan.io and VirusTotal. For attachments, upload to ANY.RUN for sandbox detonation. You are looking for:
- Credential harvesting pages mimicking your organization's login portal
- Redirectors that serve different content to sandbox IPs vs real users
- Macros or scripts embedded in Office documents
- ISO or ZIP files containing executables (common phishing delivery method)
Step 3: Determine blast radius
Search your email platform for the sender domain, subject line, and embedded URLs across all mailboxes. You need to know how many people received this before you can scope containment. In Microsoft 365, use Threat Explorer in the Defender portal.
Step 4: Check for clicks
Check email gateway click tracking, web proxy logs, and your EDR for process creation events in the window after the email was received. This tells you whether you have a contained detection or an active execution.
Severity scoring
- P1: Credentials entered on a phishing page, or payload executed on endpoint
- P2: Link clicked, no confirmed credential entry or execution
- P3: Email received and reported, no clicks confirmed
Phase 2: Contain
- Block the sender domain and sending IP at your email gateway for all users
- Block the malicious URL or domain at your web proxy and DNS filter
- If anyone clicked: isolate the endpoint through CrowdStrike Network Isolation immediately
- Quarantine the email from all mailboxes using the Defender portal soft delete
- If credentials may have been entered: force password reset and revoke all sessions in Entra ID now — do not wait for confirmation
- Disable any inbox forwarding rules on the affected account
Attackers configure inbox forwarding rules within minutes of a successful credential phish. They forward to an external Gmail or Hotmail address and the victim never notices. Check before you re-enable the account.
Containment steps like these, tuned for new attack patterns, show up every Tuesday in the Intelligence Pack.
Join — $14.99/moPhase 3: Investigate
On any isolated endpoint, pull the process tree for the 30 minutes following the email open. Use this CrowdStrike LogScale query to find post-click process execution:
#event_simpleName=ProcessRollup2
ComputerName=AFFECTED_HOSTNAME
ParentBaseFileName IN ("WINWORD.EXE","EXCEL.EXE","OUTLOOK.EXE",
"chrome.exe","msedge.exe","firefox.exe")
| table @timestamp ComputerName UserName ImageFileName CommandLine ParentBaseFileName
| "sort" @timestamp desc
Beyond the process tree, investigate these areas:
Azure sign-in logs
Check for successful authentications from new countries or IP addresses in the 72 hours after the phishing email was received. Impossible travel — a sign-in from Canada followed 20 minutes later by a sign-in from Eastern Europe — confirms credential theft.
OAuth application grants
Attackers increasingly use phishing to steal OAuth tokens rather than passwords. Check for new application consent grants made under the affected identity in the past 30 days. A third-party app with Mail.Read and Files.ReadWrite permissions granted by a user who does not remember doing it is a confirmed attack.
Scheduled tasks and registry run keys
Check for new scheduled tasks (EventCode 4698) and new registry persistence mechanisms on any endpoint involved. These are planted immediately after initial access to survive reboots.
Communication Scripts
Use these templates verbatim or adapt to your organization's tone. The goal is to communicate clearly without creating panic or tipping off the attacker if this is a targeted campaign.
Hi [Name], we received your report and have secured the email. Do not attempt to access it. If you clicked any links or entered your password, please call the security team directly at [NUMBER] right now. We are handling this and will follow up with you shortly.
A phishing email targeting [user or team] was identified at [TIME]. The email has been quarantined from all mailboxes and the affected account has been secured. Investigation is ongoing. No confirmed data access at this time. Next update in [X] hours.
We are investigating a phishing incident involving [user or account]. Based on that account's access level, there is potential exposure of [data type]. We are assessing scope now and will provide a full impact assessment within [TIMEFRAME]. Your guidance on notification obligations is requested.
Phase 4: Eradicate and Recover
- If any payload executed: reimage the machine from a clean baseline — do not attempt to clean in place
- Re-enable the account only after password reset, MFA re-enrollment, and session revocation are all confirmed
- Submit IOCs to your threat intel platform and email gateway vendor
- Require the affected user to complete phishing awareness training before returning to full access
- Review email gateway rules and tighten any gaps this phish exploited
- Document the full timeline in your incident management system
Production detection rule, real incident case study, hunt hypothesis with query, and a career tip, every Tuesday. Plus monthly Office Hours, private Discord, and a growing detection archive. First 25 subscribers lock in $14.99/month for life.
Join Intelligence Pack — $14.99/month IR Runbook Bundle — $49Cancel anytime. 30-day money back guarantee.