Phishing is the most common initial access vector in enterprise breaches. Most organizations have email gateways, user training programs, and detection rules in place. And yet phishing still works — because attackers adapt faster than defenders retrain.

This runbook covers the complete phishing response process from the moment an alert fires through containment, investigation, recovery, and documentation. Every step comes from real phishing incidents handled at major Canadian financial institutions using CrowdStrike Falcon, Microsoft Defender for Office 365, and Microsoft Sentinel.

Before You Start

Do not click any links in the reported email to verify them. Use URLScan.io or ANY.RUN in a sandboxed environment. Do not forward the email internally. Do not contact the sender to verify. If this is a targeted attack, any of these actions tips off the attacker.

Phase 1: Detect and Validate

Phase 1
Detect and Validate
First 15 minutes — Confirm the alert before touching anything

Phishing alerts come from multiple sources: user reports, email gateway detections, SIEM rules firing on URL clicks, or EDR alerts on post-click activity. The source matters because it changes where you start.

Step 1: Retrieve full email headers

Pull the complete email headers and check SPF, DKIM, and DMARC results. A legitimate sender almost never has a Reply-To pointing to a different domain. Look specifically for:

Step 2: Analyze URLs and attachments safely

Extract all URLs and file hashes without clicking. Submit to URLScan.io and VirusTotal. For attachments, upload to ANY.RUN for sandbox detonation. You are looking for:

Step 3: Determine blast radius

Search your email platform for the sender domain, subject line, and embedded URLs across all mailboxes. You need to know how many people received this before you can scope containment. In Microsoft 365, use Threat Explorer in the Defender portal.

Step 4: Check for clicks

Check email gateway click tracking, web proxy logs, and your EDR for process creation events in the window after the email was received. This tells you whether you have a contained detection or an active execution.

Severity scoring

Phase 2: Contain

Phase 2
Contain
Minutes 15 to 45 — Stop the spread before you investigate the depth
  1. Block the sender domain and sending IP at your email gateway for all users
  2. Block the malicious URL or domain at your web proxy and DNS filter
  3. If anyone clicked: isolate the endpoint through CrowdStrike Network Isolation immediately
  4. Quarantine the email from all mailboxes using the Defender portal soft delete
  5. If credentials may have been entered: force password reset and revoke all sessions in Entra ID now — do not wait for confirmation
  6. Disable any inbox forwarding rules on the affected account
Forwarding Rules

Attackers configure inbox forwarding rules within minutes of a successful credential phish. They forward to an external Gmail or Hotmail address and the victim never notices. Check before you re-enable the account.

Containment steps like these, tuned for new attack patterns, show up every Tuesday in the Intelligence Pack.

Join — $14.99/mo

Phase 3: Investigate

Phase 3
Investigate
Build the full picture before you close anything

On any isolated endpoint, pull the process tree for the 30 minutes following the email open. Use this CrowdStrike LogScale query to find post-click process execution:

#event_simpleName=ProcessRollup2
ComputerName=AFFECTED_HOSTNAME
ParentBaseFileName IN ("WINWORD.EXE","EXCEL.EXE","OUTLOOK.EXE",
  "chrome.exe","msedge.exe","firefox.exe")
| table @timestamp ComputerName UserName ImageFileName CommandLine ParentBaseFileName
| "sort" @timestamp desc

Beyond the process tree, investigate these areas:

Azure sign-in logs

Check for successful authentications from new countries or IP addresses in the 72 hours after the phishing email was received. Impossible travel — a sign-in from Canada followed 20 minutes later by a sign-in from Eastern Europe — confirms credential theft.

OAuth application grants

Attackers increasingly use phishing to steal OAuth tokens rather than passwords. Check for new application consent grants made under the affected identity in the past 30 days. A third-party app with Mail.Read and Files.ReadWrite permissions granted by a user who does not remember doing it is a confirmed attack.

Scheduled tasks and registry run keys

Check for new scheduled tasks (EventCode 4698) and new registry persistence mechanisms on any endpoint involved. These are planted immediately after initial access to survive reboots.

Communication Scripts

Use these templates verbatim or adapt to your organization's tone. The goal is to communicate clearly without creating panic or tipping off the attacker if this is a targeted campaign.

TO: Affected User (immediate)

Hi [Name], we received your report and have secured the email. Do not attempt to access it. If you clicked any links or entered your password, please call the security team directly at [NUMBER] right now. We are handling this and will follow up with you shortly.

TO: Management (if credentials confirmed compromised)

A phishing email targeting [user or team] was identified at [TIME]. The email has been quarantined from all mailboxes and the affected account has been secured. Investigation is ongoing. No confirmed data access at this time. Next update in [X] hours.

TO: Legal and Privacy (if PII may be involved)

We are investigating a phishing incident involving [user or account]. Based on that account's access level, there is potential exposure of [data type]. We are assessing scope now and will provide a full impact assessment within [TIMEFRAME]. Your guidance on notification obligations is requested.

Phase 4: Eradicate and Recover

Phase 4
Eradicate and Recover
Return the environment to a known good state
  1. If any payload executed: reimage the machine from a clean baseline — do not attempt to clean in place
  2. Re-enable the account only after password reset, MFA re-enrollment, and session revocation are all confirmed
  3. Submit IOCs to your threat intel platform and email gateway vendor
  4. Require the affected user to complete phishing awareness training before returning to full access
  5. Review email gateway rules and tighten any gaps this phish exploited
  6. Document the full timeline in your incident management system
Intelligence Pack
A new incident case study like this every Tuesday

Production detection rule, real incident case study, hunt hypothesis with query, and a career tip, every Tuesday. Plus monthly Office Hours, private Discord, and a growing detection archive. First 25 subscribers lock in $14.99/month for life.

Join Intelligence Pack — $14.99/month IR Runbook Bundle — $49

Cancel anytime. 30-day money back guarantee.