A practical guide to phishing incident response

phishing incident response
A practical guide to phishing incident response
Summary

That’s the moment every organisation dreads. The email looked legitimate. The sender appeared familiar. The document request seemed routine. Then someone reports a problem. Perhaps an employee says they entered their credentials into a suspicious website. Perhaps a customer calls to verify an unexpected document-sharing invitation. Perhaps the IT team notices unusual authentication activity in Microsoft 365.

Regardless of how the incident is discovered, one reality remains: the attack is no longer a phishing attempt. It is now a security incident. At this stage, the issue is how quickly the organization can determine what happened and limit the damage.

The first few hours often determine whether the incident remains a manageable event or develops into a much larger compromise.

The first rule: do not panic

One of the most common mistakes during a phishing incident is acting before understanding the situation. Panic leads to poor decisions.

Employees begin deleting emailsUsers attempt to clean up systems themselves. Managers make assumptions before evidence is collected. Critical information is often lost.

A successful response begins with a simple objective: preserve information while containing riskInvestigators need evidence to determine what happened, when it happened, and who may have been affected.

Incident response: the first 15 minutes

The initial response should focus on immediate containment. In the first 15 minutes, try to answer the following questions: who received the email? Who clicked the link? Who entered credentials? What systems were involved? Is the attack still active?

At this stage, organizations should begin preserving:

These artefacts may later prove critical to understanding the attack. If a user entered credentials into a suspicious website, the affected account should be treated as compromised until proven otherwise.

Immediate account protection

For potentially compromised accounts, organizations should immediately:

Many attackers move quickly after obtaining credentials. Delaying containment gives them additional opportunities to establish persistence within the environment

It is important to remember that changing a password alone may not be sufficient. Modern cloud environments frequently issue authentication tokens that remain valid even after credentials are changed.

Revoking active sessions is therefore an essential step.

The first hour: establishing scope

Once immediate containment actions are underway, attention should shift toward understanding the scope of the incident. Investigators should determine:

This phase often reveals that the incident is larger than initially believed. In many business environments, attackers deliberately target trust relationships that extend beyond the organization itself. Customers, suppliers, contractors, and business partners may all become secondary victims.

Investigating Microsoft 365 activity

If Microsoft 365 accounts may have been compromised, several areas deserve immediate attention.

Authentication logs

Review: 

Investigators should look for activity that differs from the user’s normal patterns.

Mailbox rules

Examine mailbox configurations for: 

Attackers frequently create rules that allow them to monitor communications without attracting attention.

Consent grants

Review recently approved applications and delegated permissions. OAuth abuse has become increasingly common because it allows attackers to maintain access without continuously stealing passwords.

Unexpected application permissions should always be investigated.

The first 24 hours: determine exposure

Once immediate threats have been contained, organizations must begin answering more difficult questions. What information was exposed?

Potential areas of concern include:

The objective is determining what was actually accessed. This becomes particularly important when considering legal obligations, regulatory requirements, and customer notifications.

Communicating internally

Communication during an incident requires balance. Employees need accurate information without unnecessary speculation. Organizations should:

What should be avoided is blame. Employees who fear punishment often delay reporting. Delayed reporting frequently allows attackers additional time to operate undetected. The organization benefits far more from rapid reporting than from assigning fault.

Communicating externally

One of the most challenging aspects of phishing incidents involves external stakeholders. Questions may include:

Premature communication can create confusion. Delayed communication can damage trust. The best approach is typically evidence-driven communication based on verified facts. Organizations should avoid assumptions and focus on confirmed findings.

Transparency supported by evidence is generally more effective than speculation.

The first 72 hours: move from containment to investigation

By this stage, immediate threats should be under control. The focus shifts from response to investigation. Key questions include:

These questions often require deeper analysis than most organizations can perform internally. This is where incident response specialists, digital investigators, and OSINT analysts frequently become involved.

The goal is to understand the threat.

The hidden cost of incomplete investigation

Many organizations stop investigating once passwords have been reset and systems appear normal. This approach creates risk. Without understanding the full scope of an incident, organizations may miss:

An incomplete investigation can leave organizations vulnerable to subsequent attacks from the same threat actor.

Effective investigations identify not only what happened, but also how similar incidents can be prevented in the future.

Where external investigation services add value

Containment is only one component of incident response. Organizations also benefit from understanding:

Cybersecurity investigation and OSINT services can help organizations reconstruct events, assess exposure, identify affected parties, and develop a clearer understanding of attacker methodology. 

This broader perspective often reveals risks that technical remediation alone does not address.

Lessons learned before the next incident

Every phishing incident provides an opportunity to strengthen security posture. Organizations should use incidents to evaluate security awareness programs, reporting procedures, authentication controls, logging and monitoring capabilities, incident response plan, and third-party management. 

The objective is becoming more resilient with each event. Organizations that learn from incidents recover faster, respond more effectively, and reduce future risk.

What's next?

Phishing attacks rarely begin with sophisticated hacking techniques. They begin with information. Attackers study organizations, employees, customers, and vendors long before the first email is sent.

In the next article, we will examine the reconnaissance phase of modern phishing campaigns and explore how attackers use publicly available information to identify targets, map relationships, and build highly convincing attacks.

Understanding what attackers know about your organization may be one of the most important steps toward preventing future incidents.

Share this post :