Phishing Campaign Response
A phishing campaign is a coordinated attempt to deceive users into revealing credentials, installing malware, or taking harmful actions through fraudulent communications. This playbook guides the response when phishing targets your organisation, covering detection, containment, user identification, and campaign disruption. Individual account compromises resulting from successful phishing attacks are handled through the Account Compromise playbook once this playbook identifies affected users.
Activation criteria
Invoke this playbook when any of the following conditions occur:
| Trigger | Threshold | Source |
|---|---|---|
| User reports | Single credible report of suspicious message | Help desk, direct report, abuse mailbox |
| Security tool detection | Email security flags message as phishing with high confidence (score above 80) | Email gateway, Microsoft Defender, Google Workspace alerts |
| Multiple recipients | Same suspicious message reaches 3 or more users | Log analysis, user reports |
| Credential submission detected | User enters credentials on suspicious site | Browser isolation logs, endpoint detection, user admission |
| External notification | Partner, vendor, or security researcher reports campaign | Email, phone, security mailing list |
| Brand impersonation discovered | Fraudulent site or email impersonates organisation | External monitoring, user report, third-party notification |
A single credible user report constitutes sufficient grounds for activation. Do not wait for multiple reports or tool confirmation before beginning Phase 1.
Roles
| Role | Responsibility | Typical assignee | Backup |
|---|---|---|---|
| Incident commander | Coordinates response, makes escalation decisions, manages communications | IT Manager or Security Lead | Senior IT staff member |
| Technical lead | Analyses messages, identifies affected users, implements blocks | Systems Administrator or Security Analyst | IT support with email admin access |
| Communications lead | Drafts user notifications, coordinates awareness messaging | IT Manager or Communications staff | HR representative |
| Help desk coordinator | Manages user reports, tracks password resets, provides user support | Help Desk Lead | Available help desk staff |
For organisations with limited IT capacity, a single person may hold multiple roles. The incident commander and technical lead roles combine naturally. Separate the communications lead function to ensure user messaging receives dedicated attention.
Phase 1: Initial triage
Objective: Determine whether the report represents a genuine phishing attempt and assess immediate risk.
Timeframe: Complete within 30 minutes of initial report.
Obtain the suspicious message. Request the user forward the message as an attachment (not inline) to preserve headers. In Microsoft 365, users select the message and choose “Forward as attachment” or use the Report Message add-in. In Google Workspace, users select “Show original” and save the .eml file.
If the user deleted the message, retrieve it from quarantine or mail logs:
# Microsoft 365: Search for message in quarantine Get-QuarantineMessage -SenderAddress "suspicious@example.com" -StartReceivedDate (Get-Date).AddDays(-7)
# Microsoft 365: Search message trace Get-MessageTrace -SenderAddress "suspicious@example.com" -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) # Google Workspace: Use Admin Console > Reports > Email Log Search # Or via API: gam report email sender suspicious@example.com start -7d- Analyse message headers to identify the true sender. Extract the following fields:
Return-Path: <actual-sending-address@attacker-domain.com> Received: from mail-server.attacker-infrastructure.com (192.0.2.50) From: "Trusted Name" <spoofed@legitimate-looking.com> Reply-To: credential-harvest@attacker-domain.com X-Originating-IP: [192.0.2.50] Authentication-Results: spf=fail; dkim=fail; dmarc=failKey indicators of phishing:
- Return-Path differs from displayed From address
- Authentication failures (SPF, DKIM, DMARC)
- Received headers show unfamiliar infrastructure
- Reply-To redirects to different domain than From address
Examine the message content for phishing indicators:
- Urgency language (“immediate action required”, “account suspended”)
- Generic greeting instead of recipient’s name
- Grammar and spelling errors inconsistent with purported sender
- Request for credentials, payment, or sensitive information
- Mismatched or obfuscated URLs (hover to reveal true destination)
- Unexpected attachments, particularly Office documents with macros or executables
Assess the payload. If the message contains links:
# Extract URLs without clicking grep -oP 'https?://[^\s<>"]+' message.eml
# Check URL reputation (use sandbox or isolated browser) # VirusTotal API example: curl --request POST \ --url https://www.virustotal.com/api/v3/urls \ --header 'x-apikey: YOUR_API_KEY' \ --form url="https://suspicious-url.example.com/login"If the message contains attachments, do not open them on production systems. Submit to sandbox analysis or examine metadata only:
# Extract attachment without executing munpack message.eml
# Check file hash against known malware sha256sum suspicious_attachment.docx # Compare hash to VirusTotal or internal threat intelligenceMake the triage decision based on your analysis:
- Confirmed phishing: Message exhibits multiple phishing indicators, authentication failures, or known malicious payload. Proceed to Phase 2.
- Suspicious, requires further analysis: Some indicators present but not conclusive. Proceed to Phase 2 with lower urgency.
- Legitimate message: No phishing indicators, authentication passes, sender verified. Close the report and thank the reporting user.
- Spam but not phishing: Unsolicited but not attempting credential theft or malware delivery. Handle through normal spam procedures.
Decision point: If triage confirms phishing or suspicious activity, proceed immediately to Phase 2. Do not delay containment while completing detailed analysis.
Checkpoint: Before proceeding, you have: (1) the original message preserved, (2) a preliminary classification, (3) identified payload type (link, attachment, or social engineering only).
+------------------+ | Message | | Reported | +--------+---------+ | +--------v---------+ | Obtain original | | message with | | headers | +--------+---------+ | +--------v---------+ | Analyse headers | | and content | +--------+---------+ | +--------------------+--------------------+ | | | v v v +--------+--------+ +--------+--------+ +--------+--------+ | Authentication | | Content | | Payload | | results | | indicators | | analysis | | SPF/DKIM/DMARC | | Urgency, links | | URLs, files | +--------+--------+ +--------+--------+ +--------+--------+ | | | +--------------------+--------------------+ | +--------v---------+ | Classification | | decision | +--------+---------+ | +-------------+---------------+---------------+-------------+ | | | | | v v v v v +-----+-----+ +-----+-----+ +-------+-------+ +-----+-----+ +-----+-----+ | Confirmed | | Suspicious| | Legitimate | | Spam | | Cannot | | phishing | | needs | | message | | not | | determine | | | | analysis | | | | phishing | | | +-----+-----+ +-----+-----+ +-------+-------+ +-----+-----+ +-----+-----+ | | | | | v v v v v Phase 2 Phase 2 Close Spam Escalate (urgent) (standard) report process to securityFigure 1: Phishing triage decision flow
Phase 2: Containment
Objective: Prevent additional users from falling victim and stop ongoing credential harvesting.
Timeframe: Complete within 1 hour of confirmed phishing.
- Block the sender at the email gateway. Create a transport rule or block entry:
# Microsoft 365: Block sender domain New-TransportRule -Name "Block Phishing Campaign $(Get-Date -Format 'yyyyMMdd-HHmm')" ` -SenderDomainIs "attacker-domain.com" ` -DeleteMessage $true ` -Comments "Phishing campaign block - Incident INC-2024-0142"
# Microsoft 365: Block specific sender Set-HostedContentFilterPolicy -Identity Default ` -BlockedSenders @{Add="phishing@attacker-domain.com"} # Google Workspace: Add to blocked senders list # Admin Console > Apps > Google Workspace > Gmail > Spam, Phishing and Malware # Or via GAM: gam create blockedsender email phishing@attacker-domain.com- Quarantine or delete existing copies of the phishing message from all mailboxes:
# Microsoft 365: Search and purge # First, create compliance search New-ComplianceSearch -Name "Phishing Purge $(Get-Date -Format 'yyyyMMdd')" ` -ExchangeLocation All ` -ContentMatchQuery 'from:phishing@attacker-domain.com AND subject:"Urgent: Verify your account"'
# Start the search Start-ComplianceSearch -Identity "Phishing Purge $(Get-Date -Format 'yyyyMMdd')"
# After search completes, purge messages (soft delete allows recovery) New-ComplianceSearchAction -SearchName "Phishing Purge $(Get-Date -Format 'yyyyMMdd')" ` -Purge -PurgeType SoftDelete # Google Workspace: Use Security Investigation Tool # Admin Console > Security > Investigation tool # Search by sender, subject, or message ID # Select affected messages > Delete permanently or Move to spamPurge scope
Verify search results before purging. An overly broad query can delete legitimate messages. Preview results and confirm message count matches expectations.
- Block malicious URLs at the web proxy, firewall, or DNS level:
# Add to proxy blocklist (Squid example) echo "attacker-credential-site.com" >> /etc/squid/blocked_domains.txt squid -k reconfigure
# DNS sinkhole (Pi-hole/dnsmasq example) echo "0.0.0.0 attacker-credential-site.com" >> /etc/pihole/custom.list pihole restartdns
# Cloud DNS filtering (Cloudflare Gateway example via API) curl -X POST "https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/rules" \ -H "Authorization: Bearer {api_token}" \ -H "Content-Type: application/json" \ --data '{ "name": "Block phishing domain", "conditions": [{"type": "domain", "value": "attacker-credential-site.com"}], "action": "block", "enabled": true }'- If the phishing message contained attachments, block the file hash:
# Microsoft Defender for Endpoint: Block file hash Add-MpPreference -ThreatIDDefaultAction_Ids "2147519003" ` -ThreatIDDefaultAction_Actions "6"
# Or via Security Center: Settings > Endpoints > Indicators > Add indicator # Type: File hash, Action: Block and remediate- Review authentication logs for the phishing domain to identify users who may have entered credentials:
# Microsoft 365: Search sign-in logs for suspicious activity Get-AzureADAuditSignInLogs -Filter "createdDateTime ge $(Get-Date (Get-Date).AddHours(-24) -Format 'yyyy-MM-ddTHH:mm:ssZ')" | Where-Object { $_.RiskState -eq "atRisk" -or $_.IpAddress -like "192.0.2.*" } # Google Workspace: Check for suspicious logins gam report login user all start -24h filter "event_name==login_failure,login_success"- Document all containment actions in the incident record, including timestamps, specific rules created, and scope of message purge.
Decision point: If containment reveals widespread credential compromise (more than 10 users clicked or submitted credentials), escalate to the Account Compromise playbook for bulk credential reset and session revocation.
Checkpoint: Before proceeding, you have: (1) sender blocked, (2) existing messages purged, (3) malicious URLs blocked, (4) preliminary list of potentially affected users.
Phase 3: Impact assessment
Objective: Determine who received the message, who interacted with it, and who may have compromised credentials.
Timeframe: Complete within 4 hours of containment.
- Generate the complete recipient list. Query mail logs for all recipients of the phishing message:
# Microsoft 365: Get all recipients Get-MessageTrace -SenderAddress "phishing@attacker-domain.com" ` -StartDate (Get-Date).AddDays(-7) ` -EndDate (Get-Date) | Select-Object RecipientAddress, Received, Status | Export-Csv -Path "phishing_recipients.csv" -NoTypeInformation # Google Workspace: Export recipient list gam report email sender phishing@attacker-domain.com start -7d > phishing_recipients.csv- Identify users who clicked links. Check proxy logs, endpoint detection logs, and URL click tracking:
# Proxy log search (Squid access.log example) grep "attacker-credential-site.com" /var/log/squid/access.log | awk '{print $3, $7}' | sort -u
# Output format: client_ip requested_url # Microsoft 365 Safe Links: Get click data Get-SafeLinksAggregateReport -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) | Where-Object { $_.Url -like "*attacker-credential-site*" }Determine who submitted credentials. This requires correlation of multiple data sources:
- Users who clicked the link AND subsequently had password reset (indicating they realised the error)
- Users who clicked the link AND had failed MFA challenges (attacker attempting to use stolen credentials)
- Users who clicked the link AND reported credential submission
- Users whose accounts show sign-ins from unusual locations following the click
Categorise affected users:
Category Definition Count Action required Received only Message delivered, no evidence of interaction [n] Awareness communication Clicked link Visited phishing URL, no credential submission evidence [n] Direct outreach, monitor account Credentials compromised Evidence of credential submission or confirmed by user [n] Password reset, session revocation, handoff to Account Compromise Unknown interaction Received message, cannot confirm whether clicked [n] Direct outreach to determine status For users in the “Credentials compromised” category, initiate the account compromise response:
- Force immediate password reset
- Revoke all active sessions
- Re-enroll MFA if push-based (attacker may have approved MFA prompt)
- Review account activity for signs of compromise
Hand these users off to the Account Compromise playbook for complete response.
Document the impact assessment findings. Record total recipients, breakdown by category, and any data exposure concerns.
+------------------------------------------------------------------+| USER IMPACT ASSESSMENT |+------------------------------------------------------------------+| || +------------------+ || | Total recipients | || | (from mail logs) | || +--------+---------+ || | || v || +--------+---------+ +------------------+ || | Message opened? +---->| Received only | || | (if tracking | No | - Send awareness | || | available) | | - No action req | || +--------+---------+ +------------------+ || | Yes || v || +--------+---------+ +------------------+ || | Link clicked? +---->| Opened only | || | (proxy/EDR logs) | No | - Send awareness | || +--------+---------+ | - Monitor 7 days | || | Yes +------------------+ || v || +--------+---------+ +------------------+ || | Credentials +---->| Clicked only | || | submitted? | No | - Direct contact | || | (user report, | | - Monitor 14 days| || | login anomaly) | +------------------+ || | Yes || v || +------------------+ || | Compromised | || | - Password reset | || | - Session revoke | || | - MFA re-enroll | || | - Account Compro-| || | mise playbook | || +------------------+ || |+------------------------------------------------------------------+Figure 2: User impact assessment decision tree
Checkpoint: Before proceeding, you have: (1) complete recipient list, (2) users categorised by exposure level, (3) compromised accounts handed off for response.
Phase 4: Campaign analysis
Objective: Understand the campaign’s scope, sophistication, and targeting to inform communications and future defences.
Timeframe: Complete within 24 hours, in parallel with ongoing response.
Determine whether the campaign is targeted or opportunistic:
Targeted indicators:
- Recipients share a role, department, or project
- Message references organisation-specific information
- Sender impersonates known individual (executive, partner, vendor)
- Phishing domain mimics organisation’s domain (typosquatting)
- Campaign coincides with known organisational activity (funding round, audit)
Opportunistic indicators:
- Recipients appear random across organisation
- Generic message content (shipping notification, password expiry)
- Known mass campaign (matches threat intelligence reports)
- Phishing infrastructure reused across many organisations
Analyse the phishing infrastructure:
# WHOIS lookup for phishing domain whois attacker-credential-site.com
# Check domain age (recently registered domains are suspicious) # Creation Date: 2024-01-10 (registered 3 days before campaign)
# DNS records dig attacker-credential-site.com ANY
# Hosting information curl -I https://attacker-credential-site.com # Server header reveals hosting provider
# SSL certificate details echo | openssl s_client -connect attacker-credential-site.com:443 2>/dev/null | openssl x509 -noout -textCheck threat intelligence sources for campaign indicators:
- Search phishing domain in VirusTotal, URLScan.io, PhishTank
- Check sender IP against threat feeds
- Search file hashes (if attachments) in malware databases
- Query industry ISACs if available
- Check public breach notification databases for related campaigns
Document campaign characteristics for the incident report:
Attribute Finding Campaign type Targeted / Opportunistic Targeting criteria [Department, role, or random] Impersonation [Who or what was impersonated] Payload type [Credential harvesting / Malware / BEC] Infrastructure age [Domain registration date] Known campaign [Yes/No, reference if known] Sophistication level [Low / Medium / High] Assess whether additional campaigns may follow. Targeted attacks often involve multiple attempts using varied approaches. Increase monitoring for:
- Similar domains (typosquatting variations)
- Messages from related infrastructure
- Spear-phishing of users who didn’t fall for the first attempt
+---------------------------+ | Campaign Analysis | +-------------+-------------+ | +---------------------+---------------------+ | | v v +--------+---------+ +---------+--------+ | Targeting | | Infrastructure | | Assessment | | Analysis | +--------+---------+ +---------+--------+ | | +--------v---------+ +---------v--------+ | Who received? | | Domain age? | | Pattern in roles?| | Hosting provider?| | Org-specific | | SSL certificate? | | content? | | Related domains? | +--------+---------+ +---------+--------+ | | +---------------------+---------------------+ | +-------------v-------------+ | Classification | +-------------+-------------+ | +------------------------+------------------------+ | | | v v v+--------+--------+ +--------+--------+ +--------+--------+| Targeted | | Semi-targeted | | Opportunistic || High priority | | Medium priority | | Standard || Exec briefing | | Department | | All-staff || Consider IR | | notification | | awareness || escalation | | | | |+-----------------+ +-----------------+ +-----------------+Figure 3: Campaign analysis decision tree
Phase 5: External reporting
Objective: Report the phishing infrastructure to relevant parties for takedown and broader protection.
Timeframe: Complete within 48 hours.
Report the phishing URL to browser safe browsing services:
- Google Safe Browsing: https://safebrowsing.google.com/safebrowsing/report_phish/
- Microsoft SmartScreen: https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site
- PhishTank: https://phishtank.org/add_web_phish.php
Report to the hosting provider. Identify the host from WHOIS or IP lookup and submit abuse report:
# Find abuse contact whois attacker-credential-site.com | grep -i abuse # Or check hosting provider's abuse pageInclude in the report:
- Phishing URL(s)
- Screenshot of phishing page
- Copy of phishing email with headers
- Date and time of campaign
- Your organisation’s contact information
Report to the impersonated organisation (if applicable). If the phishing impersonates a vendor, partner, or well-known brand:
- Contact their security team directly
- Use their published abuse reporting mechanism
- Include evidence of the impersonation
Report to domain registrar for domain takedown. Most registrars have abuse policies against phishing:
# Find registrar from WHOIS whois attacker-credential-site.com | grep -i registrarConsider law enforcement reporting for severe or persistent campaigns:
- UK: Action Fraud (actionfraud.police.uk) for campaigns targeting UK organisations
- US: FBI IC3 (ic3.gov) for campaigns involving US entities
- National CERT for your operating jurisdiction
Law enforcement reporting is most valuable for targeted campaigns causing significant harm. Generic opportunistic phishing rarely warrants law enforcement involvement.
If your organisation participates in information sharing communities (ISACs, threat intelligence sharing groups), submit indicators of compromise:
- Sender addresses and domains
- Phishing URLs
- File hashes
- IP addresses
- Email subject lines
Phase 6: User communication
Objective: Inform affected users appropriately without creating panic or shame.
Timeframe: Initial communication within 4 hours of containment; follow-up within 24 hours.
Send immediate notification to users who clicked the phishing link or submitted credentials. Contact these users directly by phone or instant message before sending email notification.
Send organisation-wide awareness notification after containment is complete. Do not send this while phishing messages remain in mailboxes.
Frame communications constructively:
Do:
- Thank users who reported the phishing attempt
- Provide clear indicators to help identify the message
- Give specific actions for anyone who interacted with the message
- Reinforce that reporting is valued and expected
Do not:
- Name or shame individuals who fell for the phishing
- Use language that blames users (“if you were foolish enough to click”)
- Create panic about potential consequences
- Provide unnecessary technical details that confuse non-technical staff
Track password resets and user acknowledgments to ensure compromised users complete required actions.
Reporting culture
Users who report phishing are your most effective defence. Each communication should reinforce that reporting suspicious messages is expected, valued, and safe. Never create the impression that reporting leads to trouble.
Communications
| Stakeholder | Timing | Channel | Message owner | Template |
|---|---|---|---|---|
| Users who submitted credentials | Immediately upon identification | Phone call followed by email | Help desk coordinator | Direct contact template |
| Users who clicked link | Within 2 hours | Help desk coordinator | Click notification template | |
| All staff | After containment complete | Communications lead | Awareness template | |
| IT leadership | Within 1 hour | Direct message or call | Incident commander | Verbal briefing |
| Executive leadership | Within 4 hours if targeted or significant | Email with verbal briefing | Incident commander | Executive summary template |
| External parties (donors, partners) | Only if their data potentially affected | Communications lead | With legal review |
Communication templates
Direct contact for credential submission:
Subject: Urgent: Your account security
[Name],
Our security team identified that you may have entered your password on afraudulent website earlier today. This was part of a phishing campaigntargeting our organisation.
Your account has been secured, but we need you to complete these steps:
1. Your password has been reset. Use the "Forgot Password" link to create a new password.2. When you receive MFA prompts to re-enroll, please complete the enrollment.3. Reply to confirm you have completed these steps.
You are not in trouble. Phishing attacks are sophisticated and designed tofool people. You did the right thing by working with us to secure your account.
If you notice any unusual activity in your account, contact the help deskimmediately at [contact].
Thank you for your cooperation.
[IT Security Team]All-staff awareness notification:
Subject: Security Notice: Phishing attempt blocked
Team,
Today we detected and blocked a phishing campaign targeting our organisation.Our security systems have removed the malicious messages and blocked thefraudulent website.
HOW TO IDENTIFY THIS PHISHING ATTEMPT:- Subject line: "[Subject from actual phishing]"- Appeared to come from: [Apparent sender]- Requested: [What the phishing asked users to do]
IF YOU RECEIVED THIS MESSAGE:If you did NOT click any links or enter your password: No action needed.The message has been removed.
If you DID click the link or enter your password: Contact the help deskimmediately at [contact]. We will help you secure your account. You arenot in trouble - we need to ensure your account is protected.
THANK YOU to the staff members who reported this suspicious message. Yourvigilance protected our organisation.
REMINDER: Always verify unexpected requests for passwords or sensitiveinformation. When in doubt, report suspicious messages to [reporting address].
[IT Security Team]Executive summary:
Subject: Phishing Campaign Incident Summary - [Date]
SUMMARYA phishing campaign targeted [number] staff members today. The attack hasbeen contained and affected accounts secured.
IMPACT- Messages sent to: [number] recipients- Users who clicked link: [number]- Users with compromised credentials: [number] (accounts secured)- Data exposure: [None confirmed / Under investigation / Details]
RESPONSE ACTIONS COMPLETED- Malicious sender blocked at email gateway- Phishing messages removed from all mailboxes- Malicious URL blocked at web proxy- Affected user passwords reset- All-staff awareness notification sent
CAMPAIGN CHARACTERISTICS- Type: [Targeted / Opportunistic]- Sophistication: [Low / Medium / High]- Impersonation: [Details if applicable]
RECOMMENDATIONS[Any process or technology recommendations arising from the incident]
NEXT STEPS- Complete impact assessment by [date]- Conduct post-incident review on [date]- [Additional follow-up items]
Questions: Contact [Incident commander] at [contact].Evidence preservation
Preserve the following evidence for post-incident review, potential law enforcement referral, and threat intelligence:
| Evidence type | Preservation method | Retention |
|---|---|---|
| Original phishing email with headers | Export as .eml, store in evidence folder | 12 months minimum |
| Screenshot of phishing website | Full page capture with URL visible | 12 months minimum |
| Mail gateway logs | Export relevant entries | Per retention policy |
| Proxy logs showing clicks | Export relevant entries | Per retention policy |
| Authentication logs | Export for affected time period | Per retention policy |
| Incident response actions log | Document all actions with timestamps | Permanent |
| User communications sent | Archive copies | 12 months minimum |
Store evidence in a restricted location accessible only to incident responders. Do not store phishing payloads (malicious attachments) on production systems.
Post-incident activities
Within 5 business days of incident closure:
Conduct post-incident review with response team to identify:
- What worked well in the response
- What could be improved
- Whether detection was timely
- Whether communications were effective
- Whether any users remain at risk
Update defences based on findings:
- Add sender patterns to blocklists
- Tune email security rules if messages bypassed filters
- Update URL categorisation if web filter missed the phishing site
- Consider additional email authentication requirements
Reinforce user awareness without singling out individuals:
- Use the campaign as a case study in security awareness training
- Recognise users who reported promptly
- Address any confusion that arose during communications
Document lessons learned and update this playbook if response procedures proved inadequate.
See also
- Account Compromise for response when credentials are confirmed compromised
- Malware Containment for response when phishing delivers malware payloads
- Evidence Collection for detailed forensic preservation procedures
- Incident Triage Matrix for severity classification criteria
- Incident Response Framework for organisational incident response concepts