Phishing Response Playbook: A Blue Team Guide
Phishing incidents are the bread and butter of blue team work. Whether it's a user reporting a suspicious email or an alert firing on a credential harvesting page, how you respond in the first few minutes matters. This playbook covers the practical steps I take when handling phishing incidents.
Phase 1: Initial Triage
When a phishing report comes in, I need to answer three questions quickly:
- What kind of phishing is this? Credential harvest, malware delivery, business email compromise (BEC), or something else?
- Who received it? One user or many? Executive or regular employee?
- Did anyone interact with it? Clicked links? Entered credentials? Downloaded attachments?
Quick Assessment Commands
For M365 environments, these PowerShell commands help with initial assessment:
# Requires Exchange Online PowerShell (Connect-ExchangeOnline). Get-MessageTrace only covers the last 10 days and
# returns 1000 rows per page by default, so raise -PageSize; use Start-HistoricalSearch for anything older.
# Get email trace for a specific sender
Get-MessageTrace -SenderAddress "attacker@evil.com" -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -PageSize 5000
# Search for emails with a specific subject (the trace has no subject parameter, so filter client-side)
Get-MessageTrace -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -PageSize 5000 |
    Where-Object { $_.Subject -like "*Urgent*" } | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status
Phase 2: Investigation
Once I understand the scope, I dig into the details:
Check the Email Headers
Export the full header block (in Outlook desktop: File > Properties > Internet headers) and read it bottom-up, since each hop prepends its own lines; only the headers your own servers added can be trusted. Look for:
- Authentication results (SPF, DKIM, DMARC) in the Authentication-Results header stamped by your own boundary MTA, not in any copy that arrived with the message; a sender can add a fake one
- True sender (the From address and the Return-Path envelope sender) vs. display name; a lookalike domain, or a legitimate-looking address written into the display name, is the usual trick
- Reply-To address that differs from From, which routes the victim's reply to the attacker
- Originating IP for geographic and reputation anomalies: use the first Received hop outside your environment, since X-Originating-IP is absent from most mail and forgeable when present
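The checks above are mechanical enough to script. The following is an added example, not code from the original playbook, written in Python rather than the PowerShell used elsewhere on this page so it runs offline against a saved header block. It trusts Authentication-Results only when the authserv-id is one of our own mail hosts, flags an address embedded in the display name that does not match the real sender, flags an off-domain Reply-To, and pulls the IP of the first Received hop outside our servers. The host names, domains, IPs and the header block itself are constructed for the example.

```python
"""Header triage for a reported phishing email: authentication results from our own boundary
MTA, display-name vs. real sender, Reply-To divergence, and the first hop outside our servers.
The header block and host names below are constructed for this example."""
import json
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Hosts we operate (assumed). Received lines from these are ours; the first hop that is not ours is the sender's.
OUR_MAIL_HOSTS = {"mx1.example-corp.com", "mailbox01.example-corp.com"}
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: lookalike display name, off-domain Reply-To, failed DMARC, and a forged
# Authentication-Results line the sender inserted before the message reached us (it sits below ours).
SAMPLE_HEADERS = """\
Received: from mx1.example-corp.com (10.0.0.5) by mailbox01.example-corp.com (10.0.0.9) with Microsoft SMTP Server; Mon, 3 Jun 2024 08:15:02 +0000
Received: from mail.evil.example (mail.evil.example [203.0.113.7]) by mx1.example-corp.com with ESMTP; Mon, 3 Jun 2024 08:15:01 +0000
Authentication-Results: mx1.example-corp.com; spf=softfail smtp.mailfrom=evil.example; dkim=none; dmarc=fail action=none header.from=example-corp.com
Authentication-Results: mail.evil.example; spf=pass; dkim=pass; dmarc=pass
From: "IT Helpdesk <helpdesk@example-corp.com>" <alerts@evil.example>
Reply-To: recovery@mailbox-recovery.example
To: victim@example-corp.com
Subject: Urgent: password expires today
Message-ID: <20240603081500.ABC@mail.evil.example>
"""


def parse_auth_results(msg):
    """Return {mechanism: result} from Authentication-Results headers whose authserv-id is one of
    our hosts. Copies with any other authserv-id were added upstream and may be forged."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = value.partition(";")
        if authserv_id.strip() not in OUR_MAIL_HOSTS:
            continue
        for mech in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{mech}=(\w+)", rest)
            if m:
                results[mech] = m.group(1).lower()
    return results


def first_external_hop(msg):
    """Received headers are newest-first; return the IP in the first 'from' host that is not ours."""
    for received in msg.get_all("Received", []):
        m = re.match(r"from\s+(\S+)", received)
        if not m or m.group(1) in OUR_MAIL_HOSTS:
            continue
        ip = IPV4_RE.search(received)
        return ip.group(1) if ip else None
    return None


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def triage_headers(raw_headers):
    msg = HeaderParser().parsestr(raw_headers)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    auth = parse_auth_results(msg)
    findings += [f"{mech.upper()} {res}" for mech, res in auth.items() if res != "pass"]

    # Display-name spoofing: an address written into the display name that is not the real sender
    claimed = re.search(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", display_name)
    if claimed and domain_of(claimed.group(0)) != domain_of(from_addr):
        findings.append(f"display name claims {claimed.group(0)} but sender is {from_addr}")

    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append(f"Reply-To {reply_to} is outside the From domain {domain_of(from_addr)}")

    return {
        "from": from_addr,
        "reply_to": reply_to or None,
        "auth": auth,
        "external_ip": first_external_hop(msg),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(triage_headers(SAMPLE_HEADERS), indent=2))
```

On the sample this reports SPF softfail, DKIM none, DMARC fail, the spoofed display name and the foreign Reply-To, with 203.0.113.7 as the external hop; the forged pass/pass/pass line is ignored because its authserv-id is not one of our hosts. Paste the real header block in place of the sample and set OUR_MAIL_HOSTS to your own MTAs.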
Analyze Links and Attachments
Don't click links directly, not even from a "throwaway" VM: the click tells the attacker the address is live and can consume a single-use URL. Use a detonation sandbox or URL analysis service that fetches on your behalf. For attachments:
- Look the file hash up on VirusTotal before uploading the sample; an upload can leak internal data, and some attackers monitor public services for their own samples. No detections does not mean benign, especially for a freshly built payload
- Detonate in a sandbox (Any.Run, Hybrid Analysis), with the same judgement about what you are willing to make public
- Look for macros, embedded scripts or OLE objects, and external template references; archive and disk-image containers (.zip, .iso, .img) are commonly used to carry an executable past attachment filtering
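Most of that static first look needs no sandbox at all. The block below is an added example, not code from the original playbook, in Python like the other added examples here: it computes the SHA-256 for the hash lookup, flags double extensions, executable and container types, and, because OOXML documents are zip packages, reads macro, OLE and remote-template indicators straight from the zip listing and relationship files. The document it inspects is built in memory and is a minimal stand-in, not a valid Word file; the file names and the URL are constructed.

```python
"""Static first look at an attachment before it goes anywhere: a hash for reputation lookups,
extension tricks, and, for Office documents, macro / OLE / remote-template indicators read straight
from the OOXML zip. The sample documents are constructed in memory for this example."""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta", "bat", "cmd", "ps1", "lnk", "msi", "dll"}
CONTAINER_EXTS = {"zip", "7z", "rar", "iso", "img", "vhd", "vhdx"}
OOXML_MAGIC = b"PK\x03\x04"


def extension_findings(filename):
    parts = filename.lower().split(".")
    findings = []
    if len(parts) > 2:
        findings.append(f"double extension: {filename}")
    if parts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable type .{parts[-1]}")
    if parts[-1] in CONTAINER_EXTS:
        findings.append(f"container .{parts[-1]} (often wraps an executable to get past filtering)")
    return findings


def ooxml_findings(data):
    """docx/xlsx/pptx and their macro-enabled variants are zips; the payload indicators are in the listing."""
    if not data.startswith(OOXML_MAGIC):
        return []
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("VBA macro project (vbaProject.bin)")
        if any("/embeddings/" in n.lower() for n in names):
            findings.append("embedded OLE object(s) under embeddings/")
        # Remote template / external relationship: the document fetches content from a URL when opened
        for n in names:
            if not n.endswith(".rels"):
                continue
            for rel in ET.fromstring(zf.read(n)):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and target.lower().startswith(("http://", "https://")):
                    findings.append(f"external relationship in {n} -> {target}")
    return findings


def triage_attachment(filename, data):
    return {
        "filename": filename,
        "sha256": hashlib.sha256(data).hexdigest(),  # look this up first; upload only if the hash is unknown
        "size": len(data),
        "findings": extension_findings(filename) + ooxml_findings(data),
    }


def build_sample_docm(with_macro=True, remote_template=None):
    """Constructed minimal OOXML package, enough for the checks above (not a valid Word file)."""
    rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if remote_template:
        rels.append('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                    f'relationships/attachedTemplate" Target="{remote_template}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm(remote_template="http://evil.example/t.dotm")
    for line in triage_attachment("Invoice_2024.pdf.docm", sample)["findings"]:
        print(line)
```

Run against a real file with `triage_attachment(path.name, path.read_bytes())`. The zip-listing check is the same signal tools such as olevba start from; it tells you whether the file deserves detonation and what to watch for when it runs.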
Check for Compromise
If a user clicked or entered credentials:
# Check for suspicious sign-ins with Microsoft Graph PowerShell (Get-AzureADAuditSignInLogs belongs to the deprecated AzureADPreview module).
# Connect first: Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@domain.com'" -Top 50 |
    Select-Object CreatedDateTime, IpAddress, ClientAppUsed, AppDisplayName, @{n='Country';e={$_.Location.CountryOrRegion}}, @{n='Error';e={$_.Status.ErrorCode}}
# Look for IMAP/POP access (common for mailbox harvesting). Entra logs the protocol as 'IMAP4' or 'POP3', so a filter on 'IMAP' matches nothing.
Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@domain.com'" -All |
    Where-Object { $_.ClientAppUsed -in 'IMAP4','POP3' }
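Scrolling fifty sign-ins by eye is error-prone; what you are really asking is whether any successful sign-in after the click came from somewhere new, over a legacy protocol, or without MFA. The block below is an added example, not code from the original playbook, in Python like the other added examples on this page. It takes sign-in records exported as JSON (the field names mirror the Microsoft Graph signIn resource: createdDateTime, ipAddress, clientAppUsed, appDisplayName, authenticationRequirement, status.errorCode, location.countryOrRegion) plus the click time, builds the user's country baseline from sign-ins before the click, and flags new countries, IMAP4/POP3/Authenticated SMTP successes, single-factor successes and impossible travel. The records, IPs and timestamps are constructed.

```python
"""Triage of a user's Entra sign-in records after they entered credentials on a phishing page:
successes from a country absent from the pre-incident baseline, legacy-protocol access,
single-factor successes, and impossible travel. Record fields mirror the Microsoft Graph signIn
resource; the records below are constructed for this example."""
from datetime import datetime, timedelta

# Client app values Entra logs for basic-auth capable mail protocols; a success here after a phish is a strong signal.
LEGACY_PROTOCOLS = {"IMAP4", "POP3", "Authenticated SMTP"}

PHISH_CLICK_TIME = "2024-06-03T08:15:30Z"  # from the Safe Links click record or the user's report (assumed)


def _rec(ts, ip, app, client, country, error=0, auth="multiFactorAuthentication"):
    return {"createdDateTime": ts, "ipAddress": ip, "appDisplayName": app, "clientAppUsed": client,
            "authenticationRequirement": auth, "status": {"errorCode": error},
            "location": {"countryOrRegion": country}}


SAMPLE_SIGNINS = [  # constructed
    _rec("2024-06-03T07:58:10Z", "198.51.100.20", "Office 365 Exchange Online", "Browser", "US"),
    _rec("2024-06-03T08:21:44Z", "203.0.113.77", "OfficeHome", "Browser", "NG", auth="singleFactorAuthentication"),
    _rec("2024-06-03T08:25:03Z", "203.0.113.77", "Office 365 Exchange Online", "IMAP4", "NG", auth="singleFactorAuthentication"),
    # 50126 is a bad-password failure: context, but no session was issued
    _rec("2024-06-03T08:26:30Z", "203.0.113.77", "Office 365 Exchange Online", "IMAP4", "NG", error=50126, auth="singleFactorAuthentication"),
    _rec("2024-06-03T09:00:12Z", "198.51.100.20", "Microsoft Teams", "Browser", "US"),
]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage_signins(signins, phish_time_iso, travel_window=timedelta(hours=1)):
    """Return (kind, timestamp, ip, detail) tuples. Only successful sign-ins (errorCode 0) count."""
    phish_time = parse_ts(phish_time_iso)
    successes = sorted((e for e in signins if e["status"]["errorCode"] == 0),
                       key=lambda e: parse_ts(e["createdDateTime"]))
    # Baseline: countries the user signed in from before the click
    baseline = {e["location"]["countryOrRegion"] for e in successes if parse_ts(e["createdDateTime"]) < phish_time}
    findings = []
    for e in successes:
        ts, ip, country = parse_ts(e["createdDateTime"]), e["ipAddress"], e["location"]["countryOrRegion"]
        if ts < phish_time:
            continue
        if country not in baseline:
            findings.append(("new_country", ts, ip, country))
        if e["clientAppUsed"] in LEGACY_PROTOCOLS:
            findings.append(("legacy_protocol", ts, ip, e["clientAppUsed"]))
        if e.get("authenticationRequirement") == "singleFactorAuthentication":
            findings.append(("no_mfa", ts, ip, e["appDisplayName"]))
    # Impossible travel: consecutive successes from different countries closer together than the window
    for prev, cur in zip(successes, successes[1:]):
        c1, c2 = prev["location"]["countryOrRegion"], cur["location"]["countryOrRegion"]
        gap = parse_ts(cur["createdDateTime"]) - parse_ts(prev["createdDateTime"])
        if c1 != c2 and gap <= travel_window:
            findings.append(("impossible_travel", parse_ts(cur["createdDateTime"]), cur["ipAddress"], f"{c1}->{c2} in {gap}"))
    return findings


if __name__ == "__main__":
    for kind, ts, ip, detail in triage_signins(SAMPLE_SIGNINS, PHISH_CLICK_TIME):
        print(f"{ts:%H:%M:%S} {kind:<17} {ip:<15} {detail}")
```

On the sample, the two Nigerian successes after the click produce new-country and no-MFA findings, the IMAP4 success a legacy-protocol finding, and the US/NG/US sequence two impossible-travel findings; the failed IMAP4 attempt produces nothing. Feed it real data with `Get-MgAuditLogSignIn ... | ConvertTo-Json -Depth 5` and `json.load`, and treat the findings as the starting list of IPs to hunt for across the tenant.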
Phase 3: Containment
Containment actions depend on what you found:
If No One Clicked
- Delete the email from all mailboxes
- Block the sender
- Add URL/domain to block lists
# Purge the message from every mailbox. Search-Mailbox is deprecated; use a Compliance Search from Security & Compliance PowerShell (Connect-IPPSSession).
New-ComplianceSearch -Name "Phish-2024-001" -ExchangeLocation All -ContentMatchQuery 'from:attacker@evil.com AND subject:"Phishing Subject"'
Start-ComplianceSearch -Identity "Phish-2024-001"
# Once Get-ComplianceSearch shows Status 'Completed', purge. Each purge action removes at most 10 items per mailbox, so repeat it for noisy campaigns.
New-ComplianceSearchAction -SearchName "Phish-2024-001" -Purge -PurgeType SoftDelete
# Block the sender and the phishing host in the Tenant Allow/Block List (Exchange Online PowerShell), Microsoft's recommended replacement for the anti-spam policy's BlockedSenders parameter
New-TenantAllowBlockListItems -ListType Sender -Block -Entries "attacker@evil.com" -NoExpiration
New-TenantAllowBlockListItems -ListType Url -Block -Entries "evil.com" -NoExpiration
If Credentials Were Compromised
- Reset password immediately
- Revoke all active sessions
- Check for inbox rules (attackers love to create forwarding rules)
- Review audit logs for data access
# Revoke all sessions for a user (Microsoft Graph PowerShell; the AzureAD module is deprecated).
# Revoking refresh tokens ends the sessions, but access tokens already issued stay valid until they expire (about an hour), so reset the password first and expect a short tail.
Revoke-MgUserSignInSession -UserId "user@domain.com"
# Check for suspicious inbox rules; -IncludeHidden surfaces rules that do not show in Outlook's rule list. Forwarding is only one pattern: attackers also delete or move mail to hide their tracks.
Get-InboxRule -Mailbox "user@domain.com" -IncludeHidden |
    Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage -or $_.MoveToFolder }
# Mailbox-level forwarding is configured outside inbox rules and is easy to miss
Get-Mailbox -Identity "user@domain.com" | Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
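A rule listing still has to be judged, and the attacker's rules are designed to look boring. The block below is an added example, not code from the original playbook, in Python like the other added examples here. It takes rule records whose fields mirror Get-InboxRule output (Name, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, MarkAsRead, SubjectOrBodyContainsWords and friends) and flags the patterns that matter: forwarding to an external domain, rules that delete mail or park it in an obscure folder, keyword conditions that swallow security warnings or replies, and throwaway names such as "." or "..". The organisation domain, folder names and rule set are constructed.

```python
"""Triage of a compromised mailbox's inbox rules. Fields mirror Get-InboxRule output; the rule set
below is constructed for this example. Patterns: external forwarding, rules that hide mail by
deleting it or parking it in an unread folder, keyword filters that swallow security warnings or
replies, and non-descriptive names like '.' or '..'."""
import re

ORG_DOMAINS = {"example-corp.com"}  # assumed
PARKING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk email", "deleted items", "notes"}
COVER_KEYWORDS = {"password", "hacked", "phish", "suspicious", "security", "helpdesk", "invoice", "payment", "wire", "bank", "unauthorized"}
KEYWORD_FIELDS = ("SubjectContainsWords", "SubjectOrBodyContainsWords", "BodyContainsWords", "FromAddressContainsWords")

SAMPLE_RULES = [  # constructed
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": ":\\Inbox\\Newsletters", "FromAddressContainsWords": ["news@vendor.example"]},
    {"Name": ".", "Enabled": True, "ForwardAsAttachmentTo": ["John Smith <j.smith.recovery@mailbox-recovery.example>"], "DeleteMessage": True},
    {"Name": "..", "Enabled": True, "SubjectOrBodyContainsWords": ["password", "hacked", "suspicious sign-in", "helpdesk"],
     "MoveToFolder": ":\\Inbox\\RSS Feeds", "MarkAsRead": True},
    {"Name": "Move invoices", "Enabled": True, "SubjectContainsWords": ["invoice"], "MoveToFolder": ":\\Inbox\\Finance\\Invoices"},
]


def _addresses(*fields):
    """Get-InboxRule renders recipients as 'Name <user@domain>' or bare addresses; yield (address, domain)."""
    for field in fields:
        for item in field or []:
            m = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", item)
            if m:
                yield m.group(0), m.group(1).lower()


def _keywords(rule):
    words = set()
    for field in KEYWORD_FIELDS:
        words.update(w.lower() for w in rule.get(field) or [])
    return words


def triage_inbox_rules(rules):
    """Return {rule name: [reasons]} for rules that deserve a human look."""
    suspicious = {}
    for rule in rules:
        name = rule.get("Name", "")
        reasons = []
        for addr, domain in _addresses(rule.get("ForwardTo"), rule.get("RedirectTo"), rule.get("ForwardAsAttachmentTo")):
            if domain not in ORG_DOMAINS:
                reasons.append(f"forwards to external {addr}")
        folder = (rule.get("MoveToFolder") or "").split("\\")[-1].lower()
        deletes = bool(rule.get("DeleteMessage"))
        hides = deletes or folder in PARKING_FOLDERS
        keywords = _keywords(rule)
        cover = {w for w in keywords if any(k in w for k in COVER_KEYWORDS)}
        how = "delete" if deletes else f"move to {folder}"
        if hides and cover:
            reasons.append(f"hides mail matching {sorted(cover)} via {how}")
        elif hides and not keywords:
            reasons.append(f"hides mail via {how} with no keyword condition")
        if hides and rule.get("MarkAsRead"):
            reasons.append("marks hidden mail as read")
        if not re.search(r"[A-Za-z0-9]", name):
            reasons.append(f"non-descriptive name {name!r}")
        if reasons:
            suspicious[name] = reasons
    return suspicious


if __name__ == "__main__":
    for name, reasons in triage_inbox_rules(SAMPLE_RULES).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

On the sample, "Newsletters" and "Move invoices" pass, "." is flagged for external forwarding, blanket deletion and its name, and ".." for parking password/hacked/helpdesk mail unread in RSS Feeds. Export real rules with `Get-InboxRule -Mailbox user@domain.com -IncludeHidden | ConvertTo-Json -Depth 3` and `json.load` them; the `:\Inbox\...` folder prefix is handled.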
If Malware Was Downloaded
- Isolate the endpoint immediately
- Collect forensic data (memory, disk)
- Check for lateral movement indicators
- Review endpoint telemetry for execution
Phase 4: Eradication
After containing the immediate threat:
- Update email filtering rules to catch similar campaigns
- Block malicious infrastructure at the firewall
- Submit indicators to threat intelligence platforms
- Work with IT to patch any exploited vulnerabilities
Phase 5: Recovery
Getting the user or systems back to normal:
- For credential compromise: Issue new password, require MFA if not already enforced, and verify no persistent access remains (attacker-registered MFA methods or devices, OAuth app consents, inbox rules, mailbox delegates and forwarding)
- For malware: Reimage the endpoint or verify clean state through forensic analysis
- For BEC: Review and correct any unauthorized changes (wire transfers, vendor changes, etc.)
Phase 6: Lessons Learned
Every incident is a learning opportunity:
- Why did this get through? Technical gap? User awareness gap? Process failure?
- How can we detect this faster? New detection rule? Better user reporting?
- What worked well? Document successful response actions
- What can we improve? Update playbooks, train users, adjust tools
Quick Reference: Common PowerShell Commands
# Search and destroy a phishing email across the organization. Search-Mailbox is deprecated; use a Compliance Search (Connect-IPPSSession). Recipients come from the message trace.
$emails = Get-MessageTrace -SenderAddress "attacker@evil.com" -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -PageSize 5000
$recipients = $emails.RecipientAddress | Sort-Object -Unique
New-ComplianceSearch -Name "Phish-Purge" -ExchangeLocation $recipients -ContentMatchQuery 'from:attacker@evil.com AND subject:"Phishing Subject"'
Start-ComplianceSearch -Identity "Phish-Purge"
# Wait for Get-ComplianceSearch to report Status 'Completed', then purge; each action removes at most 10 items per mailbox
New-ComplianceSearchAction -SearchName "Phish-Purge" -Purge -PurgeType SoftDelete
# Find users who clicked a specific URL: Defender for Office 365 Safe Links click data, queried with Advanced Hunting KQL (Defender portal, or Graph via the Microsoft.Graph.Security module)
$kql = @"
UrlClickEvents
| where Timestamp > ago(7d) and Url contains "malicious-domain.com"
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough, NetworkMessageId
"@
$clicks = Start-MgSecurityHuntingQuery -Query $kql
# Check for suspicious OAuth grants (Microsoft Graph PowerShell) and resolve the consenting app's name; Mail\.(Read|Send) also matches Mail.ReadWrite
Get-MgOauth2PermissionGrant -All | Where-Object { $_.Scope -match 'Mail\.(Read|Send)' } |
    Select-Object @{n='App';e={(Get-MgServicePrincipal -ServicePrincipalId $_.ClientId).DisplayName}}, Scope, ConsentType, PrincipalId
Final Thoughts
Phishing response is as much about process as it is about tools. Having a playbook ready means you're not figuring things out during an incident. Document what works, update your playbooks, and train your users to report suspicious emails. The faster you can move through these phases, the less damage attackers can do.
And remember: users are your detection sensors, not your security failures. When someone reports a phishing email, thank them. They just gave you early warning of a potential incident.