An employee clicks a link in what appeared to be a routine email from a supplier. Within minutes, their credentials are harvested. Within hours, the attacker is inside your systems. What happens next depends entirely on whether your organisation has a well-rehearsed phishing incident response plan — or whether panic sets in and critical containment steps are missed.

TL;DR — Key Takeaways

  • Follow this step-by-step phishing incident response playbook to contain, investigate, remediate, and recover from phishing attacks effectively
  • Explore phase 1: Detection and Initial Triage
  • Explore phase 2: Containment

Visual Overview

flowchart TD
    A["Phishing Reported"] --> B["Isolate Affected System"]
    B --> C["Reset Credentials"]
    C --> D["Scan for Malware"]
    D --> E["Assess Data Exposure"]
    E --> F["Notify Stakeholders"]
    F --> G["Document & Learn"]

This playbook provides a structured, step-by-step guide for responding to phishing incidents. It is designed for small and medium-sized businesses that may not have a dedicated security operations centre but still need to act decisively when an attack occurs. Whether the phishing attempt was caught early or has already resulted in a compromise, this framework will help you contain the damage, investigate the scope, remediate the threat, and recover operations.

Phase 1: Detection and Initial Triage

The response begins the moment a phishing attempt is identified. Detection can come from multiple sources: an employee reporting a suspicious email, an automated alert from your email security gateway, or unusual activity flagged by your endpoint protection software.

Immediate Triage Questions

Within the first fifteen minutes, your incident lead should answer these critical questions:

  1. Did anyone interact with the phishing email? Determine whether users merely received the email, opened it, clicked a link, downloaded an attachment, or entered credentials on a spoofed page.
  2. How many people received it? Check your email logs to identify every recipient. A single phishing email sent to one person requires a different response than a campaign targeting your entire organisation.
  3. What type of phishing is this? Is it a broad credential-harvesting campaign, a targeted spear-phishing attack, a business email compromise, or a malware delivery attempt?
  4. Is there evidence of compromise? Look for signs such as unusual login activity, forwarding rules added to mailboxes, or unexpected outbound network connections.
Speed matters in the first hour. The difference between a contained incident and a full breach often comes down to how quickly you answer these initial triage questions.

Phase 2: Containment

Containment is about stopping the bleeding. Your goal is to prevent the attacker from expanding their access while preserving evidence for investigation.

Short-Term Containment Steps

  • Isolate affected accounts — immediately reset passwords for any user who clicked a link or entered credentials. Revoke active sessions and invalidate authentication tokens. If your organisation uses multi-factor authentication, verify that MFA tokens have not been compromised through MFA fatigue techniques.
  • Quarantine the phishing email — use your email administration tools to remove the malicious email from all recipient mailboxes, not just those who reported it. Microsoft 365 and Google Workspace both offer administrative search-and-purge capabilities.
  • Block malicious indicators — add the sender address, domain, and any URLs or IP addresses from the phishing email to your blocklists. Update your email gateway, web proxy, and firewall rules.
  • Isolate compromised endpoints — if malware was delivered, disconnect affected devices from the network immediately. Do not power them off, as this may destroy volatile memory evidence.
  • Disable suspicious forwarding rules — attackers frequently create email forwarding rules to maintain access even after passwords are changed. Check every affected mailbox for newly created rules.

Communication During Containment

Notify your incident response team and key stakeholders immediately. Use a pre-prepared communication template:

Internal alert template: "A phishing incident has been identified affecting [number] accounts. The incident response team is actively containing the threat. Do not interact with emails from [sender/subject line]. If you clicked any links or opened attachments in the suspicious email, contact IT immediately at [phone/channel]. A full update will follow within [timeframe]."

Keep communications factual and calm. Avoid speculation about the severity or origin of the attack until the investigation is complete.

Phase 3: Investigation

With containment measures in place, shift focus to understanding the full scope of the incident. Thorough investigation is essential both for complete remediation and for the documentation your cyber insurer will require.

Evidence Collection

Gather and preserve the following evidence as soon as possible:

  • The original phishing email — including full headers, which reveal the true sending infrastructure
  • Email gateway logs — showing delivery times, recipients, and any automated actions taken
  • Authentication logs — from your identity provider, VPN, and cloud services, covering the period from the phishing email delivery to the present
  • Endpoint telemetry — process execution logs, file system changes, and network connections from affected devices
  • Network logs — DNS queries, web proxy logs, and firewall records that may reveal command-and-control communications or data exfiltration

Scope Assessment

Determine the blast radius of the attack by investigating:

  • Which credentials were compromised and what systems those credentials provide access to
  • Whether the attacker moved laterally — check for logins from unusual locations, access to systems the compromised user does not normally use, or lateral phishing emails sent from compromised accounts
  • Whether any data was accessed or exfiltrated — review file access logs, cloud storage activity, and outbound data transfers
  • Whether persistence mechanisms were established — look for new user accounts, scheduled tasks, registry modifications, or OAuth application grants

Escalation Criteria

Not every phishing incident requires external help, but certain findings should trigger immediate escalation:

  • Escalate to your cyber insurer if any data breach is confirmed or suspected, if financial fraud has occurred, or if regulatory notification may be required
  • Engage a forensics firm if you discover evidence of persistent access, sophisticated malware, or if the scope exceeds your team's investigative capacity
  • Notify law enforcement if significant financial loss has occurred or if the attack appears to be part of a larger campaign targeting your industry
  • Activate your breach notification process if personal data has been compromised

Phase 4: Remediation

Remediation goes beyond containment. Where containment stops the immediate threat, remediation eliminates the attacker's presence and closes the vulnerabilities they exploited.

Account Remediation

  1. Force password resets for all confirmed and suspected compromised accounts
  2. Revoke all active sessions and refresh tokens across every service the affected accounts can access
  3. Review and remove any unauthorised OAuth application consents or API keys
  4. Audit and remove any email forwarding rules, delegates, or inbox rules created by the attacker
  5. If MFA was not in place, implement it immediately using phishing-resistant methods such as FIDO2 security keys

Endpoint Remediation

  • If malware was executed, reimage affected devices rather than attempting to clean them. This is the only way to ensure no persistent backdoors remain.
  • Apply any missing patches, particularly those related to the vulnerability the phishing attack attempted to exploit
  • Update endpoint protection signatures and run full scans across all devices

Infrastructure Remediation

  • Update email authentication records (SPF, DKIM, DMARC) if the phishing email exploited weaknesses in your email security posture
  • Review and tighten email gateway rules based on the tactics observed
  • Update web filtering rules to block the categories of malicious domains used in the attack

Phase 5: Recovery and Return to Normal Operations

Once remediation is complete, carefully restore normal operations. Do not rush this phase — premature restoration can re-expose your organisation if any attacker foothold was missed.

  • Restore affected accounts with new credentials and verified clean configurations
  • Reconnect remediated endpoints to the network with enhanced monitoring enabled
  • Communicate the all-clear to staff, including a summary of what happened, what was done, and what they should watch for going forward
  • Monitor closely for 30 days post-incident — attackers frequently attempt to regain access using alternative entry points discovered during their initial compromise

Phase 6: Post-Incident Review

The post-incident review is arguably the most valuable phase, yet it is the one most frequently skipped. Conduct this review within one week of the incident while details are fresh.

Key Review Questions

  1. How did the phishing email bypass our security controls?
  2. How long did it take from delivery to detection? Can we shorten that window?
  3. Did our incident response plan work as expected? Where did it break down?
  4. Were the right people notified at the right time?
  5. What additional tools, training, or processes would have prevented or reduced the impact of this incident?

Documenting for Insurers and Regulators

Maintain a comprehensive incident report that includes a timeline of events, actions taken at each phase, evidence of containment and remediation, and the outcome. This documentation is critical for cyber insurance claims and demonstrates due diligence to regulators. Your report should clearly show that your organisation had reasonable controls in place and responded promptly and appropriately.

An insurer does not expect you to prevent every attack. They expect you to detect it quickly, respond competently, and document everything. This playbook gives you the framework to do exactly that.

Building a Phishing-Resilient Organisation

The best incident response is the one you never need to use. Invest in prevention through regular phishing simulations, clear reporting procedures, and a culture where employees feel empowered to question suspicious communications. Track your phishing awareness metrics over time and use them to target training where it is needed most.

Keep this playbook accessible to your entire incident response team — not buried in a shared drive that no one can find during a crisis. Print copies, bookmark it, and rehearse it quarterly. When the next phishing attack arrives, and it will, your team will respond with confidence rather than confusion.