The purpose of this phase is to take prompt, coordinated action to:
Stop the spread or impact of the phishing attack
Protect users and systems from further compromise
Preserve evidence for forensic and legal purposes
Ensure the organization recovers from the incident securely
A quick and efficient response is critical and requires:
Speed - phishing attacks escalate quickly: credentials are reused, malware calls C2 servers, and users forward compromised messages.
Coordination - work with other departments (IT, HR, communications, and legal teams if needed).
Documentation - track every action taken for auditing and forensic purposes.
Below are the high-level steps to follow when responding to a phishing threat.
Determine the ‘blast radius’ - identify and secure other accounts and devices connected or affected.
Successful containment and response require determining the following variables:
How many users received the message?
Who interacted (clicked, replied, downloaded)?
Were credentials submitted to phishing forms?
Did any systems show malware infections?
Were sensitive data or systems accessed?
TIP: Use SIEM, email logs, DNS queries, EDR, and user reports to answer these questions.
If the phishing email or message is still active in the user's inbox, the available actions are:
Isolate messages based on:
Subject line
Sender domain
Attachment hash
URL or IP pattern
Recipients (To, Cc, and Bcc)
Quarantine or purge emails from inboxes.
The method/steps to purge emails will depend on the system, for example:
Google Workspace: Admin Console → Investigation Tool → Quarantine/Spam/Phishing
Microsoft 365 / Defender: Threat Explorer → "Take Action" to delete or quarantine
TIP: The earlier you contain the message, the fewer users interact with it.
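The following script is an added example (not part of the original guide) that applies the isolation criteria above (sender domain, subject, attachment hash, URL) to constructed gateway, proxy and sign-in logs and answers the blast-radius questions: who received the message, who clicked, who submitted credentials, and which accounts then signed in from an indicator IP. The log layouts, the phishing URL and the IP are assumptions; the sender domain and subject are the ones from this page's worked incident.

```python
# Phishing blast-radius triage over constructed sample logs (added example).
from urllib.parse import urlparse

INDICATORS = {  # sender domain and subject taken from the page's incident; rest constructed
    "sender_domains": {"micros0ft-support.com"},
    "subjects": {"security update - verify account"},
    "urls": {"http://micros0ft-support.com/verify"},   # assumed phishing-form URL
    "attachment_hashes": {"a" * 64},                   # placeholder SHA-256, constructed
    "ips": {"203.0.113.7"},                            # TEST-NET address, constructed
}

MAIL_LOG = [  # constructed gateway delivery records
    {"id": "<m1>", "from": "admin@micros0ft-support.com", "to": "alice@corp.example",
     "subject": "Security Update - Verify Account", "sha256": None},
    {"id": "<m2>", "from": "admin@micros0ft-support.com", "to": "bob@corp.example",
     "subject": "Security Update - Verify Account", "sha256": None},
    {"id": "<m3>", "from": "it@other.example", "to": "carol@corp.example",
     "subject": "Re: lunch", "sha256": "a" * 64},   # same payload, different lure
    {"id": "<m4>", "from": "hr@corp.example", "to": "dave@corp.example",
     "subject": "Payroll", "sha256": None},
]
PROXY_LOG = [  # constructed web-proxy records: (user, method, url)
    ("alice@corp.example", "GET", "http://micros0ft-support.com/verify"),
    ("alice@corp.example", "POST", "http://micros0ft-support.com/verify"),
    ("bob@corp.example", "GET", "http://micros0ft-support.com/verify"),
    ("dave@corp.example", "GET", "https://intranet.corp.example/"),
]
AUTH_LOG = [  # constructed identity-provider sign-ins: (user, source_ip, result)
    ("alice@corp.example", "203.0.113.7", "success"),
    ("bob@corp.example", "198.51.100.4", "success"),
]

def message_matches(msg, ind=INDICATORS):
    """Isolation criteria from the runbook: sender domain, subject or attachment hash."""
    domain = msg["from"].rsplit("@", 1)[-1].lower()
    return (domain in ind["sender_domains"]
            or msg["subject"].strip().lower() in ind["subjects"]
            or msg["sha256"] in ind["attachment_hashes"])

def blast_radius(mail=MAIL_LOG, proxy=PROXY_LOG, auth=AUTH_LOG, ind=INDICATORS):
    """Received / clicked / submitted / suspected takeover, plus accounts to reset."""
    received = {m["to"] for m in mail if message_matches(m, ind)}
    phish_hosts = {urlparse(u).hostname for u in ind["urls"]}
    clicked = {u for u, _, url in proxy if urlparse(url).hostname in phish_hosts}
    # Assumption: a POST to the phishing host means a form (credentials) was submitted.
    submitted = {u for u, meth, url in proxy
                 if meth == "POST" and urlparse(url).hostname in phish_hosts}
    takeover = {u for u, ip, res in auth if ip in ind["ips"] and res == "success"}
    return {"received": received, "clicked": clicked, "submitted": submitted,
            "suspected_takeover": takeover, "reset_required": submitted | takeover}
```

Every mailbox in `received` is a purge target, and every account in `reset_required` needs the credential and token actions described below.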
Block all known malicious indicators across relevant security tools:
URLs/Domains - Web proxy, Secure Web Gateway, DNS filtering (e.g., Cisco Umbrella, Palo Alto, Cloudflare)
IP Addresses - Firewalls, IDS/IPS, EDR/NDR tools
File Hashes - Endpoint protection, EDR solutions (e.g., CrowdStrike, SentinelOne)
Email Addresses/Domains - Email filtering rules, blocklists
TIP: Use threat intelligence feeds to automate this process where possible (SOAR playbooks, XDR integrations).
If a user clicked a link, entered credentials, or downloaded an attachment, take immediate action:
Force password reset
Expire authentication tokens/sessions
Revoke API keys or OAuth tokens (especially for cloud accounts)
Temporarily disable the account if a compromise is confirmed
Investigate lateral movement or unauthorized access
If the phishing message dropped malware or scripts:
Use EDR tools to:
Contain the endpoint (CrowdStrike, Carbon Black, SentinelOne)
Kill malicious processes
Roll back changes (if supported)
Capture:
Process trees
Registry modifications
C2 communication attempts
Persistence mechanisms
TIP: Isolate quickly to prevent spread, especially for ransomware or info-stealers.
Communicate clearly and quickly with affected users or departments (identified during Step 3). Provide:
A brief incident description, e.g., “We identified a phishing email that may have reached your inbox.”
What actions are required, e.g., “Please reset your password immediately and report any suspicious activity.”
Who to contact, e.g., “Contact the IT Helpdesk or Security Team for support.”
TIP: Use standard templates to speed up communication during incidents, and train staff to expect this type of message: standard formatting and language, a calm tone, standard instructions, and a way to verify that the communication is authentic.
This can be a lengthy and detailed process: it requires correlating various logs into a timeline of events to determine how the accounts or systems were compromised.
Did the attack exploit:
A supply chain relationship?
A recent breach or credential leak?
A misconfiguration or vulnerability?
A lapse in attention, or unfamiliarity with a specific social engineering technique?
Additional questions worth asking:
Is this a standalone attack or part of a larger phishing/attack campaign?
Are other departments/locations affected?
Can we attribute the attack to a specific APT or TTP? This can help anticipate follow-up phishing waves or related threats.
Record all steps taken in your ticketing or case management system (e.g., Jira, TheHive, RTIR):
Message identifiers (Message-ID, subject, sender)
Actions taken (quarantine, blocking, credential resets)
Users/devices impacted
IOCs blocked
Recommendations made
TIP: Keep detailed logs for audit trails, lessons learned, and compliance requirements.
Only deleting the email and not blocking the IOC
Not informing affected users or teams
Forgetting to check if credentials were reused across systems
Failing to isolate infected endpoints
Not documenting the incident thoroughly
Incident:
Email from admin@micros0ft-support[.]com sent to 87 users
Subject: “Security Update - Verify Account”
Actions Taken:
Message quarantined across mailboxes (O365 Threat Explorer)
Domain and IP blocked in Cloudflare Gateway
5 users submitted credentials — accounts locked and passwords reset
EDR isolated 1 compromised machine that downloaded .iso malware
Users notified with instructions
Incident documented in the ticketing or case management system.
Outcome: Contained within 3 hours. No lateral movement or data loss observed.