What You'll Learn
- Execute the immediate response process when a phishing email is reported: triage, scope, and contain
- Block extracted artifacts across email gateway rules, firewall rules, and DNS sinkholing
- Describe the layered email security stack: Secure Email Gateway, sandboxing, URL rewriting, and post-delivery remediation
- Determine whether users clicked phishing links or submitted credentials, and initiate appropriate containment
- Explain the role of user awareness programs and phishing simulations in reducing organizational risk
- Measure phishing defense effectiveness using key metrics: click rate, report rate, and mean time to detect
- Integrate phishing detection with Wazuh SIEM alerts and SOAR playbooks for automated response
The Clock Starts When the Report Arrives
You have spent four lessons learning to identify phishing, trace headers, verify authentication, and extract artifacts. All of that analysis is preparation for this moment: someone in your organization just reported a suspicious email, and your response determines whether one person got phished or the entire company gets compromised.
Phishing response is time-sensitive. From the moment the first user reports a suspicious email, the attacker's clock is ticking — but so is yours. Every minute that passes is another minute for other employees to click the same link, submit their credentials, or open the same attachment. Your job is to move faster than the threat.
The average time from phishing email delivery to first click is under 60 seconds. Studies consistently show that employees who will click a phishing link do so within the first few minutes. By the time the email is reported (often hours later), multiple users may have already interacted with it. Speed in your response directly limits the blast radius.
Phase 1: Triage the Report
When a user reports a suspicious email (via a report button, forwarding to a phishing mailbox, or a helpdesk ticket), the first step is a rapid triage:
| Triage Question | Why It Matters | How to Answer |
|---|---|---|
| Is this actually phishing? | Avoid wasting response resources on legitimate email | Apply Lessons PH-1 through PH-3: check headers, authentication, URL destinations |
| Is it targeted or bulk? | Targeted (spear phishing) suggests reconnaissance and higher risk | Check if personalization goes beyond what mass campaigns use |
| Did the user interact with it? | Determines urgency — "just reported" vs "I clicked the link" | Ask the user directly; check proxy logs for the URL |
| Have other users received it? | Defines the scope of the campaign within your organization | Search email gateway logs for matching subject, sender, or URL |
Build a phishing report template. When users report phishing, provide a simple form: "Did you click any links? Did you enter any information? Did you open any attachments? Did you forward it to anyone?" These four questions determine your entire response path.
Triage Decision Tree
After answering the triage questions, your path branches:
- No interaction, single recipient: Block artifacts, delete the email, close the ticket
- No interaction, multiple recipients: Block artifacts, search-and-purge across all mailboxes, alert affected users
- User clicked link but did not submit credentials: Block artifacts, check endpoint for indicators, monitor the user's account
- User submitted credentials: Block artifacts, force password reset, revoke active sessions, check for unauthorized access, engage incident response
- User opened attachment: Block artifacts, isolate the endpoint, scan for malware, check for lateral movement
Phase 2: Scope the Campaign
Before you can contain, you need to know how big the problem is. Use the IOCs you extracted in Lesson PH-4 to search across your environment:
Email Gateway Search
Search your email gateway (Microsoft 365, Google Workspace, Proofpoint, Mimecast) for all messages matching:
- Sender address or domain
- Subject line (exact or fuzzy match)
- URLs contained in the body
- Attachment hash or filename
# Example: Microsoft 365 compliance search
Search-MailboxAuditLog -Subject "Urgent: Password Reset Required"
Get-MessageTrace -SenderAddress "attacker@evil-domain.xyz" -StartDate (Get-Date).AddDays(-7)
Proxy and DNS Log Search
If the phishing email contains URLs, search your web proxy logs and DNS resolver logs for any employee who visited the destination:
# Wazuh query: check for DNS queries to the phishing domain
rule.groups: "dns" AND data.dns.question.name: "evil-domain.xyz"
# Proxy log query: check for HTTP requests to the phishing URL
url.domain: "evil-domain.xyz" AND url.path: "/harvest"
Endpoint Search
If the email contained an attachment, search your EDR or Velociraptor for the file hash across all endpoints:
# Velociraptor artifact: search for file hash across fleet
SELECT * FROM Artifact.Windows.Search.FileFinder
WHERE HashSha256 = "e3b0c44298fc1c149afbf4c8996fb924..."
Scoping often reveals more victims than expected. The user who reported the phishing may not have been the first to receive it. Campaign scoping regularly uncovers that 10, 50, or even hundreds of employees received the same email — and some have already interacted with it.
Phase 3: Contain and Block
Once you know the scope, block every extracted artifact to stop the bleeding:
Email Gateway Blocks
| Action | What It Blocks | Implementation |
|---|---|---|
| Sender block | Future emails from the attacker's address/domain | Add to email gateway block list or transport rule |
| Subject block | Variations of the same campaign | Transport rule matching subject keywords (use cautiously) |
| Search and purge | Existing copies in all user mailboxes | Compliance search + hard delete across the tenant |
| Attachment block | Files matching the hash or filename pattern | Email gateway content filter rule |
Network Blocks
| Action | What It Blocks | Implementation |
|---|---|---|
| Firewall rule | Outbound connections to attacker infrastructure | Block destination IP(s) on perimeter firewall |
| DNS sinkhole | DNS resolution of the phishing domain | Point the domain to a sinkhole IP in your internal DNS resolver |
| Web proxy block | HTTP/HTTPS requests to the phishing URL | Add URL/domain to proxy block list category |
DNS sinkholing is one of the most effective containment actions. If you sinkhole the phishing domain on your internal DNS resolver, every employee who clicks the link after that point gets redirected to an internal block page instead of the attacker's credential harvester. This works even for users who have already received the email but haven't clicked yet.
SIEM Detection Rules
Create a Wazuh custom rule to detect any future interaction with the attacker's infrastructure:
<group name="phishing_campaign_2026_001">
<rule id="100500" level="12">
<if_group>dns</if_group>
<field name="query">\.evil-domain\.xyz$</field>
<description>DNS query to known phishing domain (Campaign 2026-001)</description>
<group>phishing,ioc,</group>
</rule>
<rule id="100501" level="14">
<if_group>web-log</if_group>
<url>evil-domain.xyz/harvest</url>
<description>HTTP request to phishing credential harvester (Campaign 2026-001)</description>
<group>phishing,ioc,credential_theft,</group>
</rule>
</group>
Phase 4: Check for Credential Compromise
If the phishing email directed users to a credential harvesting page, you must determine whether anyone submitted their credentials — even if they claim they did not.
Indicators of Credential Submission
| Signal | Source | What It Means |
|---|---|---|
| POST request to the phishing URL | Web proxy logs | User submitted form data (likely credentials) |
| Time on phishing page > 30 seconds | Web proxy logs | User interacted beyond just loading the page |
| Successful authentication from unusual location | Authentication logs (AD, Okta, Azure AD) | Attacker using stolen credentials |
| MFA push approval after phishing | MFA provider logs | User approved attacker's MFA challenge (MFA fatigue) |
| Email forwarding rule created | Exchange/M365 audit logs | Attacker maintaining access via auto-forwarding |
| New OAuth app consent | Azure AD / Google Workspace audit | Attacker obtained persistent API access |
Do not take the user's word for it. Users often say "I didn't enter anything" when they actually did. Always verify by checking proxy logs for POST requests and authentication logs for anomalous logins. The evidence does not lie.
Credential Compromise Response
If evidence shows credentials were submitted:
- Force immediate password reset — do not wait for the user to "get around to it"
- Revoke all active sessions — Azure AD:
Revoke-AzureADUserAllRefreshToken; Google: Admin Console → Security → User Sessions - Check for persistence mechanisms — email forwarding rules, OAuth app consents, mailbox delegates
- Review recent account activity — file access, email sends, permission changes
- Enable enhanced monitoring — temporarily increase logging level for the compromised account
- Check for lateral movement — if the compromised account has admin privileges, assume broader compromise
The Email Security Stack
Effective phishing defense is not a single tool — it is a layered stack where each component catches what the previous one missed.
| Layer | Technology | What It Catches | Limitation |
|---|---|---|---|
| 1. MX/Gateway Filtering | Secure Email Gateway (Proofpoint, Mimecast, Microsoft Defender) | Known bad senders, bulk phishing, spam | Cannot catch zero-day phishing domains or targeted attacks |
| 2. Sandbox Detonation | Gateway-integrated or standalone (Hybrid Analysis) | Malicious attachments that execute payloads | Sandbox-aware malware delays execution or checks for VM artifacts |
| 3. URL Rewriting | SafeLinks (M365), URL Defense (Proofpoint) | Links that become malicious after delivery (time-of-click analysis) | Some users bypass by copying the original URL from source |
| 4. Post-Delivery Remediation | ZAP (M365 Zero-hour Auto Purge), PhishER (KnowBe4) | Emails reclassified as malicious after delivery | Requires good threat intel feeds; lag between delivery and purge |
| 5. User Reporting | Report phishing button, phishing mailbox | Attacks that bypass all automated layers | Depends on user training and willingness to report |
| 6. SOC Investigation | Analyst triage (you!) | Confirmed phishing requiring scoping and response | Limited by analyst staffing and skill |
Layer 5 — user reporting — is your most valuable detection layer. No automated system catches 100% of phishing. Trained users who report suspicious emails give you visibility into what bypassed every other layer. Investing in user training has the highest ROI of any phishing defense.
User Awareness and Phishing Simulations
Technical controls catch most phishing. The attacks that get through are the ones that fool humans. User awareness is not a checkbox compliance exercise — it is a measurable security control.
Effective Awareness Programs
| Component | Purpose | Frequency |
|---|---|---|
| New-hire training | Baseline phishing recognition skills | During onboarding |
| Annual refresher | Update on current phishing trends and techniques | Yearly |
| Phishing simulations | Measure real-world click rates and identify high-risk users | Monthly or quarterly |
| Just-in-time training | Immediate education when a user fails a simulation | Triggered by simulation failure |
| Positive reinforcement | Recognize and reward users who report real phishing | Ongoing |
Phishing Simulation Best Practices
- Use realistic templates that mirror actual attacks (not obviously fake)
- Vary difficulty levels — some easy, some hard
- Rotate themes: credential harvesting, attachment delivery, CEO impersonation, IT helpdesk
- Do not punish users who click — educate them immediately
- Track trends over time, not individual failures
Phishing simulations that embarrass users backfire. If employees fear punishment for clicking, they stop reporting real phishing. The goal is education, not gotcha moments. Organizations with blame-free reporting cultures have significantly higher phishing report rates.
Measuring Phishing Defense Effectiveness
What you cannot measure, you cannot improve. Track these metrics to demonstrate the value of your phishing program and identify areas for improvement:
| Metric | What It Measures | Target | Data Source |
|---|---|---|---|
| Phishing click rate | Percentage of users who click simulation links | < 5% (mature program) | Phishing simulation platform |
| Phishing report rate | Percentage of users who report (vs. click or ignore) | > 70% | Phishing mailbox / report button analytics |
| Mean time to detect (MTTD) | Time from delivery to first user report | < 15 minutes | Email gateway delivery timestamp vs. report timestamp |
| Mean time to contain (MTTC) | Time from first report to all artifacts blocked | < 60 minutes | SOC response timestamps |
| Credential compromise rate | Percentage of phishing incidents where credentials were submitted | < 1% | Proxy logs + authentication logs |
| Repeat clicker rate | Users who fail multiple simulations | < 2% | Simulation platform |
Integration with SIEM and SOAR
In a mature SOC, phishing response is not entirely manual. Wazuh (SIEM) and Shuffle (SOAR) automate portions of the workflow:
Wazuh Integration
- Email gateway log forwarding: Forward Microsoft 365 or Google Workspace email events to Wazuh for centralized alerting
- Custom rules for phishing IOCs: Deploy rules (as shown in Phase 3) that alert on DNS queries, web requests, or file hashes matching known phishing campaigns
- Correlation rules: Alert when the same user triggers both "phishing email received" and "credential submission" events within a short time window
SOAR Playbook (Shuffle)
A phishing response playbook in Shuffle can automate:
- Parse the reported email — extract sender, URLs, attachments automatically
- Check IOCs against threat intel — VirusTotal, AbuseIPDB, URLScan.io API calls
- Block IOCs — push firewall rules, email gateway blocks, DNS sinkhole entries
- Search for other recipients — query email gateway for matching messages
- Notify affected users — send automated warning to anyone who received the email
- Create incident ticket — populate with extracted IOCs, analysis results, and containment actions
- Escalate if credentials compromised — trigger the credential compromise sub-playbook
Start with manual, then automate. In Lab PH-5, you will execute this entire workflow manually. Once you understand every step, you will appreciate what the SOAR playbook automates in Module 10 (Security Automation). Analysts who automate without understanding the manual process build brittle playbooks that break on edge cases.
Key Takeaways
- Phishing response is time-critical — the average time to first click is under 60 seconds, so every minute of analyst delay increases the blast radius
- The response process follows five phases: triage, scope, contain, check for compromise, and recover — skipping any phase leaves gaps
- DNS sinkholing is one of the fastest and most effective containment actions, redirecting all future clicks to an internal block page
- Never trust user self-reporting on credential submission — always verify with proxy logs and authentication logs
- The email security stack has six layers: gateway filtering, sandboxing, URL rewriting, post-delivery remediation, user reporting, and SOC investigation
- User awareness programs with blame-free reporting cultures achieve significantly higher phishing report rates than punitive approaches
- Measure your program with click rate (< 5%), report rate (> 70%), MTTD (< 15 min), and MTTC (< 60 min) to demonstrate value and identify gaps
What's Next
You now know how to respond when phishing is confirmed — from blocking artifacts to checking for credential compromise to measuring your program's effectiveness. In Lesson PH-6: Phishing Investigation Report Writing, you will learn how to document everything you have done into a professional investigation report that communicates your findings to management, legal, and other stakeholders. In Lab PH-5, you will execute a full phishing response workflow: scoping the campaign, blocking IOCs, checking for click-throughs, and measuring your response time.
Knowledge Check: Defensive Measures & Response
10 questions · 70% to pass
What is the first action an analyst should take when a user reports a suspicious email?
Why is DNS sinkholing described as one of the most effective containment actions for phishing?
A user says they clicked a phishing link but 'didn't enter anything.' How should the analyst verify this claim?
In Lab PH-5, you scope a phishing campaign and discover 50 employees received the same email. What is the correct search-and-purge approach?
Which layer of the email security stack catches phishing links that become malicious AFTER the email has been delivered?
What is the target phishing click rate for a mature security awareness program?
Why do phishing simulations that punish users for clicking actually reduce organizational security?
In the SOAR phishing playbook, what is the correct order of automated actions after a reported email is parsed?
Evidence shows a user's credentials were compromised via phishing. After forcing a password reset, what must the analyst check for NEXT?
What is the target mean time to contain (MTTC) for a phishing incident in a mature SOC?
0/10 answered