Planet Red

Phishing PlayBook

To determine if unsuccessful, check if any credentials have been provided (Email Logs, User Interview) or if any URL’s were accessed (Firewall logs, Web Gateway logs, User Interview).

Ensure phishing emails are no longer being sent and customer is aware of the phishing campaign against them so that users can be notified.





Post Incident

Investigate whether email addresses can be blocked (Email Gateway Configuration), or if URL's/Domains can be blocked from users visiting them (Firewall Configuration/Web Gateway Configureation).

If Successful

A Phishing attack is considered successful if a user is tricked into disclosing any information to an attacker, such as credentials, contact information, or other sensitive data. The attack may also be successful if the user visits a malicious website that wasn’t blocked.

Disable compromised user accounts.
If a privileged user account has been compromised, monitor access logs to determine if attacker is pivoting, such as using different accounts, creating their own accounts, or modifying account privleges. Be ok the look out for 'service' accounts that may go unoticed.


Disconnect compromised user accounts if they are logged in.


If any credentials were disclosed, reset passwords. Monitor the user account for suspicious activity, such as failed log in attempts.

Post Incident

Send a Security Advisory to all staff, notifying them of the attack. Request that all staff members notify management if they believe that they may have been targeted, successfully or unsuccessfully.
Review how the attackers emails were able to bypass security measures such as Email Gateway policies, and implement a plan to correct if necessary.

Evidence to Preserve
Email Phishing

All original emails, including any correspondence with email headers (Best Evidence).
Any suspicious Security Events that may have occurred as a result of the information disclosed.

Phone Phising

All phone call recordings (Best Evidence).
All phone call logs, including any correspondence. These should include time stamps.
All MMS/SMS logs.

Targeted Account Logs

All access logs for targeted/compromised users/devices 48 hours for the attack.
All account activity logs for targeted/compromised users/devices within 48 hours for the attack.

Web Activity

All logs that demonstrate users accessing IP addresses or websites relating to the Phishing incident.