Phishing

Social engineering attack delivered via email, SMS, or messaging platforms designed to harvest credentials or deliver malicious payloads.

Triage

5 procedures
P1

Bound the Investigation Timeframe

~30 min
P1

Identify Patient Zero (First Compromised System)

~60 min
P1

Analyze Suspicious Email for BEC Indicators

~45 min
P1

Phishing Email Triage and Indicator Extraction

~30 min
P2

Validate the Initial Access Vector

~45 min

Containment

3 procedures
P1

Credential and Account Lockdown

~45 min
P1

Revoke Cloud Sessions and Tokens

~30 min
P1

Phishing Containment: Block, Quarantine, Purge

~45 min
Sponsored

Preservation

4 procedures
P1

Volatile Memory Capture

~60 min
P1

Log Preservation and Snapshot

~45 min
P1

Preserve Phishing Email Evidence

~45 min
P2

Document Chain of Custody for All Collected Evidence

~30 min

Collection

6 procedures
P1

Phishing Artifact Collection: Headers, URLs, Attachments

~60 min
P2

EDR Telemetry Collection

~120 min
P2

M365 Unified Audit Log Collection

~90 min
P2

Azure AD Sign-In and Audit Log Collection

~60 min
P2

Identify Alternative Evidence When Primary Logs Are Missing

~60 min
P3

Coordinate Log Collection from Third-Party Vendors

~120 min

Analysis

4 procedures
P1

Lateral Movement Analysis and Mapping

~120 min
P1

Phishing Campaign Scope and Credential Exposure

~90 min
P2

Detect OAuth and Consent Phishing Abuse

~60 min
P2

Investigate Mailbox Rule Modifications

~45 min

Eradication

3 procedures
P1

Eradication Verification Checklist

~90 min
P1

Phishing Remediation: Purge, Reset, Revoke

~60 min
P2

Post-Incident Configuration Hardening

~180 min

Recovery

1 procedure
P2

Phased Service Restoration with Enhanced Monitoring

~120 min

Post-Incident Review

4 procedures
P2

Create New Detection Rules Based on Incident Findings

~90 min
P2

Generate Comprehensive Incident Report

~180 min
P2

Review Cloud Hardening Gaps After Identity Compromise

~75 min
P3

Conduct Lessons Learned Review Session

~120 min