🎣 Phishing

Identify Patient Zero (First Compromised System)

Patient Zero

Analyze Suspicious Email for BEC Indicators

BEC Email Analysis

Phishing Email Triage and Indicator Extraction

Phishing Triage

Validate the Initial Access Vector

Access Validation

Containment

(3 procedures)

Credential and Account Lockdown

Account Lockdown

Revoke Cloud Sessions and Tokens

Revoke Cloud Sessions

Phishing Containment: Block, Quarantine, Purge

Phishing Quarantine

Preservation

(4 procedures)

Volatile Memory Capture

Memory Capture

Log Preservation and Snapshot

Log Snapshot

Preserve Phishing Email Evidence

Phishing Email Preservation

Document Chain of Custody for All Collected Evidence

Chain of Custody

Collection

(6 procedures)

Phishing Artifact Collection: Headers, URLs, Attachments

Phishing Artifact Collection

EDR Telemetry Collection

EDR Collection

M365 Unified Audit Log Collection

M365 UAL Collection

Azure AD Sign-In and Audit Log Collection

Azure AD Logs

Identify Alternative Evidence When Primary Logs Are Missing

Missing Log Fallback

Coordinate Log Collection from Third-Party Vendors

Third-Party Logs

Analysis

(4 procedures)

Lateral Movement Analysis and Mapping

Lateral Movement

Phishing Campaign Scope and Credential Exposure

Phishing Campaign Analysis

Detect OAuth and Consent Phishing Abuse

OAuth Abuse

Investigate Mailbox Rule Modifications

Inbox Rules

Eradication

(3 procedures)

Eradication Verification Checklist

Eradication Verification

Phishing Remediation: Purge, Reset, Revoke

Phishing Remediation

Post-Incident Configuration Hardening

Config Hardening

180min

Recovery

(1 procedure)

Phased Service Restoration with Enhanced Monitoring

Service Restoration

Post-Incident Review

(3 procedures)

Create New Detection Rules Based on Incident Findings

Detection Improvement

Generate Comprehensive Incident Report

Incident Report

180min

Conduct Lessons Learned Review Session

Lessons Learned