Even the most mature phishing simulation programs cannot prevent every successful attack. Employees will occasionally click real phishing links, enter credentials on malicious pages, or open weaponized attachments. The difference between a minor security event and a catastrophic breach often comes down to what happens in the first 60 minutes after the click. This playbook provides step-by-step incident response procedures specifically designed for phishing-initiated compromises.
Phase 1: Detection and Initial Triage (0 to 15 Minutes)
Most phishing compromises are detected through one of three channels: an employee self-reports that they clicked a suspicious link or entered credentials, an automated email security tool flags a malicious message that was delivered before detection rules were updated, or a SOC analyst identifies anomalous behavior such as impossible travel, unusual login patterns, or unexpected mail forwarding rules. Regardless of the detection channel, the initial triage should follow the same procedure. First, confirm the report is about a real phishing message, not a simulation. Then classify the severity: did the employee only click a link (low), enter credentials (medium), or download and execute a file (high)? This classification determines the urgency and scope of the response.
Phase 2: Containment (15 to 60 Minutes)
Containment priorities vary by compromise type but follow a consistent pattern. For credential compromise, immediately force a password reset on the affected account, revoke all active sessions and OAuth tokens, check for newly created mail forwarding rules or inbox rules (a common persistence mechanism), and enable enhanced monitoring on the account. For malware execution, isolate the endpoint from the network using your EDR platform, preserve a forensic image before remediation, check for lateral movement indicators including unusual SMB connections, new scheduled tasks, or registry modifications, and scan other endpoints for the same indicators of compromise. For all compromise types, block the phishing URL and sender domain at the email gateway and web proxy, search email logs to identify other recipients of the same campaign, and quarantine any undelivered copies of the phishing message.
Phase 3: Investigation and Scope Assessment (1 to 24 Hours)
Once immediate containment is in place, the investigation phase determines the full scope of the compromise. Review authentication logs for the affected account to identify any unauthorized access that occurred between the compromise and containment. Check for data exfiltration indicators: large email forwards, unusual file downloads from cloud storage, or API calls to export data. Examine whether the compromised account was used to send internal phishing emails to other employees (a common lateral phishing technique). Document the timeline from initial phishing delivery to detection, containment, and resolution. This timeline becomes critical data for improving future response times and for regulatory reporting if required.
Phase 4: Remediation and Recovery (24 to 72 Hours)
Remediation goes beyond restoring the affected accounts and endpoints. Review and strengthen the controls that failed to prevent the compromise. If the phishing email bypassed email security filters, update detection rules and report the miss to your email security vendor. If the employee did not recognize the phishing indicators, schedule targeted remedial training focused on the specific attack technique used. If credential compromise occurred despite MFA, investigate whether the attacker used an adversary-in-the-middle proxy to capture the MFA token and consider upgrading to phishing-resistant authentication methods such as FIDO2 hardware keys. Document all remediation actions and assign owners for any systemic improvements identified during the investigation.
Phase 5: Post-Incident Analysis and Improvement
Every phishing incident is a learning opportunity. Conduct a blameless post-incident review within 72 hours while details are fresh. Focus on four questions: How did the phishing email reach the employee (detection gap)? Why did the employee interact with the email (training gap)? How quickly was the compromise detected and contained (response gap)? What systemic improvements would prevent or reduce the impact of a similar incident (control gap)? Document findings and track remediation items to completion. Feed the specific attack technique back into your phishing simulation program so that future simulations test employees against the exact pattern that succeeded in the real attack. Over time, this feedback loop between real incidents and simulation campaigns creates a continuously improving defense that adapts to your organization's actual threat landscape. For related guidance on building the metrics that track these improvements, see our guide on measuring phishing simulation ROI.