
Phishing Incident Response Framework: A Step-by-Step Playbook

By Business Indemnity Editorial. Updated May 12, 2026

TL;DR: Phishing remains the most common entry vector for confirmed breaches, fronting roughly a third of incidents in the latest [Verizon DBIR](https://www.verizon.com/business/resources/reports/dbir/) and a similar share of FBI [IC3](https://www.ic3.gov/) complaints. The organisations that absorb the blow without a major outage are the ones running a tested phishing-incident response framework: triage in minutes, contain in tens of minutes, eradicate within hours, and report cleanly to regulators, customers, and insurers. This playbook lays out the seven phases of a defensible response, mapped to NIST, the [SANS](https://www.sans.org/) PICERL model, and [MITRE ATT&CK](https://attack.mitre.org/), and tied to the controls that make repeat compromise unlikely — including [phishing-resistant MFA](/tools/best-mfa-solutions-for-business) and [Zero Trust access](/compliance/zero-trust-architecture-for-mid-market).

Why Phishing Still Wins in 2026

Phishing has industrialised. AI-generated lures, real-time MFA-relay phishing kits like EvilProxy and Tycoon, callback phishing using legitimate cloud telephony, and SMS / Teams / Slack vectors have collectively expanded the attack surface beyond email. The 2024 MGM Resorts ransomware case — initiated by a vishing call to the help desk — and the 2022 Okta breach — staged via session-token theft from a contractor — both demonstrate that phishing now targets processes, not just inboxes.

Boards expect a measured response. Regulators expect prompt reporting. Insurers expect documented containment within their notice windows. The framework below is built to satisfy all three simultaneously while being executable by a small team at 3 a.m.

The Seven Phases of a Modern Phishing Response

The phases are mapped onto the SANS PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons learned), with an explicit Notification phase added to reflect the realities of GDPR, NIS2, and SEC disclosure.

Phase 1: Preparation — the Work That Matters Most

The actions that determine the outcome of a phishing incident are taken months before it occurs.

  • Phishing-resistant MFA (FIDO2 / WebAuthn) deployed across all human accounts. Microsoft and Google data show >99% reduction in account-takeover risk for FIDO2-protected identities.
  • Conditional Access policies that require compliant devices, block legacy authentication, and enforce session-token binding where the IdP supports it.
  • Email security stack with DMARC enforcement at p=reject, MTA-STS, BIMI, advanced sandboxing, and URL rewriting.
  • An abuse mailbox with single-click reporting (e.g., Microsoft Report Phishing add-in, Google "Report phishing", or third-party plugins) feeding directly into a SOAR playbook.
  • A pre-approved containment runbook with defined authority — who can reset passwords, revoke sessions, isolate endpoints, and pull a tenant from federation, without waiting for executive sign-off.
  • Tabletop exercises at least twice yearly, including the help desk and communications teams. The MGM lesson is that the help desk needs the playbook as much as the SOC does.

These foundations are not optional. They are the controls that cyber-insurance underwriters validate before binding coverage.

Phase 2: Identification — Decide Quickly Whether It Is Real

Most phishing alerts are mundane. The few that matter must be identified in single-digit minutes.

  • Confirm the artefact (email, SMS, Teams message) and capture full headers, body, attachments, URLs, and any rendered screenshots.
  • Assess delivery scope using mail-flow logs and security-tool detonation history. How many recipients? How many clicks? How many credential submissions?
  • Pivot on indicators: sender domain, URL infrastructure, file hashes, attacker-controlled OAuth applications. Cross-reference with threat-intel sources such as PhishTank, URLhaus, and your EDR vendor's intelligence.
  • Categorise severity using a pre-defined matrix (e.g., a credential phish hitting a privileged user is automatically Sev-1 regardless of click count).

A useful working rule: any successful credential submission by a privileged user, finance team member, or executive is treated as a confirmed compromise until proven otherwise.
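The severity matrix and the working rule above, as a small rule-ordered triage function that a SOAR playbook could call. This is an added example, not code from the original article; the alert fields, role labels and thresholds are constructed assumptions, and the first matching rule wins so that the "confirmed compromise" rule is evaluated before any volume-based rule.

```python
from dataclasses import dataclass, field


@dataclass
class PhishAlert:
    # Constructed alert record, roughly what a playbook assembles from
    # mail-flow logs, URL-click telemetry and the IdP sign-in log.
    recipients: int
    clicks: int
    credential_submitters: list[str] = field(default_factory=list)
    roles: dict[str, str] = field(default_factory=dict)  # user -> role label
    lure_type: str = "credential"  # "credential", "malware", "callback", "bec"


# Roles the playbook treats as automatically high-consequence (labels are assumed).
HIGH_VALUE_ROLES = {"privileged", "finance", "executive"}
WIDE_DELIVERY = 50  # recipient count that alone warrants an analyst (assumed)


def triage(alert: PhishAlert) -> tuple[str, str]:
    """Return (severity, rationale); rules are checked top-down, first hit wins."""
    # Working rule: a credential submission by a privileged user, finance team
    # member or executive is a confirmed compromise regardless of click count.
    hv_hits = sorted(u for u in alert.credential_submitters
                     if alert.roles.get(u) in HIGH_VALUE_ROLES)
    if hv_hits:
        return "Sev-1", "credential submission by high-value user(s): " + ", ".join(hv_hits)
    if alert.credential_submitters:
        n = len(alert.credential_submitters)
        return "Sev-2", f"{n} credential submission(s); no high-value users affected"
    if alert.lure_type == "malware" and alert.clicks:
        return "Sev-2", "payload lure with confirmed clicks; treat endpoints as suspect"
    if alert.clicks:
        return "Sev-3", f"{alert.clicks} click(s), no credential submission observed"
    if alert.recipients >= WIDE_DELIVERY:
        return "Sev-3", f"wide delivery ({alert.recipients} recipients), no interaction yet"
    return "Sev-4", "delivered, no interaction; quarantine and monitor"


if __name__ == "__main__":
    # Constructed sample: one finance user submitted credentials on a tiny campaign.
    sample = PhishAlert(recipients=3, clicks=1,
                        credential_submitters=["cfo"], roles={"cfo": "finance"})
    print(triage(sample))
```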

Phase 3: Containment — Reduce Blast Radius in Minutes

Once an incident is confirmed, containment goals are simple: stop further harm, preserve evidence, and create breathing room for eradication.

  • Disable the compromised account in the identity provider; do not merely reset the password. Revoke all active sessions and refresh tokens.
  • Quarantine the malicious email across all mailboxes using Microsoft Defender ZAP, Google "Investigate", or your secure email gateway's purge function.
  • Block sender, URL, and file indicators at the email gateway, web proxy, EDR, and DNS firewall.
  • Isolate affected endpoints via EDR network containment, preserving memory for forensic acquisition.
  • Audit and revoke OAuth grants the user (or attacker) created. Modern phishing kits often install consent-grant apps that survive password resets.
  • Inspect mailbox rules for forwarding, deletion, or move-to-folder rules that hide attacker activity.

The goal is to be in a defensible containment posture within 30–60 minutes of confirmation. This is where automation pays off most: the same actions performed manually take hours and risk inconsistency.
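The mailbox-rule inspection step above, as an added example (not the article's or any vendor's code) that flags the rule patterns attackers use to hide their activity: external forwarding or redirection, deletion, moves into rarely-viewed folders, sensitive subject filters, and near-empty rule names. The rule records and field names are constructed to resemble an inbox-rule export; they are assumptions, not a specific product's schema.

```python
# Domains considered internal; anything else is an external forward (assumed).
INTERNAL_DOMAINS = {"example.com"}
# Folders users rarely open, a common destination for hiding replies (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items", "archive"}
# Subject keywords that typically indicate BEC or alert suppression (assumed list).
SENSITIVE_TERMS = ("invoice", "payment", "wire", "password", "security alert", "phish")


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule: dict) -> list[str]:
    """Return human-readable findings for one inbox rule (empty list = benign)."""
    findings = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [a for a in targets if is_external(a)]
    if external:
        findings.append("forwards/redirects to external: " + ", ".join(external))
    if rule.get("delete_message"):
        findings.append("deletes matching messages")
    folder = (rule.get("move_to_folder") or "").strip().lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves messages to rarely-viewed folder '{rule['move_to_folder']}'")
    keywords = [k.lower() for k in rule.get("subject_contains", [])]
    hits = sorted({k for k in keywords if any(t in k for t in SENSITIVE_TERMS)})
    if hits:
        findings.append("subject filter targets sensitive terms: " + ", ".join(hits))
    if findings and rule.get("mark_as_read"):
        findings.append("marks as read, suppressing the unread indicator")
    if not rule.get("name", "").strip(".,;:-_ "):
        findings.append("near-empty rule name (common evasion)")
    return findings


def audit_mailbox(rules: list[dict]) -> list[tuple[int, str, list[str]]]:
    """Return (index, name, findings) for every rule that raised at least one finding."""
    return [(i, r.get("name", ""), f) for i, r in enumerate(rules) if (f := audit_rule(r))]


# Constructed sample export: one benign rule, two that should be revoked.
SAMPLE_RULES = [
    {"name": "Team updates", "subject_contains": ["standup"], "move_to_folder": "Meetings"},
    {"name": ".", "subject_contains": ["invoice", "payment"], "delete_message": True,
     "forward_to": ["collector@mail-relay.example.net"], "mark_as_read": True},
    {"name": "Security noise", "subject_contains": ["security alert"],
     "move_to_folder": "RSS Subscriptions"},
]
```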

Phase 4: Eradication — Remove the Footprint Completely

Eradication is the phase most often skipped under time pressure, and the one that most often allows attackers back in.

  • Validate that no persistence mechanisms remain: scheduled tasks, service principals, app passwords, or device registrations the attacker created.
  • Re-image any endpoint that interacted with attacker-supplied tooling. EDR remediation is not a substitute when interactive access occurred.
  • Rotate any credentials potentially exposed: API keys, OAuth client secrets, service-account passwords, signing keys.
  • Hunt for lateral movement using EDR and SIEM queries based on the attacker's known techniques and the MITRE ATT&CK Initial Access (TA0001) and Persistence (TA0003) tactics.
  • Confirm forensic image and log capture before any system rebuild.

Phase 5: Recovery — Restore Operations With Confidence

  • Re-enable accounts only after enrolment in phishing-resistant MFA and a full session reset.
  • Restore endpoints from clean baselines, not from backups taken after the compromise window.
  • Monitor recovered accounts and systems with elevated alerting for at least 30 days.
  • Communicate restoration milestones to internal stakeholders to avoid shadow IT workarounds that re-introduce risk.

Phase 6: Notification — Meet Every Clock

Modern phishing incidents trigger a stack of notification obligations that run in parallel:

  • GDPR Article 33 — notification to the supervisory authority within 72 hours where the breach is "likely to result in a risk" to data subjects.
  • GDPR Article 34 — notification to data subjects "without undue delay" where the risk is high.
  • NIS2 — early warning within 24 hours, full notification within 72 hours, final report within one month for essential and important entities.
  • SEC Form 8-K Item 1.05 — within four business days of materiality determination for US public companies.
  • Sector-specific rules — HIPAA, PCI DSS, FCA / PRA, NYDFS, and others impose their own timelines.
  • Customer contractual obligations — frequently 24–48 hours.
  • Cyber-insurance notice — typically immediately upon awareness of a covered event.

These timelines run from awareness, not from confirmation. Counsel should be engaged by the end of Phase 2 to begin clock management. Failure to notify on time is increasingly the source of separate regulatory penalties on top of the underlying breach.

Phase 7: Lessons Learned — Convert the Incident Into Resilience

A formal post-incident review within two weeks of closure should produce:

  • A factual incident timeline mapped to ATT&CK.
  • A root-cause analysis distinguishing technical, process, and human contributors.
  • A prioritised remediation backlog with named owners and dates.
  • New SIEM detections and SOAR automations covering the techniques observed.
  • Updated training tied to the specific lure type, ideally delivered through a targeted simulation campaign.
  • Evidence pack for the next insurance renewal, including controls added and dwell-time metrics.

Mature programmes track mean time to detect, mean time to contain, and percentage of phishing reports auto-triaged — and trend the numbers quarterly.

Metrics That Prove the Framework Works

A defensible phishing programme is measured, not merely documented. Useful KPIs:

  • Click rate and report rate from phishing simulations, segmented by department.
  • Time from delivery to first report — the leading indicator of awareness.
  • Time from report to containment — the leading indicator of operational readiness.
  • Percentage of accounts on phishing-resistant MFA.
  • Number of OAuth consent grants outstanding above a defined risk threshold.

Boards should see these metrics quarterly. Insurers will increasingly request them at renewal.

Where the Framework Connects to the Rest of the Programme

Phishing response does not exist alone. It feeds and is fed by:

Treat the framework as a living artefact. Version it, exercise it, and update it after every real incident.
