
PHISHBOOK

Phishing Incident Response Playbook — decision trees, enrichment tools, query templates, and escalation criteria across 9 investigation phases.

Initial assessment of the reported email. Review the subject, sender, urgency cues, and any embedded threats. Classify into category and assign severity.

Decision Flow

1. Does the email contain urgent language? → Yes: escalate to phish/BEC
2. Is the sender domain suspicious or newly registered? → Yes: phish
3. Is there a mismatched display name / From address? → Yes: phish
4. Does the email request credential entry or payment? → Yes: BEC or phish
5. If none of the above, classify as spam or benign

Enrichment Tools

Email gateway review
Header analysis tool
Threat intelligence lookup
URL preview

Escalation Triggers

L1: External sender with urgent language, any spoofed display name, unusual attachment type
L2: SPF/DKIM/DMARC failure, known malicious sender domain, URL pointing to credential harvester
L3: Credential harvesting confirmed, malware delivered, multiple users targeted
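Worked example (added here, not part of the playbook): the decision flow and the escalation triggers above as a triage function over a raw EML. The cue patterns, the "payment lure = BEC, other cue = phish" mapping and the sample report are constructed assumptions; it assumes a single-part text body and a standard Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Cue patterns are constructed for this example; tune them to your own tenant's mail.
URGENT = re.compile(r"\b(urgent|immediately|action required|final notice)\b", re.I)
CRED = re.compile(r"\b(verify your (account|password)|enter your (credentials|password))\b", re.I)
PAY = re.compile(r"\b(wire transfer|invoice|payment|bank details)\b", re.I)

def triage(raw_eml, org_domain, bad_domains=frozenset(), recipients=1):
    # Returns (category, escalation tier, sorted cue names) for one reported email.
    msg = message_from_string(raw_eml)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = msg.get("Subject", "") + "\n" + msg.get_payload()  # single-part text body assumed
    auth = msg.get("Authentication-Results", "").lower()
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)  # an address written into the display name
    checks = [
        ("external", sender_domain != org_domain.lower()),
        ("urgent", bool(URGENT.search(text))),                                  # step 1
        ("known_bad_domain", sender_domain in bad_domains),                     # step 2 (feed lookup)
        ("display_mismatch", bool(shown) and shown.group(1).lower() != sender_domain),  # step 3
        ("credential_request", bool(CRED.search(text))),                        # step 4
        ("payment_request", bool(PAY.search(text))),                            # step 4
        ("auth_fail", any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc"))),
    ]
    cues = {name for name, hit in checks if hit}
    # Category: payment lures are treated as BEC, any other positive cue as phish (assumption)
    if "payment_request" in cues:
        category = "BEC"
    elif cues & {"urgent", "known_bad_domain", "display_mismatch", "credential_request"}:
        category = "phish"
    else:
        category = "spam/benign"
    # Tier from the escalation triggers; L3's other conditions need confirmation beyond headers
    if category != "spam/benign" and recipients > 1:
        tier = "L3"
    elif cues & {"auth_fail", "known_bad_domain"}:
        tier = "L2"
    elif "display_mismatch" in cues or cues >= {"external", "urgent"}:
        tier = "L1"
    else:
        tier = "none"
    return category, tier, sorted(cues)
# Constructed sample report: lookalike domain, spoofed display name, failed SPF/DMARC
SAMPLE_EML = """\
From: "it-support@example.com" <helpdesk@examp1e-support.com>
Subject: URGENT: verify your password within 24 hours
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-support.com; dmarc=fail

Your mailbox will be locked. Enter your password at the link below to verify your account.
"""
```

`triage(SAMPLE_EML, "example.com")` returns `('phish', 'L2', [...])`; passing `recipients=3` for the same report lifts it to L3 per the "multiple users targeted" trigger.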

Query Templates

KQL
// Identify phishing emails by common indicators
EmailEvents
| where Timestamp > ago(24h)
| where SenderMailFromDomain != "yourdomain.com"
| where ThreatTypes has "Phish"
| project Timestamp, RecipientEmailAddress, SenderMailFromAddress,
           Subject, ThreatTypes, DetectionMethods
SPL
Suspicious email detection in Splunk (SPL does not accept // comments; field names are case-sensitive, so the stats clause uses the same Subject field the eval reads):
index=email sourcetype=mail
| eval subject_lower=lower(Subject)
| where match(subject_lower, "(urgent|password|verify|account|invoice|payment)")
| stats count by from_addr, Subject, recipient

Key Artifacts

Original email (EML/MSG)
Email headers (full)
Verdict classification