.

Simulated Phishing Response Playbook & Exercise

Quick summary (one-line)

When a suspected phishing email or user report arrives: validate, contain, remove access, investigate, notify, recover, and document — fast and measured.

Triage checklist (first 10–30 minutes)

1. Accept report: Who reported + submitting artifact (email headers, full message, attachments, screenshots).
2. Classify: Phish, credential harvest, malicious attachment, or suspicious link.
3. Immediate containment: If credentials likely exposed, force password reset for affected account(s) and block sender domain/IP.
4. Communication: Inform SOC lead + affected user’s manager. Use short, pre-approved notification (template below).
5. Evidence capture: Preserve original email (headers and full raw source), attachments, downloadable payloads, and relevant logs (mail gateway, EDR, web proxy, auth logs).
6. Begin investigation: Look for follow-on activity (logins, suspicious DNS, outbound connections).

 Detailed response steps

A. Identification & validation

• Extract email headers; determine SMTP source, SPF/DKIM/DMARC pass/fail.
• Check URL(s) by opening in a controlled environment (VM or URL rewriter/sandbox).
• Scan attachments with AV and sandbox detonation.
• Search telemetry for other recipients of same message (mail gateway logs).

B. Containment

• Quarantine the email on the mail gateway.
• Block sender address, domain, and any malicious URLs at the web proxy.
• If user clicked and entered credentials, do immediate forced password reset + MFA push for that account and any accounts using same password.
• If malware downloaded, isolate host from network and initiate EDR investigation.

C. Eradication & recovery

• Remove malicious emails from mailboxes (use safe deletion tools).
• Clean infected hosts (re-image if compromise confirmed).
• Restore files from backups if needed.
• Re-enable services only after validation and root-cause remediation.

D. Notification & reporting

• Internal: SOC, IT ops, InfoSec leadership, HR (if needed), legal (if PII involved), and the affected business unit.
• External: Customers, partners, or regulators only after legal/leadership approves. Use pre-approved external statements.

E. Post-incident

• Conduct an after-action with timeline, root cause, and recommended controls.
• Update the phishing playbook and mail gateway rules.
• Run targeted user training for impacted users.

 Response templates

Internal immediate alert (short)

Subject: [ACTION REQUIRED] Suspected Phishing — [User] / [Ticket#]

Team,

[User] reported a suspected phishing email at [timestamp]. Initial classification: [phishing / credential harvest / malicious attachment]. 
Containment actions taken: [email quarantined / blocked sender / forced password reset for X]. 
Investigation in progress — SOC lead: [name]. Please stand by for updates.

— InfoSec

User-facing notification (if user clicked but no confirmed compromise)

Subject: Security Notice — Potential Phishing Email

Hi [User],

You recently reported a suspicious email sent to your account at [time]. We’ve quarantined the message and reviewed your account activity. At this time, we do not see evidence of account compromise.

Out of caution, please:
1. Change your password now.
2. Confirm you did NOT enter credentials into any webpage linked from that email.
3. If you did enter credentials, reply immediately and we will force a password reset and enable extra checks.

If you notice any unusual activity (password prompts, unexpected multi-factor prompts, or unexpected messages), contact IT immediately.

— Security Team

External statement (short, legal/PR revision required)

We identified a targeted phishing campaign that affected a limited number of employee inboxes. We contained the campaign, reset affected credentials, and are working with authorities where appropriate. No customer systems were accessed. We will provide additional updates as available.

Forensic evidence list (what to collect)

• Raw email source (headers + body) and attachment files.
• Mail gateway logs (message IDs, transport path, delivery decisions).
• EDR alerts and full host forensic images (if malware suspected).
• Authentication logs (success/failure, unusual geolocation, agent).
• Web proxy logs for accessed URLs.
• DNS logs for lookups to suspicious domains.
• Any user-provided screenshots or copies.

 Investigation play sequence (example timeline)

1. 09:00 — User A reports suspicious email & attaches screenshot.
2. 09:05 — SOC extracts raw email; SPF/DKIM failed; domain spoofed.
3. 09:10 — Mail gateway quarantines identical messages for 12 other users.
4. 09:12 — SOC blocks sender domain & associated IPs at perimeter.
5. 09:20 — Search reveals one user clicked a link and submitted credentials to fake page. Credentials used at 09:22 from new IP.
6. 09:25 — Force reset on compromised account; enable MFA; isolate host.
7. 09:40 — Forensic analysis of host shows no malware; further monitoring for lateral activity.
8. 10:00 — User notification sent; IOC list added to detection rules.

Short role-play simulation (exercise)

Scenario: Finance team receives an email “Invoice overdue — pay now” with an attachment “Invoice_123.docx”.
Exercise steps for analyst trainee:

1. Receive user report and capture raw email.
2. Validate sender (SPF/DKIM), scan attachment in sandbox.
3. Block sender & quarantine similar messages.
4. If user opened attachment, check EDR for process spawn; isolate host if necessary.
5. Prepare user notification and incident report.

Expected trainee actions (checklist):

• Collected headers and attachment ✔
• Searched for other recipients ✔
• Quarantined message and blocked domain ✔
• Forced reset if credential exposure discovered ✔
• Wrote incident summary and recommendations ✔

Grading rubric (for the drill)

• Evidence collection (30%): Raw headers, mail gateway search, attachments saved.
• Containment speed (20%): Sender blocked, messages quarantined, account resets performed.
• Forensics (20%): EDR/log review, host isolation when needed, IOC extraction.
• Communication (15%): Clear internal and user notifications sent with next steps.
• Post-action (15%): Remediation tasks, playbook updates, follow-up training scheduled.

Pass: ≥ 75%

Suggested improvements & mitigations (controls)

• Enforce MFA everywhere possible.
• Implement URL-wrapping / time-of-click protection in email gateway.
• Tighten SPF/DKIM/DMARC and reject failing mail.
• Train users with simulated phishing campaigns and immediate feedback.
• Monitor for unusual password resets or login patterns (UEBA).
• Implement least-privilege and segmentation to limit lateral movement.

Short incident report template (one page)

Incident ID:
Date/time reported:
Reporter:
Summary:
Classification (phish/credential harvest):
Affected users/accounts:
Containment actions:
Forensic findings:
Impact assessment:
Remediation actions completed:
Open actions / follow-ups:
Lessons learned:

If you want, I can:

• Turn the role-play into a timed lab with exact logs and a red-team email (realistic headers + malicious URL) you can hand to trainees; or
• Produce a polished slide deck of this playbook for training; or
• Generate an automated SOC playbook in (pseudo)JSON or a runbook format for your ticketing/SOAR tool.