Anatomy of a Phishing Incident

Most intrusions still start with someone clicking a link. This is a sanitised walk-through of a credential-phishing case and the timeline that mattered.
The timeline
Incident response lives and dies by an accurate timeline. Reconstruct it before you theorise:
- 08:42 — user reports a “mailbox full” email
- 08:55 — same template seen by twelve other recipients
- 09:10 — one set of credentials submitted to the fake portal
- 09:13 — successful logon from a foreign ASN
The goal of triage is not to find everything. It is to answer one question fast: did anything actually succeed?
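Building that timeline is mostly normalisation work, because every source stamps time differently. The following Python is an added example (not the author's own tooling) that merges constructed mail-gateway, proxy and identity-provider records into one ordered timeline and then answers the triage question by looking for a credential submission followed by a successful logon from an ASN the organisation does not normally use. The host names, ASNs, the incident year and the assumption that the proxy's syslog timestamps are UTC are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INCIDENT_YEAR = 2024  # assumption: syslog lines carry no year, so take it from the case

# Constructed sample telemetry, one list per source. The timestamp formats differ
# on purpose; reconciling them is the work a real timeline always needs.
MAIL_GATEWAY = [  # (ISO-8601 UTC, recipient, subject)
    ("2024-03-04T08:41:07Z", "alice@corp.example", "Your mailbox is full"),
    ("2024-03-04T08:41:09Z", "bob@corp.example", "Your mailbox is full"),
    ("2024-03-04T08:41:12Z", "carol@corp.example", "Your mailbox is full"),
]
PROXY = [  # (syslog-style time, assumed UTC; user; method; host)
    ("Mar  4 09:05:44", "alice", "GET", "login-corp-example.com"),
    ("Mar  4 09:10:02", "bob", "POST", "login-corp-example.com"),
    ("Mar  4 09:12:30", "carol", "POST", "login-corp-example.com"),
]
IDP = [  # (epoch seconds, user principal, result, source ASN)
    (1709543580, "bob@corp.example", "success", "AS64500"),
    (1709544000, "carol@corp.example", "success", "AS64496"),
    (1709544060, "bob@corp.example", "failure", "AS64500"),
]
PHISHING_HOSTS = {"login-corp-example.com"}  # the fake portal identified in triage
HOME_ASNS = {"AS64496"}  # where the organisation's own egress normally appears


@dataclass(order=True)
class Event:
    ts: datetime
    source: str
    user: str      # normalised to the local part so the sources can be joined
    kind: str
    detail: str


def _syslog_ts(s):
    # Syslog has neither year nor zone; both are assumptions declared above.
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S").replace(
        year=INCIDENT_YEAR, tzinfo=timezone.utc)


def build_timeline():
    """Normalise every source into Event objects and return them in time order."""
    events = []
    for ts, rcpt, subj in MAIL_GATEWAY:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, "mail", rcpt.split("@")[0], "delivery", subj))
    for ts, user, method, host in PROXY:
        kind = "cred_submit" if method == "POST" and host in PHISHING_HOSTS else "browse"
        events.append(Event(_syslog_ts(ts), "proxy", user, kind, f"{method} {host}"))
    for ts, upn, result, asn in IDP:
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
        events.append(Event(when, "idp", upn.split("@")[0], f"logon_{result}", asn))
    return sorted(events)


def confirmed_compromises(timeline, home_asns=HOME_ASNS, window=timedelta(minutes=30)):
    """Credential submission followed, within the window, by a successful logon
    for the same user from an ASN that is not one of ours."""
    hits = []
    for i, ev in enumerate(timeline):
        if ev.kind != "cred_submit":
            continue
        for later in timeline[i + 1:]:
            if later.ts - ev.ts > window:
                break
            if (later.user == ev.user and later.kind == "logon_success"
                    and later.detail not in home_asns):
                hits.append({"user": ev.user, "submitted": ev.ts,
                             "logon": later.ts, "asn": later.detail})
                break
    return hits


if __name__ == "__main__":
    tl = build_timeline()
    for ev in tl:
        print(ev.ts.strftime("%H:%M:%S"), ev.source.ljust(5), ev.user.ljust(6), ev.kind, ev.detail)
    print("confirmed:", confirmed_compromises(tl))
```

Carol also submitted credentials, but her only logon afterwards comes from the home ASN, so she lands in the "reset the password anyway" pile rather than the "confirmed foreign logon" pile; the split is exactly what the one-question triage needs.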
Pulling the headers
Start with the raw message. Authentication results separate spoofs from look-alike domains:
```sh
# Extract the relevant authentication headers from a saved .eml
grep -iE 'authentication-results|received-spf|dkim|return-path|^from:' message.eml
```
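Once the headers are out, the decision is mechanical: a message whose From domain is one of ours but fails SPF/DKIM/DMARC is a spoof, while a message that authenticates cleanly for a domain that merely resembles ours is a look-alike. The Python below is an added example, not the author's script, that parses `Authentication-Results` with the standard library `email` package and makes that call for two constructed messages; `corp.example`, `corp-example.com` and the similarity threshold in `looks_like` are assumptions of the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"corp.example"}  # assumption: the organisation's own sending domains

# Constructed messages; only the headers matter for this check.
SPOOF_EML = """\
Return-Path: <bounce@bulk-mailer.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=bulk-mailer.example; dkim=none; dmarc=fail action=quarantine header.from=corp.example
From: "IT Support" <it-support@corp.example>
To: alice@corp.example
Subject: Your mailbox is full

Your mailbox is over quota. Sign in to free up space.
"""

LOOKALIKE_EML = """\
Return-Path: <it-support@corp-example.com>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp-example.com; dkim=pass header.d=corp-example.com; dmarc=pass header.from=corp-example.com
From: "IT Support" <it-support@corp-example.com>
To: bob@corp.example
Subject: Your mailbox is full

Your mailbox is over quota. Sign in to free up space.
"""


def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def parse_auth_results(msg):
    """Return {method: verdict} from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # The first ';'-separated field is the authserv-id; the rest are
        # "method=verdict extra..." clauses.
        for clause in str(hdr).split(";")[1:]:
            method, _, rest = clause.strip().partition("=")
            if method and rest:
                results[method.lower()] = rest.split()[0].lower()
    return results


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(candidate, trusted):
    """Heuristic: drop punctuation so corp-example.com compares against corpexample."""
    strip = lambda d: re.sub(r"[^a-z0-9]", "", d)
    c, t = strip(candidate), strip(trusted)
    return c != t and (levenshtein(c, t) <= 2 or c.startswith(t))


def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(str(msg.get("From", "")))
    rp_dom = domain_of(str(msg.get("Return-Path", "")))
    auth = parse_auth_results(msg)
    aligned = auth.get("dmarc") == "pass" or (
        auth.get("spf") == "pass" and auth.get("dkim") == "pass")
    if from_dom in TRUSTED_DOMAINS:
        verdict = "authentic" if aligned else "spoof"
    elif any(looks_like(from_dom, t) for t in TRUSTED_DOMAINS):
        verdict = "look-alike"
    else:
        verdict = "unrelated"
    return {"verdict": verdict, "from_domain": from_dom, "return_path_domain": rp_dom,
            "envelope_mismatch": from_dom != rp_dom, "auth": auth}


if __name__ == "__main__":
    for raw in (SPOOF_EML, LOOKALIKE_EML):
        print(classify(raw))
```

The distinction drives containment: a spoof of your own domain is a DMARC-policy and mail-gateway problem, whereas a look-alike that passes every check will sail through authentication forever and has to be blocked by domain and URL, which is why the checklist below lists both.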
Containment checklist
| Action | Owner | When |
|---|---|---|
| Revoke active sessions | IT / IAM | immediately |
| Force password reset | IT / IAM | immediately |
| Block sender + URL | Mail / proxy | within 1h |
| Hunt for inbox rules | SOC | same day |
Attackers often create a hidden inbox rule to auto-delete replies and hide their tracks. Always check for new rules — closing the front door means nothing if a window is still open.
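What "hunt for inbox rules" looks like in practice is a short scoring pass over every rule in the affected mailbox. The Python below is an added example, not something from the original post, that flags the patterns worth a second look: rules that delete, rules that park mail in folders nobody reads, rules that forward outside the organisation, and rules keyed on words like "password" or "suspicious". The rule objects are constructed to resemble Microsoft Graph `messageRule` records, with one assumption: `moveToFolder` holds a folder name here for readability rather than Graph's opaque folder id, and `corp.example` is an assumed internal domain.

```python
INTERNAL_DOMAIN = "corp.example"  # assumption: the organisation's own mail domain

# Folders users seldom open; parking mail here hides it nearly as well as deleting it.
HIDEAWAY_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                    "archive", "junk email", "deleted items"}
# Terms an intruder filters on to suppress warnings, replies and payment chatter.
SUPPRESSION_TERMS = {"password", "hacked", "phish", "suspicious", "security",
                     "unusual sign-in", "mfa", "helpdesk", "invoice", "payment"}

# Constructed sample rules shaped like Graph messageRule objects.
RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"fromAddresses": ["news@vendor.example"]},
     "actions": {"moveToFolder": "Newsletters", "markAsRead": True}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["password", "suspicious", "hacked"]},
     "actions": {"delete": True, "markAsRead": True, "stopProcessingRules": True}},
    {"displayName": "Finance", "isEnabled": True,
     "conditions": {"bodyContains": ["invoice"]},
     "actions": {"forwardTo": ["ap-team@outlook-mail.example"], "moveToFolder": "RSS Feeds"}},
    {"displayName": "Old filter", "isEnabled": False,
     "conditions": {"subjectContains": ["password"]},
     "actions": {"delete": True}},
]


def suspicious_reasons(rule, internal_domain=INTERNAL_DOMAIN):
    """Return a list of human-readable reasons; empty means nothing stood out."""
    reasons = []
    conditions = rule.get("conditions", {})
    actions = rule.get("actions", {})
    name = (rule.get("displayName") or "").strip()
    if len(name) <= 1:
        reasons.append("blank or single-character rule name")
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes matching mail")
    folder = (actions.get("moveToFolder") or "").lower()
    if folder in HIDEAWAY_FOLDERS:
        reasons.append(f"moves mail to seldom-viewed folder '{actions['moveToFolder']}'")
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for addr in actions.get(key, []):
            if not addr.lower().endswith("@" + internal_domain):
                reasons.append(f"{key} sends to external address {addr}")
    terms = {t.lower() for k in ("subjectContains", "bodyContains")
             for t in conditions.get(k, [])}
    hits = sorted(terms & SUPPRESSION_TERMS)
    if hits:
        reasons.append("filters on warning/reply terms: " + ", ".join(hits))
    return reasons


def hunt_inbox_rules(rules):
    """Score enabled rules and return the flagged ones, most suspicious first."""
    flagged = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue  # disabled rules still deserve a glance, but cannot hide mail now
        reasons = suspicious_reasons(rule)
        if reasons:
            flagged.append({"name": rule.get("displayName"),
                            "score": len(reasons), "reasons": reasons})
    return sorted(flagged, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in hunt_inbox_rules(RULES):
        print(f"[{f['score']}] {f['name']!r}")
        for r in f["reasons"]:
            print("   -", r)
```

Run this against every mailbox whose credentials were submitted, not just the one with the confirmed foreign logon, and pair it with the audit log so you also learn when each rule was created relative to the timeline.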