/en/tags/phishing/Recent content in Phishing on Suspicious BytesHugoen-USThu, 21 May 2026 00:00:00 +0000/en/posts/anatomy-of-a-phishing-incident/Thu, 21 May 2026 00:00:00 +0000/en/posts/anatomy-of-a-phishing-incident/<p>Most intrusions still start with someone clicking a link. This is a sanitised walk-through of a credential-phishing case and the timeline that mattered.</p> <h2 id="the-timeline">The timeline</h2> <p>Incident response lives and dies by an accurate timeline. Reconstruct it before you theorise:</p> <ol> <li><strong>08:42</strong> — user reports a &ldquo;mailbox full&rdquo; email</li> <li><strong>08:55</strong> — same template seen by twelve other recipients</li> <li><strong>09:10</strong> — one set of credentials submitted to the fake portal</li> <li><strong>09:13</strong> — successful logon from a foreign ASN</li> </ol> <blockquote> <p>The goal of triage is not to find everything. It is to answer one question fast: did anything actually succeed?</p>