Phishing Attack Response Steps

Block the phishing URL and the sender's email address on firewalls and endpoint antivirus. Run a search to identify the users who received or opened the malicious email and purge it from all mailboxes. Reset the affected users' passwords, log them out of active sessions, and notify them to set up multi-factor authentication. Additionally, delete suspicious inbox and forwarding rules, search for outbound email from the compromised accounts, and alert external clients who may have received malicious messages.

Uploaded by SatM
© All Rights Reserved
How to Respond to a Phishing Attack?
What to do right after your end users have been hit by a phishing email:

1. Block the phishing URL on firewalls, web proxies and endpoint AV/EDR.
2. Block the sender's email address (and the sending domain, unless it is a well-known provider that legitimate mail also comes from).
3. Run an email compliance search to return the list of users who received or opened the email. This list drives every step that follows.
4. Purge the malicious email from all mailboxes it reached.
5. Reset the affected users' passwords and log them out of all active sessions (based on the report from step 3):
   - If a small subset of users is affected:
     - Reach out to each affected user by phone to reset the password.
     - If a user reaches out first, confirm their identity by calling them back on the phone number on record; never reset a password on the strength of an inbound call alone.
   - If the affected pool is larger:
     - Reset the affected users' passwords with the "change on login" (force change at next sign-in) option and export the list of generated passwords. Notify a supervisor by phone with the list of affected users and generated passwords, and prompt the users with a message on their computers. Treat the exported list as sensitive: deliver it out of band, never by email to the mailboxes that were just compromised, and delete it once the users have changed their passwords.
6. Search the affected mailboxes for inbox rules and mailbox-level forwarding and delete anything suspicious:
   - rules that forward or redirect mail to external domains;
   - rules that move, delete or block messages (attackers use these to hide password-reset notices and replies to the mail they send from the account);
   - check the creation date and the rule description against the suspicious actions above. Attacker-created rules usually have short, meaningless names (a single character, a dot, a blank) and were created at the time of the compromise, so it is normally easy to tell that they were created by a script and not by a human.
7. Search for mail sent out from the possibly compromised accounts (a message trace covering the window since the compromise):
   - Instruct the affected users to reach out to the recipients by email and phone to warn them about malicious emails that may have been sent from their accounts.
8. Turn on MFA for the compromised accounts and give the users a guide so they get properly set up.
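The procedure above, scripted for Exchange Online / Microsoft 365 in PowerShell, as an added example that is not part of the original one-pager. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the operator holds the Exchange, Compliance and User Administrator roles; the sender address, URL, subject, internal domain and output file names are placeholders. Step 8 (MFA) is enforced through a Conditional Access policy or the admin center and is not scripted here.

```powershell
# Added example (not from the original checklist): steps 1-7 for Exchange Online / Microsoft 365.
# Placeholders below must be replaced with the values taken from the reported message.
$Sender   = 'billing@phishing-sender.example'      # placeholder: From: address of the reported mail
$Url      = 'phishing-site.example/login/*'        # placeholder: landing page (Tenant Allow/Block List URL syntax, no scheme)
$Subject  = 'Overdue invoice #4471'                # placeholder: subject of the reported mail
$Internal = @('corp.example')                      # placeholder: your accepted (internal) domains
$Tag      = 'IR-phish-' + (Get-Date -Format 'yyyyMMdd-HHmm')

Connect-ExchangeOnline
Connect-IPPSSession     # Security & Compliance endpoint, needed for the compliance search cmdlets

# Steps 1-2: block the URL and the sender tenant-wide in the Tenant Allow/Block List.
New-TenantAllowBlockListItems -ListType Url    -Entries $Url    -Block -NoExpiration -Notes $Tag
New-TenantAllowBlockListItems -ListType Sender -Entries $Sender -Block -NoExpiration -Notes $Tag

# Step 3: compliance search for every mailbox that received the message (the search runs asynchronously).
$query = "from:`"$Sender`" AND subject:`"$Subject`""
New-ComplianceSearch -Name $Tag -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $Tag
do { Start-Sleep -Seconds 30; $search = Get-ComplianceSearch -Identity $Tag }
while ($search.Status -ne 'Completed')
# SuccessResults is a string of "Location: <mailbox>, Item count: <n>, Total size: <bytes>" entries.
$Affected = [regex]::Matches($search.SuccessResults, 'Location: (\S+), Item count: (\d+)') |
    Where-Object { [int]$_.Groups[2].Value -gt 0 } |
    ForEach-Object { $_.Groups[1].Value }
$Affected | Set-Content "$Tag-affected-users.txt"

# Step 4: purge the message from those mailboxes. SoftDelete keeps a recoverable copy for forensics;
# one purge action removes at most 10 items per mailbox, so rerun it if any item count was higher.
New-ComplianceSearchAction -SearchName $Tag -Purge -PurgeType SoftDelete -Confirm:$false

# Step 5: reset passwords with "change at next sign-in" and revoke every session / refresh token.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All', 'User.RevokeSessions.All'
$Chars = [char[]]((48..57) + (65..90) + (97..122))          # digits and letters for temporary passwords
foreach ($upn in $Affected) {
    $temp = -join (Get-Random -InputObject $Chars -Count 16)
    Update-MgUser -UserId $upn -PasswordProfile @{ Password = $temp; ForceChangePasswordNextSignIn = $true }
    Revoke-MgUserSignInSession -UserId $upn | Out-Null
    # The CSV goes to the supervisor out of band (step 5b); it is never mailed to the reset mailboxes.
    [pscustomobject]@{ User = $upn; TempPassword = $temp } |
        Export-Csv "$Tag-temp-passwords.csv" -Append -NoTypeInformation
}

# Step 6: inbox rules and mailbox-level forwarding.
$InternalRx = '@(' + (($Internal | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
foreach ($upn in $Affected) {
    Get-InboxRule -Mailbox $upn | ForEach-Object {
        $rule = $_
        # ForwardTo / RedirectTo render as '"Name" [SMTP:addr]'; pull the addresses out of the strings.
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            ForEach-Object { [regex]::Matches("$_", '[\w.+-]+@[\w.-]+') } |
            ForEach-Object { $_.Value }
        $external = @($targets | Where-Object { $_ -notmatch $InternalRx })
        $hides    = $rule.DeleteMessage -or ($null -ne $rule.MoveToFolder)
        $botName  = $rule.Name -match '^[\W\d_]{0,3}$'   # heuristic: names like ".", "..", "1" or blank
        if ($external.Count -gt 0 -or $hides -or $botName) {
            "$upn | $($rule.Name) | $($rule.Description)" | Tee-Object "$Tag-rules.log" -Append
            Remove-InboxRule -Mailbox $upn -Identity $rule.Identity -Confirm:$false
        }
    }
    # Creation time and creator of each rule come from the unified audit log, not from Get-InboxRule.
    Search-UnifiedAuditLog -UserIds $upn -Operations 'New-InboxRule', 'Set-InboxRule' `
        -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
        Select-Object CreationDate, UserIds, Operations, AuditData |
        Export-Csv "$Tag-rule-audit-$($upn -replace '[^\w.@-]', '_').csv" -NoTypeInformation
    # Mailbox-level forwarding is separate from inbox rules and is cleared explicitly.
    Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
}

# Step 7: what did the compromised accounts send? Message trace covers the last 10 days only.
foreach ($upn in $Affected) {
    Get-MessageTrace -SenderAddress $upn -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) |
        Select-Object Received, RecipientAddress, Subject, Status |
        Export-Csv "$Tag-sent-by-$($upn -replace '[^\w.@-]', '_').csv" -NoTypeInformation
}
```

The per-incident `$Tag` ties the block-list entries, search, purge and every exported file to one case so they can be reviewed or rolled back together. The rule triage flags three things: any forward or redirect to an address outside `$Internal`, any rule that deletes or moves mail, and the short nonsense names that scripted attacks tend to use; the unified audit log export supplies the creation date the checklist asks for. Sessions are revoked immediately after the reset because a password change on its own does not invalidate tokens the attacker already holds.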

For more details on each step, please refer to the Phishing Response Guide.
