Corporate Phishing Incident Response Plan
A documented incident response (IR) plan reduces the average cost of a data breach by $2.66 million according to IBM’s 2024 Cost of a Data Breach Report. For phishing — the most common initial attack vector — having a rehearsed, step-by-step plan is the difference between a contained incident and a catastrophic breach. NIST SP 800-61 Revision 3, finalized in April 2025, provides the updated framework that every organizational plan should build on.
Why Phishing Needs Its Own IR Playbook
Generic incident response plans cover phishing as one scenario among many. But phishing accounts for the majority of initial compromises, involves unique human factors, and follows a predictable attack chain that enables specific countermeasures. A dedicated phishing IR playbook allows faster triage, clearer escalation paths, and better metrics.
The Phishing Incident Response Lifecycle
NIST SP 800-61r3 aligns incident response with the Cybersecurity Framework 2.0 functions: Govern, Identify, Protect, Detect, Respond, and Recover. The six phases below walk through the response lifecycle and show how each applies to phishing.
Phase 1: Preparation
Preparation determines response speed. Before the first phishing email arrives:
Technical preparation:
- Deploy email authentication (DMARC/SPF/DKIM) at enforcement level
- Configure email gateway with URL sandboxing and attachment detonation
- Enable MFA on all accounts, preferably phishing-resistant (FIDO2/passkeys)
- Establish centralized logging for email, authentication, and endpoint activity
- Deploy a phishing report button in all email clients
Human preparation:
- Designate a phishing triage team with clear on-call rotation
- Create escalation criteria (when does a phishing report become an incident?)
- Train all employees on recognition and reporting through phishing simulation
- Pre-establish communication templates for incident notifications
- Conduct quarterly tabletop exercises focused on phishing scenarios
Phase 2: Detection and Analysis
Detection starts when a phishing email is reported by a user or flagged by automated systems.
Triage checklist (target: under 15 minutes):
- Examine email headers for authentication results (SPF/DKIM/DMARC)
- Analyze URLs using sandbox tools (VirusTotal, URLScan.io)
- Check attachment hashes against threat intelligence feeds
- Determine if anyone clicked the link or opened the attachment
- Search mail logs for the same sender/subject/URL across the organization
- Classify severity:
| Severity | Criteria | Response Time |
|---|---|---|
| Low | Reported but no one clicked | Same business day |
| Medium | One or more users clicked but did not enter credentials | Within 2 hours |
| High | Credentials entered or malware executed | Within 30 minutes |
| Critical | Multiple compromised accounts or active data exfiltration | Immediate |
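The header check and the severity table above, turned into triage code. This is an added example, not part of the original plan: the Authentication-Results header is a constructed sample with illustrative domains, and the Triage field names are hypothetical placeholders for whatever the triage team records.

```python
import re
from dataclasses import dataclass

# Constructed Authentication-Results header (illustrative domains, not real indicators).
SAMPLE_AUTH_RESULTS = (
    "Authentication-Results: mx.example.com; "
    "spf=fail smtp.mailfrom=invoices@examp1e-payroll.test; "
    "dkim=none; dmarc=fail (p=NONE) header.from=examp1e-payroll.test"
)

# Response-time targets from the severity table.
RESPONSE_TIME = {
    "Low": "Same business day",
    "Medium": "Within 2 hours",
    "High": "Within 30 minutes",
    "Critical": "Immediate",
}

def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        verdicts[mech] = m.group(1).lower() if m else "missing"
    return verdicts

def auth_failures(header: str) -> list:
    """Mechanisms that did not pass; all three failing is a strong phishing signal."""
    return [m for m, v in parse_auth_results(header).items() if v != "pass"]

@dataclass
class Triage:
    """Facts gathered during the 15-minute triage (hypothetical field names)."""
    clicked_users: int = 0          # users who clicked the link or opened the attachment
    credentials_entered: bool = False
    malware_executed: bool = False
    compromised_accounts: int = 0
    active_exfiltration: bool = False

def classify(t: Triage) -> tuple:
    """Apply the severity criteria top-down so the most severe match wins."""
    if t.compromised_accounts > 1 or t.active_exfiltration:
        sev = "Critical"
    elif t.credentials_entered or t.malware_executed:
        sev = "High"
    elif t.clicked_users > 0:
        sev = "Medium"
    else:
        sev = "Low"
    return sev, RESPONSE_TIME[sev]
```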
Phase 3: Containment
Containment speed directly correlates with breach cost. IBM found that breaches contained in under 200 days cost $1.02 million less than those taking longer.
Immediate containment actions:
- Block the sender domain/address at the email gateway
- Block the phishing URL at the web proxy and DNS filter
- Quarantine unread copies of the phishing email from all inboxes
- Disable compromised accounts and force password resets
- Revoke active sessions and OAuth tokens for compromised accounts
- Check for email forwarding rules added by attackers
Network containment:
- Isolate endpoints showing indicators of compromise
- Block command-and-control (C2) IP addresses and domains at the firewall
- Monitor for lateral movement using endpoint detection and response (EDR)
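A detection pass for the "check for email forwarding rules added by attackers" step. This is an added example, not part of the original plan: the audit events are constructed in a simplified, hypothetical JSON shape, and the corporate domain example.com is assumed; a real deployment would map the field names to the mail platform's own rule-change audit log.

```python
import json

INTERNAL_DOMAIN = "example.com"   # assumed corporate mail domain

# Constructed audit events in a simplified, hypothetical JSON shape; real mail
# platforms log rule changes with similar but platform-specific field names.
SAMPLE_EVENTS = [
    '{"user":"alice@example.com","op":"New-InboxRule","name":"Archive old","forward_to":"","move_to":"Archive","delete":false,"keywords":[]}',
    '{"user":"bob@example.com","op":"New-InboxRule","name":".","forward_to":"bob.backup@webmail.test","move_to":"","delete":false,"keywords":[]}',
    '{"user":"carol@example.com","op":"Set-InboxRule","name":"clean","forward_to":"","move_to":"RSS Feeds","delete":false,"keywords":["password","suspicious sign-in"]}',
    '{"user":"dave@example.com","op":"New-InboxRule","name":"Team","forward_to":"team@example.com","move_to":"","delete":false,"keywords":[]}',
    '{"user":"erin@example.com","op":"Remove-InboxRule","name":"Team","forward_to":"","move_to":"","delete":false,"keywords":[]}',
]

# Terms in security notifications whose suppression by an inbox rule warrants review.
SECURITY_TERMS = ("password", "phish", "suspicious", "hacked", "security alert")
# Folders users rarely open, so messages moved there are effectively hidden.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history"}

def analyze_rule(event_json: str) -> list:
    """Return a list of findings for one rule-change event (empty = benign)."""
    e = json.loads(event_json)
    if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
        return []
    findings = []
    fwd = e.get("forward_to", "").lower()
    if fwd and not fwd.endswith("@" + INTERNAL_DOMAIN):
        findings.append("forwards-externally")
    hides = e.get("delete") or e.get("move_to", "").lower() in HIDDEN_FOLDERS
    keywords = " ".join(e.get("keywords", [])).lower()
    if hides and any(term in keywords for term in SECURITY_TERMS):
        findings.append("hides-security-warnings")
    if len(e.get("name", "").strip()) <= 1:
        findings.append("single-character-name")
    return findings

def flagged_users(events: list) -> dict:
    """Map each user whose new or changed rule raised findings to those findings."""
    out = {}
    for ev in events:
        f = analyze_rule(ev)
        if f:
            out[json.loads(ev)["user"]] = f
    return out
```

Internal forwards (dave) and rule removals (erin) pass; every flagged user becomes a candidate for the session-revocation and password-reset steps above.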
Phase 4: Eradication
Once contained, remove the threat completely:
- Delete all instances of the phishing email from mail systems
- Remove malware from affected endpoints (reimage if necessary)
- Delete unauthorized accounts, forwarding rules, and OAuth applications
- Patch any vulnerabilities exploited during the attack
- Update email filtering rules to detect variations of the attack
- Share indicators of compromise (IOCs) with your information sharing community
Phase 5: Recovery
Restore normal operations with enhanced monitoring:
- Re-enable accounts with new credentials and verified MFA
- Restore systems from clean backups if compromised
- Increase logging verbosity on previously affected systems for 30 days
- Monitor for re-compromise attempts using the same or similar TTPs
- Confirm that business operations have fully resumed
Phase 6: Post-Incident Activity
Post-incident review transforms each phishing incident into organizational improvement.
Conduct a lessons-learned meeting within 5 business days:
- What was the attack vector and technique?
- How was it detected? (User report, automated detection, or both?)
- What was the time-to-detection and time-to-containment?
- What controls failed? What controls worked?
- What changes would improve the response?
Update documentation:
- Revise the IR playbook based on lessons learned
- Update detection rules and email filtering policies
- Adjust security awareness training to address the specific technique used
- File reports with IC3, CISA, and relevant sector ISACs
Metrics That Matter
Track these key performance indicators to measure and improve your phishing IR capability:
| Metric | Target | Why It Matters |
|---|---|---|
| Mean time to detect (MTTD) | Under 5 minutes | Faster detection = less exposure |
| Mean time to contain (MTTC) | Under 60 minutes | Containment speed drives breach cost |
| Phishing report rate | Over 70% | Measures employee awareness |
| False positive rate | Under 30% | Excessive false positives cause alert fatigue |
| Repeat click rate | Under 3% | Measures training effectiveness |
Scaling for Small Businesses
Small businesses without dedicated security teams can still implement effective phishing IR. See our small business phishing guide for scaled-down procedures. Key adaptations:
- Designate one person as the phishing point of contact
- Use cloud email provider built-in protections (Microsoft Defender, Google Workspace security)
- Establish a relationship with a managed security service provider (MSSP) for incident support
- Keep a one-page quick-response card posted at every workstation
Key Takeaways
- A documented phishing IR plan reduces average breach costs by $2.66 million
- The six-phase lifecycle (prepare, detect, contain, eradicate, recover, review) provides complete coverage
- Severity classification enables proportional response and resource allocation
- Post-incident review is mandatory — it transforms every incident into improved defense
- Even small businesses can implement effective phishing IR with scaled-down procedures
For the comprehensive phishing defense overview, see our phishing recognition and reporting guide.
Sources
- NIST SP 800-61 Rev. 3: Incident Response Recommendations
- CISA Phishing Guidance: Stopping the Attack Cycle at Phase One
- FBI IC3 2024 Internet Crime Report
Security education disclaimer: This article discusses incident response procedures for educational purposes. Organizations should adapt these guidelines to their specific environment, regulatory requirements, and risk profile. Consult a qualified cybersecurity professional for implementation.