Phishing Investigation and Response
This playbook investigates and remediates phishing emails with Admin approval.
How to Implement
This playbook examines the artifacts from an ingested email and performs various reputation checks against the data present. Additional decisions are triggered if further contextual data is needed, for example detonating an attachment in a sandbox if a file reputation lookup returns no information. Ultimately, the playbook prompts an analyst with the output from the reputation lookups and lets them decide whether or not the email should be deleted.
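The flow described above, as an added Python sketch that is not the playbook's own code. The sample email, the in-memory reputation table and all function names are constructed for illustration; they stand in for the reputation lookups, sandbox decision and approval prompt.

```python
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a user-forwarded message (not real data).
RAW_EMAIL = """\
From: "IT Support" <helpdesk@example.net>
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset your password at http://login.example.org/reset today.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

SGVsbG8gd29ybGQ=
--b1--
"""

# Hypothetical stand-in for reputation services: indicator -> verdict.
REPUTATION = {"login.example.org": "malicious", "example.net": "unknown"}

def extract_artifacts(raw):
    msg = message_from_string(raw)
    art = {"domains": {parseaddr(msg["From"])[1].split("@")[1]}, "files": {}}
    for part in msg.walk():
        if part.get_filename():  # attachment: record its SHA-256
            data = part.get_payload(decode=True)
            art["files"][part.get_filename()] = hashlib.sha256(data).hexdigest()
        elif part.get_content_type() == "text/plain":  # body: collect URL hosts
            art["domains"] |= set(re.findall(r"https?://([^/\s]+)", part.get_payload()))
    return art

def triage(raw, reputation=REPUTATION):
    art = extract_artifacts(raw)
    verdicts = {d: reputation.get(d, "unknown") for d in sorted(art["domains"])}
    # No file reputation result -> queue the attachment for sandbox detonation.
    detonate = [n for n, h in art["files"].items() if h not in reputation]
    return {"verdicts": verdicts, "detonate": detonate,
            "action": "prompt_analyst"}  # the analyst always sees the results

def respond(analyst_approved):
    # The email is deleted only after the analyst approves.
    return "delete_email" if analyst_approved else "no_action"
```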
How To Respond
A phishing investigation in Phantom is typically triggered by ingesting emails from a specific inbox that users can forward suspicious emails to. This playbook can also be used with email gateways to investigate the output of any suspicious emails.
Phishing Investigation and Response Help
Deploy Phantom and work with your technical team to deploy this playbook.