Phishing Investigation and Response


This playbook investigates and remediates phishing emails with Admin approval.


Use Case

Security Monitoring, Advanced Threat Detection, SOC Automation


Account Compromise, Adversary Tactics, Phishing

Security Impact

Phishing emails can be detrimental to an organization if not detected. Investigating each email can be time-consuming, as an analyst may need to examine not only the body of the email but also the attachments and any users who may have received it. By automating the investigation, analysts can respond much faster to these attacks.

Alert Volume

Very Low


Stage 5

Data Sources


How to Implement

This playbook examines the artifacts from an ingested email and performs various reputation checks against the data present. Additional decisions are triggered if further contextual data is needed, for example detonating an attachment in a sandbox if a file reputation lookup returns no information. Ultimately, this playbook prompts an analyst with the output from the reputation lookups and lets them decide whether or not the email should be deleted.
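The decision flow described above, sketched as an added example in plain Python. It is not the playbook's own code and does not use the Phantom API; the lookup, sandbox, approval and delete callables and all sample values are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Email:
    message_id: str
    urls: list
    attachment_hashes: list

@dataclass
class Finding:
    artifact: str
    source: str   # which check produced the verdict
    verdict: str

Lookup = Callable[[str], Optional[str]]  # returns None when nothing is known

def investigate(email, url_rep: Lookup, file_rep: Lookup, detonate: Lookup):
    """Run reputation checks; detonate only attachments with no reputation data."""
    findings = [Finding(u, "url_reputation", url_rep(u) or "unknown") for u in email.urls]
    for h in email.attachment_hashes:
        verdict, source = file_rep(h), "file_reputation"
        if verdict is None:  # no information returned: fall back to the sandbox
            verdict, source = detonate(h), "sandbox"
        findings.append(Finding(h, source, verdict or "unknown"))
    return findings

def respond(email, findings, approve, delete):
    """Present the findings to the analyst; delete only on explicit approval."""
    summary = "\n".join(f"{f.verdict:9} {f.source:15} {f.artifact}" for f in findings)
    if approve(f"Delete {email.message_id}?\n{summary}"):
        delete(email.message_id)
        return "deleted"
    return "kept"

# Constructed sample data standing in for real reputation and sandbox services.
URL_DB = {"http://login.example.test/reset": "malicious"}
FILE_DB = {"hash-known-bad": "malicious"}  # "hash-unseen" is deliberately absent
SANDBOX = {"hash-unseen": "benign"}

def demo(analyst_approves):
    email = Email("<msg-001@example.test>", ["http://login.example.test/reset"],
                  ["hash-known-bad", "hash-unseen"])
    deleted = []
    findings = investigate(email, URL_DB.get, FILE_DB.get, SANDBOX.get)
    outcome = respond(email, findings, lambda prompt: analyst_approves, deleted.append)
    return findings, outcome, deleted

if __name__ == "__main__":
    print(demo(analyst_approves=False)[1])
```

Recording the source of each verdict lets the analyst see which attachments were judged by reputation data and which only by sandbox detonation before approving a deletion.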

How to Respond

A phishing investigation in Phantom is typically triggered by ingesting emails from a specific inbox to which users can forward suspicious emails. This playbook can also be used with email gateways to investigate the output of any suspicious emails.


Phishing Investigation and Response Help

Simply deploy Phantom and work with your technical team to deploy this playbook.
