IT Triage for Phishing Reports

<aside> 🚨

This process ensures IT can handle phishing reports effectively while leveraging expert cybersecurity support from Kmicro SOC.

</aside>

When the IT Dept receives a phishing report, they should follow these steps to triage and escalate effectively:

1. Acknowledge Receipt

• Send a quick acknowledgment to the reporting staff member to confirm their email was received (e.g., “Thank you for reporting this. We are reviewing the issue.”).

<aside> ⏩

Forward the email to [email protected] if a ticket has not already been created, to ensure proper documentation.

</aside>

2. Perform Basic Checks

• Examine the Email Headers:

• Verify the sender’s IP address and domain.

• Look for spoofing signs or mismatched domains.

• Check Links or Attachments (Safely):

• DO NOT click links or open attachments directly.

• Use a secure sandbox or tools like VirusTotal to scan URLs or attachments.

• Identify Patterns:

• Determine if this email is part of a larger phishing campaign targeting other users in the organization.

3. Search for Impact Across the Organization

• Use your email gateway logs to identify if other staff members have received the same email.

• Check for any reports of unusual activity in related accounts (e.g., failed logins, suspicious access).

4. Forward to Cybersecurity Experts

• After completing the above checks, escalate to your cybersecurity team at [email protected].

• Attach the original email (use “Forward as Attachment” to preserve metadata).

• Include a summary of your findings:

• Sender’s email address and domain.

• Suspicious links or attachments.

• Whether other employees received similar emails.

• Any potential indicators of compromise (IOC).

5. Contain and Mitigate

While waiting for SOC feedback, take proactive steps to minimize risk:

• Block the Sender’s Email Address:

• Use the email security platform to blacklist the sender or domain.

• Warn Staff (If Necessary):

• Send an advisory to staff if the phishing campaign appears widespread (e.g., “Do not open emails with the subject line ‘Urgent Invoice.’”).

• Monitor Systems for Unusual Activity:

• Keep an eye on logs for suspicious login attempts or data transfer.

6. Follow SOC Guidance

Once SOC responds:

• Implement their recommendations, such as blocking domains, resetting credentials, or initiating further incident response steps.

• Update internal documentation with any newly identified IOCs or preventive measures.

7. Log and Close the Ticket

• Document the incident in your ticketing system, including:

• Details of the phishing attempt.

• Steps taken by IT and SOC.

• Any follow-up actions required.

• Notify the reporting staff member that the issue has been addressed.