conducting-phishing-incident-response


Responds to phishing incidents by analyzing reported emails, extracting indicators, assessing credential compromise, quarantining malicious messages across the organization, and remediating affected accounts. Covers email header analysis, URL/attachment sandboxing, and mailbox-wide purge operations. Activates for requests involving phishing response, email incident, credential phishing, spear phishing investigation, or phishing remediation.

Category: AI & Automation | 12,642 stars | 1,468 forks | Updated today | License: Apache-2.0

Quality Score: 99/100

| Component | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Conducting Phishing Incident Response

## When to Use

- A user reports receiving a suspicious email via the phishing report button or abuse mailbox
- Email gateway detects a malicious email that bypassed initial filtering
- Threat intelligence indicates an active phishing campaign targeting the organization
- A user confirms they clicked a link or opened an attachment from a suspicious email
- Credentials have been entered on a suspected phishing page

**Do not use** for business email compromise (BEC) involving compromised internal accounts; use BEC response procedures, which focus on account takeover investigation.

## Prerequisites

- Email security gateway with message trace and quarantine capabilities (Microsoft Defender for Office 365, Proofpoint, Mimecast)
- Microsoft 365 admin access or Google Workspace admin for mailbox search and purge
- Malware sandbox for attachment and URL analysis (ANY.RUN, Joe Sandbox, Hybrid Analysis)
- Email header analysis tools (MXToolbox Header Analyzer, Google Admin Toolbox)
- Identity provider access for account remediation (Azure AD, Okta, Duo)
- Phishing report intake process (dedicated mailbox or integrated report button)

## Workflow

### Step 1: Receive and Triage the Phishing Report

Evaluate the reported email to determine if it is malicious:

- Extract the email as an .EML or .MSG file (preserves headers)
- Analyze email headers to determine the true sender, relay path, and authentication results

```
Email Header Analysis Chec...
```
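The header checks in Step 1 (true sender, relay path, SPF/DKIM/DMARC results) can be automated against the extracted .EML before any analyst time is spent. The following is an added example, not code from the skill or repository above; the .eml sample, host names and addresses are constructed for illustration, and the triage rules are assumptions rather than the skill's checklist.

```python
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

# Constructed sample report (not from the page): a "helpdesk" lookalike whose
# envelope sender domain differs from the From domain, and whose
# Authentication-Results show SPF passing only for the relay while DMARC fails.
SAMPLE_EML = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby inbound.corp.example with ESMTPS; Tue, 4 Jun 2024 09:15:02 +0000
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.7])
\tby mx.corp.example with ESMTPS; Tue, 4 Jun 2024 09:15:01 +0000
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-relay.example.net;
\tdkim=none; dmarc=fail header.from=corp.example
From: "IT Helpdesk" <helpdesk@corp.example>
To: user@corp.example
Subject: Password expires today

Please sign in at the portal to keep your account.
"""

def parse_auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results (first hit wins)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results

def relay_path(msg):
    """Hop names in transit order; Received headers are prepended, so reverse them."""
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        m = re.match(r"from\s+(\S+)", str(received).strip())
        hops.append(m.group(1) if m else str(received).split(";")[0].strip())
    return hops

def triage(raw):
    """Return the header facts an analyst needs plus a list of anomalies found."""
    msg = message_from_bytes(raw, policy=default)
    from_domain = parseaddr(str(msg["From"]))[1].split("@")[-1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].split("@")[-1].lower()
    auth = parse_auth_results(msg)
    findings = []
    if return_path and return_path != from_domain:
        findings.append(f"envelope sender domain {return_path} != From domain {from_domain}")
    for method in ("dkim", "dmarc"):  # either failing or absent warrants analyst review
        if auth.get(method) != "pass":
            findings.append(f"{method.upper()} result: {auth.get(method, 'missing')}")
    return {"from_domain": from_domain, "return_path_domain": return_path, "auth": auth,
            "hops": relay_path(msg), "findings": findings,
            "verdict": "suspicious" if findings else "no header anomalies"}
```

Run `triage(open("report.eml", "rb").read())` on a real extracted report; the `hops` list reads oldest relay first, so the first entry is the host the message actually originated from as far as your gateway can see.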

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0
