Phishing Incident 101

Ryan McGeehan
Jun 15, 2015 · 8 min read

How big was this attack?

Our first goal is to understand the breadth of the attack while we create a checklist of items that will eradicate the breach.

The SEA phish against the Onion
  • emails from “mpyisi”
  • emails from
  • emails with “Thanks & Regards” within this timeframe
  • emails with that URL?
  • emails with that anchor text?
  • emails with undisclosed recipients within this time window?
There’s always more than one phish; it’s only a matter of time.
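The checklist above is a set of mailbox searches. As an added example (not code from the original post), here is a small triage routine that runs those same checks over raw messages: sender local-part, signature phrase, link URL, anchor text, undisclosed recipients, all restricted to an incident time window. The indicators, URL, anchor text and the two sample messages are constructed placeholders, not values from the real incident.

```python
import email, html, re
from email import policy
from datetime import datetime, timezone
# Constructed indicators for the checklist above; URL and anchor text are placeholders.
INDICATORS = {
    "sender_localpart": "mpyisi",
    "signature": "Thanks & Regards",
    "url": "http://phish.example.invalid/login",
    "anchor_text": "View the full story",
    "window": (datetime(2015, 6, 1, tzinfo=timezone.utc), datetime(2015, 6, 3, tzinfo=timezone.utc)),
}
# Constructed samples: a phish inside the window, and an unrelated message outside it.
PHISH = """From: News Desk <mpyisi@example.invalid>
To: undisclosed-recipients:;
Date: Tue, 02 Jun 2015 14:03:00 +0000
Message-ID: <p1@example.invalid>
Content-Type: text/html

<p><a href="http://phish.example.invalid/login">View the full story</a></p>
<p>Thanks &amp; Regards</p>
"""
BENIGN = """From: Alice <alice@example.invalid>
To: bob@example.invalid
Date: Wed, 20 May 2015 09:00:00 +0000
Message-ID: <b1@example.invalid>

Lunch at noon? Thanks & Regards
"""

def triage(raw_messages, ind=INDICATORS):
    """Map Message-ID -> matched indicators for messages sent inside the window."""
    start, end = ind["window"]
    anchor = re.compile(r"<a\b[^>]*>\s*%s\s*</a>" % re.escape(ind["anchor_text"]), re.I)
    hits = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        if not start <= msg["Date"].datetime <= end:
            continue  # sent outside the incident window: not part of this triage
        body = html.unescape(msg.get_body(("html", "plain")).get_content())
        checks = [
            ("sender", ind["sender_localpart"] in str(msg["From"]).lower()),
            ("signature", ind["signature"] in body),
            ("url", ind["url"] in body),
            ("anchor", anchor.search(body) is not None),
            ("undisclosed-recipients", "undisclosed" in str(msg["To"] or "").lower()),
        ]
        matched = [name for name, ok in checks if ok]
        if matched:
            hits[str(msg["Message-ID"]).strip()] = matched
    return hits
```

Each hit lists which indicators fired, so a message matching only the signature phrase can be reviewed separately from one that also carries the link.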

Are there upcoming phishing sites?

You may only be seeing the very beginning of a string of attacks against your employees. Open source intelligence may reveal other phishing sites or command-and-control servers that could be used in future attacks against you or others. Even if it doesn’t, it never hurts to understand the adversary’s infrastructure.

Was there an attachment?

To accomplish any goal, an attacker will either social engineer a victim through a manipulative conversation, drop malware on a machine via an attachment or exploit, or trick the user into entering credentials on a spoofed page.

What does the malware do?

This is hard if you’re unprepared: a DIY investigation of malware requires an air-gapped laptop and the ability to do network traffic analysis. Or use a tool like Malwr. Look for:

  • Any specific credential targets
  • Persistence characteristics, like a launchd entry

What’s happening to my network?

Keep a running list of any suspicious domains or IP addresses that were used for a phishing site, landing page, or command and control. These are called Indicators of Compromise and help discover hosts the bad guys have captured.

What credentials were targeted?

Were Twitter logins targeted, or an internal tool? Depending on what was targeted and the attack’s success, you will want to consider shutting down general access to these tools or websites. Of course, you can’t shut down Twitter, but you may be able to temporarily deny browser access to it for a short timeframe while you try to understand what’s going on.

Should you enforce multifactor?

Multifactor is not an all-in-one defense against active threat phishing attacks. Any decent phish will very easily steal most second factors as well (Google Authenticator, for example). However, MFA does box in an attack by denying access to other hosts with the same password, and time boxing a bad guy’s potential access to within seconds which is good for forensic follow up.

Did password resets destroy sessions?

An extremely common vulnerability is mishandling of password resets. Password resets are frequently in response to an account takeover. You need to make sure the reset flow also destroyed all current sessions. If you need to write any tools or scripts that massively reset passwords outside of the typical user flow — make sure you’re destroying current sessions as well. Otherwise, the attacker will just hang out and keep wrecking houses with their current session despite the user’s new password.
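To make the point concrete, here is an added example (not code from the original post) using a constructed in-memory user and session store: one reset flow that only swaps the password hash, and one that also revokes every session belonging to the user. The helper at the end reports whether a session opened with the old password still works after the reset.

```python
import hashlib, os, secrets

class AuthStore:
    """Constructed in-memory user and session store (not a real framework)."""
    def __init__(self):
        self.users = {}     # username -> (salt, password hash)
        self.sessions = {}  # session token -> username

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(salt, password))

    def login(self, username, password):
        salt, digest = self.users[username]
        if not secrets.compare_digest(digest, self._hash(salt, password)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def is_valid(self, token):
        return token in self.sessions

    def reset_password_vulnerable(self, username, new_password):
        # Replaces the credential only. Every session issued before the reset,
        # including one opened with the phished password, keeps working.
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(salt, new_password))

    def reset_password(self, username, new_password):
        # Same credential change, then revocation of all of the user's sessions,
        # so the reset actually evicts whoever is currently logged in.
        self.reset_password_vulnerable(username, new_password)
        for token in [t for t, u in self.sessions.items() if u == username]:
            del self.sessions[token]

def session_survives_reset(reset):
    """True if a session opened with the old password still works after `reset`."""
    store = AuthStore()
    store.create_user("alice", "phished-password")
    old_session = store.login("alice", "phished-password")
    reset(store, "alice", "new-password")
    return store.is_valid(old_session)
```

A mass-reset script built on the first flow would leave every pre-existing session untouched; the second flow is the behaviour to check for.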

Am I ready to contain the attack?

It is impossible to say when you should start containment, as every attack is different. Depending on your risks and your tolerance of risk, you may want to take early measures to contain the attack. Deleting known phishing emails from inboxes is a common one. However, blocking access to tools or wiping malware too early may simply be inefficient until you know more about how successful the bad guys were.


You can’t really prevent phishing, but you can reduce the consequences of successful attacks. A quick response is sometimes the only answer. I wrote a lot about overall security practices here. If you’re specifically concerned about spear phishing, here are the big ticket items.


Employees need a place to report scary things. They need to know where they can freak out. Set up a mailing list, a slack / hipchat / irc channel, or some other kind of on-call. Then reward people who find bad shit. Make sure they all know it as well as 911.

Never punish a false positive. Do not become a scary authority figure.

If your culture allows it, there’s no problem with some satire to keep everyone level headed. Addresses like panic@, freakout@, snafu@ all work, or the more traditional cert@ or security@.

Multi Factor Everything

A 20 character random password is just as vulnerable as “12345” once it’s phished. Basic passwords are extremely vulnerable for way too many reasons. Complexity rules are important, but not as important as a second factor.

Password Manage Everything

In addition to a second factor, password uniqueness is critical. LastPass, 1Password, Okta, Meldium, OneLogin, etc., are all password managers or single sign-on providers that help consolidate the password problem in different ways: by managing complex passwords across many places, or by consolidating a single strong authentication point across many places.

Modern Browsers

Chrome is simply the most secure browser due to massive security investment by Google. Configure “Click to Play” on the browser to prevent the vast majority of exploits.

Managed Endpoints

If you can’t search your laptop fleet for a piece of malware, then you’ll be walking desktop to desktop removing malware manually. Or, you’ll end up wiping everything instead, which isn’t pleasant.

Email Delivery Policies

Delivery policies make it significantly harder for the bad guys to spoof your corporate email address without typo-jacking the domain. They’ll end up having to spoof something else entirely, which is not as effective as spoofing a teammate on your own brand. Look into setting up SPF / DKIM / DMARC in DNS, with your email delivery signing your outbound emails.
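As an added example (not from the original post), here is a small checker for the SPF and DMARC TXT records this recommendation refers to, with a weak pair of constructed records beside a corrected pair. DKIM is not covered here since verifying it needs the signing keys; the domain `example.invalid` is a placeholder.

```python
def parse_tags(record):
    """Split a DMARC-style 'tag=value; tag=value' TXT record into a dict."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def check_spf(record):
    """Return a list of weaknesses in an SPF record (empty list means no findings)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        return ["'+all' authorises every host on the internet to send as this domain"]
    if last == "?all":
        return ["'?all' is neutral: unauthorised senders are not failed"]
    if not last.endswith("all"):
        return ["no terminal 'all' mechanism: unless redirect= is used, unlisted senders get a neutral result"]
    return []

def check_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty list means no findings)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = tags.get("p")
    if p == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif p not in ("quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append("pct=%s applies the policy to only part of the mail" % tags["pct"])
    return findings

# Constructed records: a weak pair beside a corrected pair (example.invalid is a placeholder).
WEAK_SPF = "v=spf1 include:_spf.example.invalid ?all"
STRONG_SPF = "v=spf1 include:_spf.example.invalid -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"
```

Run the two checkers over the records you actually publish for your sending domains; an empty list from both is the state the paragraph above is asking for.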


I’m a security guy, former Facebook, Coinbase, and currently an advisor and consultant for a handful of startups. Incident Response and security team building is generally my thing, but I’m mostly all over the place.

Starting Up Security

Guides for the growing security team
