# respond-phishing

```
$ npx mdskill add dandye/ai-runbooks/respond-phishing
```

Execute PICERL phishing response to block threats and remove emails.
- Extracts malicious URLs and IOCs from reported phishing emails.
- Identifies affected users and those who clicked malicious content.
- Blocks confirmed indicators at email gateways and firewalls.
- Reports categorized findings and removed artifacts to the case.

SKILL.md (`.github/skills/respond-phishing`)
---
name: respond-phishing
description: "Respond to a reported phishing email following PICERL methodology. Use when a phishing email is reported or detected. Analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes."
required_roles:
  chronicle: roles/chronicle.editor
  soar: roles/chronicle.soarAdmin
  gti: GTI Enterprise
personas: [incident-responder]
---
# Phishing Incident Response Skill
Structured workflow for responding to reported phishing emails using the PICERL model.
## Inputs
- `CASE_ID` - SOAR case ID for the incident
- `ALERT_GROUP_IDENTIFIERS` - Alert group identifiers from SOAR
- `REPORTED_EMAIL_ARTIFACTS` - Information about the email:
  - Email headers
  - Email body
  - Attached files (hashes)
  - URLs in email
  - Recipient user ID(s)
  - Sender address/domain
## Required Outputs
**After completing each phase, you MUST report these outputs:**
### Identification Phase
| Output | Description |
|--------|-------------|
| `PHISHING_URLS` | URLs extracted from email body |
| `PHISHING_IOCS` | Confirmed malicious indicators (URLs, domains, hashes) |
| `AFFECTED_USERS` | All users who received the email |
| `CLICKED_USERS` | Users who clicked/interacted with malicious content |
| `PHISHING_CATEGORY` | Type: credential phish, spear phishing, BEC, malware delivery |
### Containment Phase
| Output | Description |
|--------|-------------|
| `BLOCKED_IOCS` | IOCs blocked at email gateway/proxy/firewall |
| `CONTAINED_USERS` | User accounts with restrictions applied |
| `ISOLATED_ENDPOINTS` | Endpoints isolated due to suspicious activity |
### Eradication Phase
| Output | Description |
|--------|-------------|
| `DELETED_EMAILS` | Count of malicious emails removed from mailboxes |
| `QUARANTINED_EMAILS` | Emails moved to quarantine |
### Recovery Phase
| Output | Description |
|--------|-------------|
| `RESTORED_ACCOUNTS` | User accounts restored to normal access |
| `USER_NOTIFICATIONS` | Users notified of incident and required actions |
## PICERL Phases
### Phase 2: Identification
**Step 2.1: Get Context & Check Duplicates**
```
secops-soar.get_case_full_details(case_id=CASE_ID)
```
Use `/check-duplicates`.
**Step 2.2: Analyze Email Artifacts**
Extract from email:
- All URLs → `EXTRACTED_URLS`
- Sender domain/IP
- Attachment hashes → `EXTRACTED_HASHES`
- Reply-to addresses
- Header anomalies (SPF/DKIM failures)
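As an added example (not part of this skill or the dandye/ai-runbooks project), the following Python routine pulls the Step 2.2 artifacts out of a raw message using only the standard library: URLs and their hosts, sender and Reply-To domains, SHA-256 of each attachment, and SPF/DKIM results plus a Reply-To mismatch as header anomalies. The message, its domains, IP and attachment are constructed sample data.

```python
import hashlib
import re
from email import message_from_bytes, policy
from urllib.parse import urlparse

# Constructed sample of a reported phishing message; domains, IP and attachment are made up.
RAW_EMAIL = b"""\
From: "IT Helpdesk" <helpdesk@contoso-support.example>
Reply-To: recover@mailbox-reset.example
Subject: Action required: password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=contoso-support.example; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset your password at https://login.contoso-support.example/reset?u=alice
Backup link: http://198.51.100.23/r
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

MZ-constructed-placeholder-bytes
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

def extract_artifacts(raw: bytes) -> dict:
    """Return the Step 2.2 artifacts: URLs, sender/reply-to domains, attachment hashes, header anomalies."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    reply_to = msg["Reply-To"].addresses[0].domain.lower() if msg["Reply-To"] else None
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = sorted(set(URL_RE.findall(text)))
    # SHA-256 of each decoded attachment feeds EXTRACTED_HASHES for enrichment and SIEM searches
    attachments = [
        {"filename": p.get_filename(), "sha256": hashlib.sha256(p.get_payload(decode=True)).hexdigest()}
        for p in msg.iter_attachments()
    ]
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}
    anomalies = [f"{k}={v}" for k, v in auth.items() if v != "pass"]
    if reply_to and reply_to != sender_domain:
        anomalies.append(f"reply-to domain {reply_to} differs from sender domain {sender_domain}")
    return {"urls": urls, "url_hosts": sorted({urlparse(u).hostname for u in urls}),
            "sender_domain": sender_domain, "reply_to_domain": reply_to,
            "attachments": attachments, "anomalies": anomalies}
```

The `urls` list maps to `EXTRACTED_URLS` and the attachment digests to `EXTRACTED_HASHES`; `url_hosts` and the two domains are the candidates for `/enrich-ioc` in Step 2.3.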
**Step 2.3: Enrich Extracted IOCs**
For each IOC (URLs, domains, IPs, hashes):
Use `/enrich-ioc`:
```
/enrich-ioc IOC_VALUE IOC_TYPE
```
Identify confirmed malicious IOCs → `MALICIOUS_IOCs`.
**Step 2.4: Categorize Phishing Type**
| Category | Indicators |
|----------|------------|
| **Generic Credential Phish** | Broad targeting, brand impersonation (Microsoft, Google) |
| **Spear Phishing** | Personalized, targets specific individuals |
| **Whaling** | Targets executives |
| **BEC** | Wire transfer requests, no malicious links |
| **Brand Impersonation** | Mimics known brands |
| **Malware Delivery** | Focus on attachments or download links |
Document: `PHISHING_CATEGORY`
**Step 2.5: Search for Related Activity (SIEM)**
```
secops-mcp.search_security_events(
    text="Network connections or DNS to MALICIOUS_IOCs",
    hours_back=72
)
```
Look for:
- Other emails with same subject/sender
- URL clicks to malicious URLs
- File executions of malicious hashes
- Suspicious activity from recipients
**Step 2.6: Identify Impact**
- `SIMILAR_EMAIL_RECIPIENTS` - Who else received it
- `POTENTIAL_COMPROMISED_USERS` - Who clicked/interacted
- `SUSPICIOUS_ENDPOINTS` - Endpoints with related activity
**Step 2.7: Document Identification**
Use `/document-in-case` with findings.
---
### Phase 3: Containment
**Step 3.1: Block Network IOCs**
For each IOC in `MALICIOUS_IOCs`:
Use `/confirm-action`:
> "Block domain/IP/URL [VALUE]?"
If confirmed, implement blocks at:
- Email gateway
- Web proxy
- Firewall
- DNS
**Step 3.2: Contain Potentially Compromised Users**
For each user in `POTENTIAL_COMPROMISED_USERS`:
Trigger `/respond-compromised-account`
**Step 3.3: Isolate Suspicious Endpoints**
For each endpoint in `SUSPICIOUS_ENDPOINTS`:
Use `/confirm-action`:
> "Isolate endpoint [HOSTNAME]?"
**Step 3.4: Verify Containment**
Monitor for continued activity to blocked IOCs.
Use `/document-in-case` with containment status.
---
### Phase 4: Eradication
**Step 4.1: Delete Malicious Emails**
*(Requires Email Gateway/Platform tools)*
Search all mailboxes for:
- Same subject line
- Same sender
- Contains malicious URLs/attachments
Delete/quarantine identified emails.
Document count of emails removed.
**Step 4.2: Address Malware (If Applicable)**
If phishing led to malware execution:
→ Trigger `/respond-malware`
**Step 4.3: Document Eradication**
Use `/document-in-case` with email deletion counts and actions.
---
### Phase 5: Recovery
**Step 5.1: User Account Recovery**
If accounts disabled during containment:
- Verify threat is removed
- Re-enable accounts
- Force password change if credentials potentially compromised
**Step 5.2: Endpoint Recovery**
If endpoints isolated:
- Verify clean before reconnecting
- Follow malware response recovery if infected
**Step 5.3: Validate Countermeasures**
After lifting blocks, verify legitimate traffic isn't blocked.
**Step 5.4: User Communication**
Notify affected users:
- What happened
- Actions taken
- What they should do (change passwords, be vigilant)
---
### Phase 6: Lessons Learned
Use `/generate-report` with:
- Phishing category
- Impact assessment
- Response timeline
- Emails deleted count
- Recommendations
Conduct review:
- How did it bypass email filters?
- Detection effectiveness
- User awareness gaps
- Recommended filter/rule updates
---
## Critical Warnings
- **DO check** who else received the email
- **DO NOT leave** malicious emails in mailboxes
- **DO NOT block** legitimate business domains (verify first)
- **VERIFY** extracted domains against company-owned domains list
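The verification called for here, and the "DO NOT block legitimate business domains" rule it backs in Step 3.1, can be enforced before any `/confirm-action` prompt is raised. Added example (not part of this skill or the dandye/ai-runbooks project); `COMPANY_DOMAINS` is a constructed stand-in for the organisation's real company-owned domains list.

```python
from ipaddress import ip_address

# Constructed stand-in for the organisation's company-owned domain list.
COMPANY_DOMAINS = {"example.com", "corp.example.net"}

def _normalize(host: str) -> str:
    # Lower-case, strip whitespace and a trailing dot so "EXAMPLE.COM." matches "example.com"
    return host.strip().rstrip(".").lower()

def is_company_owned(host: str, owned: set) -> bool:
    """True if host equals an owned domain or is a subdomain of one.

    Matching is label-aligned: "login.example.com" is owned, but
    "example.com.evil.test" is not, since it only shares a substring.
    """
    h = _normalize(host)
    return any(h == d or h.endswith("." + d) for d in map(_normalize, owned))

def triage_block_candidates(hosts, owned=COMPANY_DOMAINS) -> dict:
    """Split extracted hosts into those safe to submit for blocking and those to hold for analyst review."""
    block, hold = set(), set()
    for host in hosts:
        h = _normalize(host)
        try:
            ip_address(h)  # a bare IP can never be on the domain allowlist; pass it through
            block.add(h)
            continue
        except ValueError:
            pass
        (hold if is_company_owned(h, owned) else block).add(h)
    return {"block": sorted(block), "hold_for_review": sorted(hold)}
```

Hosts in `hold_for_review` are company-owned and need an analyst decision (a compromised internal site, or a benign link in the lure) rather than an automatic block.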
## Phishing Response Checklist
- [ ] Email artifacts analyzed
- [ ] IOCs enriched and categorized
- [ ] All recipients identified
- [ ] Click/interaction assessed
- [ ] Malicious IOCs blocked
- [ ] Compromised users contained
- [ ] Malicious emails deleted from ALL mailboxes
- [ ] Users notified
- [ ] Report generated