top of page

Phishing Incident Response Plan: Remediation stage

As a part of your Phishing Incident Response plan, the remediation stage is vital. This stage is where your MSP or your client’s IT team will launch your efforts to respond to a potential disruption. The response to these attacks has consequences, consider timing and tradeoffs for these actions before implementation.

1. Contain the affected accounts

  1. Change the login credentials for affected users, or instruct those with affected accounts to change their credentials.

  2. Reduce impacted account access to critical services, systems, or data until the investigation is complete

  3. Reinforce multi-factor authentication (MFA) policies, or encourage users to add MFA if it’s not in your current policy.

2. Block activity based on what you learned in the Investigation stage.

  1. Malicious domains using DNS, firewalls, or proxies

  2. Messages with similar senders, message bodies, subjects, links, attachments, etc., using email gateway or service.

3. Implement a forensic hold or retain forensic copies of the reported phishing messages

4. Purge related messages from other user inboxes, or otherwise make the messages inaccessible

5. If the phishing incident resulted in a broader compromise or breach beyond the initial phishing attack, take action to limit the impact and scope of the compromise by following the procedures outlined in your team’s general incident response plan.

6. Consider mobile device containment measures such as wiping via mobile device management (MDM). Balance this against the investigative and forensic impact.

7. Increase your overall detection "alert level" for potential breaches related to the phishing attack. This may include enhanced monitoring from related accounts, domains, or IP addresses.

8. Consider outside security assistance to support your investigation and/or remediation

9. Confirm that relevant software upgrades/updates and anti-malware updates on assets are up to date.

These steps do not need to be accomplished in a particular order and if possible should be executed in tandem.

Ensure your team is following your general incident response plan in addition to your phishing incident response plan to cover the most ground. The next step in the phishing response plan covers your team’s communication procedures.

Building a comprehensive Phishing Incident Response plan with your clients can save both you and your client valuable time. Download the Phishing Incident Response workbook, to create each of your client’s unique phishing incident response plan.

We’ll guide you through the four stages of phishing incident response: investigation, recovery, communication and remediation and provide helpful resources that give you the information you and your clients need to respond to a phishing incident.


Learn more about HacWare: MSP partners can decrease the likelihood their end users will click on a phishing email by 60%. Let us help you empower your client's end users with automated, AI-driven phishing simulations and under three-minute micro-trainings to build them into your client's first line of defense against cyber attacks.

Learn more about our partner program and how we can support your MSP's growth!

bottom of page