Conducting Phishing Incident Response

When to Use

- A user reports receiving a suspicious email via the phishing report button or abuse mailbox
- Email gateway detects a malicious email that bypassed initial filtering
- Threat intelligence indicates an active phishing campaign targeting the organization
- A user confirms they clicked a link or opened an attachment from a suspicious email
- Credentials have been entered on a suspected phishing page

Do not use for business email compromise (BEC) involving compromised internal accounts; use BEC response procedures which focus on account takeover…