Phishing, Malware & Ransomware — First 10 Minutes
What the first 10 minutes must look like
Real-world analogy
Responding to an incident is like reacting to a grease fire in the kitchen. You don’t call a food critic — you cut the heat, cover the pan, move people away, and document what burned. Fast, calm, reversible.
What is it?
Incident response basics for common end-user security events. You don’t have to be a senior SOC analyst. You have to know the first 10 minutes — isolate, preserve, notify — and stay out of the way of seniors.
Real-world relevance
A finance user reports a suspicious email. You pull headers, see it’s a credential phish from a lookalike domain. You block the sender/URL, purge copies from all inboxes, reset the credentials of two users who clicked, review sign-in logs (no foreign logins), and email a short awareness note. Total time: 40 minutes.
Key points
- Recognize the family — Phishing: tricks a user into giving credentials or running a file. Malware: broad category; includes trojans, spyware, droppers. Ransomware: malware that encrypts data and demands payment. Response priorities differ.
- Phishing response in 10 minutes — (1) Confirm the report. (2) Capture the email with headers. (3) Search mail system for similar deliveries. (4) Block sender/URL at gateway. (5) Reset credentials of anyone who clicked. (6) Review sign-in logs. (7) Purge copies from other mailboxes. (8) Educate affected users gently.
- Ransomware first 10 minutes — (1) Isolate infected hosts from the network (not power off — preserves memory evidence). (2) Alert security/IR lead. (3) Preserve logs and disk images. (4) Disable affected user credentials. (5) Stop AD replication if domain admin compromise suspected (with seniors). (6) Check backups — offline copies, immutability, restore plan. (7) Do not pay without legal/exec approval. (8) Start comms log.
- Never destroy evidence accidentally — Don’t wipe, don’t reinstall, don’t reboot unless required. Volatile memory, timeline artifacts, and attacker footprints are destroyed by well-meaning reboots. Isolate + preserve + notify is the mantra.
- User is the first line of defense — Most phishing is stopped when a trained user reports a suspicious email. Make reporting easy (single button in Outlook/Teams). Celebrate reports; never shame users who got tricked.
- EDR and AV — Endpoint Detection and Response tools (Defender for Endpoint, CrowdStrike, SentinelOne, etc.) detect and isolate. Classic AV is necessary but insufficient. Learn how to read an EDR alert timeline.
- Comms discipline during an incident — Use a side channel (phones, out-of-band chat) if the main email/chat could be compromised. Nominate one spokesperson. Do NOT post details on social media or personal chats. Stick to facts, timestamps, and next steps.
- After-action review — Within 1–2 weeks of the incident, write a post-incident review: timeline, what worked, what didn’t, actions to prevent recurrence. Blameless — the goal is learning, not punishment.
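Steps (2) to (4) of the phishing response above (capture the email with headers, identify the indicators, decide what to block) are the part a junior can script. The following is an added example, not code from the page or from any of the products it names: it parses a constructed .eml with Python's standard `email` library and flags the indicators a responder would write into the ticket. The sample message, the `TRUSTED_DOMAINS` set, the homoglyph table and the edit-distance threshold are all assumptions for this example.

```python
"""Phishing triage for checklist steps (2)-(4): pull the indicators a
responder records (sender, display-name spoof, Reply-To, authentication
results, URLs, attachments) out of a captured .eml and flag the obvious ones."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the organisation's own mail domains, used for the lookalike checks.
TRUSTED_DOMAINS = {"example-corp.com"}
# Digit-for-letter swaps commonly used in lookalike domains (assumed list, extend as needed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample message, not a real phish: display-name spoof, lookalike
# sender domain, off-domain Reply-To, failed DMARC and a credential-harvest link.
SAMPLE_EML = b"""\
Return-Path: <billing@examp1e-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=fail
From: "Finance Team finance@example-corp.com" <billing@examp1e-corp.com>
Reply-To: payments@mail-relay.example.net
To: alice@example-corp.com
Subject: Overdue invoice - action required
Date: Mon, 3 Jun 2024 08:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is overdue. Sign in to review: https://examp1e-corp.com/login?u=alice
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if a domain impersonates a trusted one (homoglyphs or close edit distance).
    The distance threshold is an assumption; keep it small for short domains."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return False
    return any(domain.translate(HOMOGLYPHS) == t or levenshtein(domain, t) <= 2
               for t in TRUSTED_DOMAINS)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Parse one .eml and return the recorded indicators plus a list of finding codes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    sender_domain = _domain(sender)
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = sorted(set(re.findall(r"https?://[^\s<>\"']+", text)))
    attachments = [p.get_filename() for p in msg.iter_attachments()]

    findings = []
    # Display-name spoof: the name shows an address or trusted domain that the
    # real sender address does not match.
    name_domains = {d.lower() for d in re.findall(r"@([\w.-]+)", display)}
    name_domains |= {t for t in TRUSTED_DOMAINS if t in display.lower()}
    if any(d != sender_domain for d in name_domains):
        findings.append("display_name_spoof")
    if is_lookalike(sender_domain):
        findings.append("lookalike_sender")
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append("reply_to_mismatch")
    if return_path and _domain(return_path) != sender_domain:
        findings.append("return_path_mismatch")
    if auth.get("dmarc") != "pass":
        findings.append("dmarc_not_pass")
    if any(is_lookalike(urlsplit(u).hostname or "") for u in urls):
        findings.append("lookalike_url")

    return {"sender": sender, "sender_domain": sender_domain, "display_name": display,
            "reply_to": reply_to, "return_path": return_path, "auth": auth,
            "urls": urls, "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key:14} {value}")
```

The finding codes map straight onto the checklist: `lookalike_sender` and `lookalike_url` give the sender domain and URL to block at the gateway, and the attachment and subject give the search terms for finding similar deliveries in other mailboxes. The lookalike check is deliberately crude (no Unicode confusables, no subdomain handling) and produces false positives on very short domains, so treat it as a prompt for a human look rather than an automatic block.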
Code example
// Phishing 10-minute response checklist
[ ] Ticket open; user replied "I clicked / I did not click"
[ ] Capture email as .eml (or headers) from the user
[ ] Identify: sender, subject, display name spoof, URL, attachment
[ ] Query mail security (M365 Threat Explorer / gateway) for similar mails
[ ] Block sender domain + URL at gateway
[ ] Soft-delete (purge) copies from affected mailboxes
[ ] Reset credentials of anyone who entered them
[ ] Review Entra sign-in logs for the affected users
[ ] Check MFA registration events for unauthorized changes
[ ] Notify SOC / IT lead; document timeline
[ ] Send concise awareness note to the org
[ ] Thank the user who reported

// Ransomware 10-minute action
[ ] Isolate host(s) from network (disable switch port / NAC quarantine)
[ ] DO NOT power off — preserve RAM where possible
[ ] Engage security/IR senior and on-call lead
[ ] Disable affected user credentials; check privileged accounts
[ ] Start a dedicated side-channel (phone/out-of-band chat)
[ ] Freeze changes; notify execs / legal per policy
[ ] Verify backups exist, are offline/immutable, and recent
[ ] Start a timeline log (who did what, when)
[ ] Do NOT pay without legal/exec approval
Line-by-line walkthrough
- 1. Phishing checklist header
- 2. Ticket open and click state
- 3. Capture email evidence
- 4. Identify attack indicators
- 5. Search mail system for similar
- 6. Block sender and URL
- 7. Purge copies
- 8. Reset clicked users
- 9. Review sign-in logs
- 10. MFA registration review
- 11. Notify SOC
- 12. Send awareness note
- 13. Thank the reporter
- 14. Blank separator
- 15. Ransomware checklist header
- 16. Isolate host(s)
- 17. Preserve RAM
- 18. Engage IR senior
- 19. Disable user credentials
- 20. Side-channel comms
- 21. Freeze changes
- 22. Verify backups
- 23. Timeline log
- 24. No pay without approval
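Walkthrough items 9 and 10 (review sign-in logs, check MFA registration events) are where the phished password shows up as attacker activity. The following is an added example, not code from the page or from Microsoft Entra: it runs a small detection over constructed sign-in and MFA-registration records for the users who confirmed they entered credentials. The record layout, the per-user country baseline, the one-hour impossible-travel window and the `CLICKED` times are assumptions; a real review would read the tenant's export instead of the inline list.

```python
"""Sign-in and MFA-registration review for checklist items 9 and 10: given
the users who entered credentials and when, flag sign-ins and MFA changes
that look like attacker use of the phished password."""
from datetime import datetime, timedelta, timezone


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed records, not a real export; field names are assumptions, not the
# Entra schema. Times are UTC. BASELINE is the set of countries seen per user in
# the 30 days before the incident (assumed).
SIGN_INS = [
    {"user": "alice", "time": "2024-06-03T08:20:00Z", "ip": "198.51.100.10", "country": "GB", "status": "success", "mfa": True},
    {"user": "alice", "time": "2024-06-03T09:05:00Z", "ip": "203.0.113.77", "country": "NG", "status": "failure", "mfa": False},
    {"user": "alice", "time": "2024-06-03T09:06:00Z", "ip": "203.0.113.77", "country": "NG", "status": "success", "mfa": False},
    {"user": "bob", "time": "2024-06-02T07:50:00Z", "ip": "192.0.2.5", "country": "US", "status": "success", "mfa": True},
    {"user": "bob", "time": "2024-06-03T08:30:00Z", "ip": "198.51.100.11", "country": "GB", "status": "success", "mfa": True},
    {"user": "carol", "time": "2024-06-03T09:30:00Z", "ip": "203.0.113.9", "country": "BR", "status": "success", "mfa": False},
]
MFA_EVENTS = [
    {"user": "alice", "time": "2024-06-03T09:08:00Z", "action": "method_added", "method": "authenticator", "ip": "203.0.113.77"},
    {"user": "bob", "time": "2024-06-01T10:00:00Z", "action": "method_added", "method": "phone", "ip": "198.51.100.11"},
]
BASELINE = {"alice": {"GB"}, "bob": {"GB", "US"}}
# Users who confirmed on the ticket that they entered credentials, and when.
CLICKED = {"alice": "2024-06-03T08:40:00Z", "bob": "2024-06-03T08:10:00Z"}


def review(sign_ins, mfa_events, baseline, clicked, travel_window=timedelta(hours=1)):
    """Return (user, finding, time, detail) tuples for the users in `clicked`.
    Post-click activity is judged against the baseline; impossible travel is
    checked across all successes so the legitimate pre-click sign-in anchors it."""
    findings = []
    for user, click_str in clicked.items():
        click = parse_ts(click_str)
        events = sorted((e for e in sign_ins if e["user"] == user), key=lambda e: e["time"])
        last_success = None
        for e in events:
            t = parse_ts(e["time"])
            if e["status"] == "success":
                if (last_success is not None and last_success["country"] != e["country"]
                        and t - parse_ts(last_success["time"]) <= travel_window):
                    findings.append((user, "impossible_travel", e["time"],
                                     f'{last_success["country"]}->{e["country"]}'))
                last_success = e
            if t < click:
                continue  # before the credentials were exposed
            if e["country"] not in baseline.get(user, set()):
                findings.append((user, "new_country", e["time"], e["country"]))
            if e["status"] == "success" and not e["mfa"]:
                findings.append((user, "success_without_mfa", e["time"], e["ip"]))
        # An MFA method registered after the click is the attacker making the
        # stolen password durable; a password reset alone will not remove it.
        for m in mfa_events:
            if m["user"] == user and m["action"] == "method_added" and parse_ts(m["time"]) >= click:
                findings.append((user, "mfa_method_added", m["time"], m["method"]))
    return findings


def users_to_contain(findings):
    """Users whose sessions should be revoked and MFA methods reviewed, not merely reset."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    for f in review(SIGN_INS, MFA_EVENTS, BASELINE, CLICKED):
        print(*f)
    print("contain:", users_to_contain(review(SIGN_INS, MFA_EVENTS, BASELINE, CLICKED)))
```

In the constructed data alice's password is used from a new country without MFA within the hour and a new authenticator is registered two minutes later, so her outcome is a reset plus session revocation plus removal of the added method; bob shows nothing beyond the reset that step 8 already requires. Carol is out of scope because she is not on the ticket, which is the point of step 2: the click state drives whose logs get read first.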
Spot the bug
Junior sees ransomware note on a server. They immediately power off the server to ‘stop the damage,’ then reinstall Windows.
What forensic evidence and recovery options were destroyed?
Powering off wipes RAM (losing attacker artifacts, keys in memory, active processes). Reinstalling destroys disk evidence and timeline. Correct: isolate from network while keeping machine powered on, preserve memory if trained/allowed, image disks, engage IR, check backup/restore path. Reinstallation happens only after preservation and analysis.
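Step (6) of the ransomware list and the "check backup/restore path" in the answer above both come down to one question per affected host: is there a recent copy the attacker could not have reached, and has anyone proven it restores? The following is an added example, not code from the page or from any backup product: it evaluates a constructed backup catalogue against that question. The catalogue fields, the 36-hour freshness and 90-day restore-test thresholds, and `INCIDENT_TIME` are assumptions.

```python
"""Backup readiness check for ransomware step (6): for each affected host,
decide whether a recent backup exists that the attacker could not reach
(offline or immutable) and that has actually been restore-tested."""
from datetime import datetime, timedelta, timezone


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed backup catalogue, not real data; the field names are assumptions.
CATALOGUE = [
    {"set": "fs-daily-immutable", "hosts": ["fs01", "fs02"], "last_success": "2024-06-03T01:00:00Z",
     "immutable": True, "offline": False, "restore_tested": "2024-05-20T00:00:00Z"},
    {"set": "db-weekly-tape", "hosts": ["db01"], "last_success": "2024-05-26T02:00:00Z",
     "immutable": False, "offline": True, "restore_tested": "2024-01-15T00:00:00Z"},
    {"set": "app-vss-snapshots", "hosts": ["app01"], "last_success": "2024-06-03T03:00:00Z",
     "immutable": False, "offline": False, "restore_tested": None},
]
INCIDENT_TIME = parse_ts("2024-06-03T10:00:00Z")  # assumed time the ransom note appeared


def assess(hosts, catalogue, now, max_age=timedelta(hours=36), max_untested=timedelta(days=90)):
    """Map each host to its best backup set and a status: restorable (clean copy,
    fresh, tested), degraded (clean copy but stale or untested), at_risk (only
    online copies the ransomware could also hit), or no_backup."""
    report = {}
    for host in hosts:
        best = None
        for b in (b for b in catalogue if host in b["hosts"]):
            issues = []
            if not (b["immutable"] or b["offline"]):
                issues.append("reachable_by_attacker")  # same storage/credentials as the victim
            age = now - parse_ts(b["last_success"])
            if age > max_age:
                issues.append(f"stale:{age.days}d")
            if b["restore_tested"] is None or now - parse_ts(b["restore_tested"]) > max_untested:
                issues.append("restore_untested")
            candidate = {"set": b["set"], "age_hours": round(age.total_seconds() / 3600), "issues": issues}
            if best is None or len(issues) < len(best["issues"]):
                best = candidate
        if best is None:
            report[host] = {"status": "no_backup", "set": None, "age_hours": None, "issues": ["no_backup"]}
        elif "reachable_by_attacker" in best["issues"]:
            report[host] = {"status": "at_risk", **best}
        elif best["issues"]:
            report[host] = {"status": "degraded", **best}
        else:
            report[host] = {"status": "restorable", **best}
    return report


if __name__ == "__main__":
    for host, r in assess(["fs01", "db01", "app01", "web01"], CATALOGUE, INCIDENT_TIME).items():
        print(f"{host:6} {r['status']:11} {r['set']}  {r['issues']}")
```

The output is what the IR lead and execs need before any restore timeline or payment discussion: `at_risk` hosts are the ones whose only copies sit on storage the ransomware can reach (online snapshots on the same array), and `degraded` hosts have a clean copy but with a known data-loss window or an unproven restore. Nothing here touches the infected hosts, so it is safe to run while they stay isolated and powered on.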
Explain like I'm 5
When someone reports a fake email or a hostage note on the screen, don’t panic and don’t tidy up. Unplug the machine’s network, tell a senior, save the evidence, and write down what happened — in that order.
Fun fact
In many post-mortems of major ransomware cases, the attackers had been inside the network for weeks — quietly. The ransom note is the end of a long attack, not the start. Detection depth matters more than reaction speed.
Hands-on challenge
Build a phishing response checklist as a one-page runbook. Include detection, containment, eradication, recovery, and communications steps — with specific owners and tool names. This is genuine interview gold.
More resources
- Microsoft Defender for Office 365 anti-phishing (Microsoft Learn)
- NIST SP 800-61r2 Incident Handling Guide (NIST)
- CISA Ransomware Guide (CISA)