respond-phishing

Respond to a reported phishing email following PICERL methodology. Use when a phishing email is reported or detected. Analyzes artifacts, identifies recipients who clicked, contains malicious IOCs, and removes emails from mailboxes.

Install with Tessl CLI

npx tessl i github:dandye/ai-runbooks --skill respond-phishing

What are skills?

Review — 81%

Does it follow best practices?

If you maintain this skill, you can automatically optimize it using the tessl CLI to improve its score:

npx tessl skill review --optimize ./path/to/skill

Learn more

Validation — 10 / 11 Passed

Validation for skill structure

SKILL.md

Review

Evals

Phishing Incident Response Skill

Structured workflow for responding to reported phishing emails using the PICERL model.

Inputs

CASE_ID - SOAR case ID for the incident
ALERT_GROUP_IDENTIFIERS - Alert group identifiers from SOAR
REPORTED_EMAIL_ARTIFACTS - Information about the email:
- Email headers
- Email body
- Attached files (hashes)
- URLs in email
- Recipient user ID(s)
- Sender address/domain

Required Outputs

After completing each phase, you MUST report these outputs:

Identification Phase

Output	Description
`PHISHING_URLS`	URLs extracted from email body
`PHISHING_IOCS`	Confirmed malicious indicators (URLs, domains, hashes)
`AFFECTED_USERS`	All users who received the email
`CLICKED_USERS`	Users who clicked/interacted with malicious content
`PHISHING_CATEGORY`	Type: credential phish, spear phishing, BEC, malware delivery

Containment Phase

Output	Description
`BLOCKED_IOCS`	IOCs blocked at email gateway/proxy/firewall
`CONTAINED_USERS`	User accounts with restrictions applied
`ISOLATED_ENDPOINTS`	Endpoints isolated due to suspicious activity

Eradication Phase

Output	Description
`DELETED_EMAILS`	Count of malicious emails removed from mailboxes
`QUARANTINED_EMAILS`	Emails moved to quarantine

Recovery Phase

Output	Description
`RESTORED_ACCOUNTS`	User accounts restored to normal access
`USER_NOTIFICATIONS`	Users notified of incident and required actions

PICERL Phases

Phase 2: Identification

Step 2.1: Get Context & Check Duplicates

secops-soar.get_case_full_details(case_id=CASE_ID)

Use /check-duplicates.

Step 2.2: Analyze Email Artifacts

Extract from email:

All URLs → EXTRACTED_URLS
Sender domain/IP
Attachment hashes → EXTRACTED_HASHES
Reply-to addresses
Header anomalies (SPF/DKIM failures)

Step 2.3: Enrich Extracted IOCs

For each IOC (URLs, domains, IPs, hashes):

Use /enrich-ioc:

/enrich-ioc IOC_VALUE IOC_TYPE

Identify confirmed malicious IOCs → MALICIOUS_IOCs.

Step 2.4: Categorize Phishing Type

Category	Indicators
Generic Credential Phish	Broad targeting, brand impersonation (Microsoft, Google)
Spear Phishing	Personalized, targets specific individuals
Whaling	Targets executives
BEC	Wire transfer requests, no malicious links
Brand Impersonation	Mimics known brands
Malware Delivery	Focus on attachments or download links

Document: PHISHING_CATEGORY

Step 2.5: Search for Related Activity (SIEM)

secops-mcp.search_security_events(
    text="Network connections or DNS to MALICIOUS_IOCs",
    hours_back=72
)

Look for:

Other emails with same subject/sender
URL clicks to malicious URLs
File executions of malicious hashes
Suspicious activity from recipients

Step 2.6: Identify Impact

SIMILAR_EMAIL_RECIPIENTS - Who else received it
POTENTIAL_COMPROMISED_USERS - Who clicked/interacted
SUSPICIOUS_ENDPOINTS - Endpoints with related activity

Step 2.7: Document Identification

Use /document-in-case with findings.

Phase 3: Containment

Step 3.1: Block Network IOCs

For each IOC in MALICIOUS_IOCs:

Use /confirm-action:

"Block domain/IP/URL [VALUE]?"

If confirmed, implement blocks at:

Email gateway
Web proxy
Firewall
DNS

Step 3.2: Contain Potentially Compromised Users

For each user in POTENTIAL_COMPROMISED_USERS:

Trigger /respond-compromised-account

Step 3.3: Isolate Suspicious Endpoints

For each endpoint in SUSPICIOUS_ENDPOINTS:

Use /confirm-action:

"Isolate endpoint [HOSTNAME]?"

Step 3.4: Verify Containment

Monitor for continued activity to blocked IOCs.

Use /document-in-case with containment status.

Phase 4: Eradication

Step 4.1: Delete Malicious Emails

(Requires Email Gateway/Platform tools)

Search all mailboxes for:

Same subject line
Same sender
Contains malicious URLs/attachments

Delete/quarantine identified emails. Document count of emails removed.

Step 4.2: Address Malware (If Applicable)

If phishing led to malware execution: → Trigger /respond-malware

Step 4.3: Document Eradication

Use /document-in-case with email deletion counts and actions.

Phase 5: Recovery

Step 5.1: User Account Recovery

If accounts disabled during containment:

Verify threat is removed
Re-enable accounts
Force password change if credentials potentially compromised

Step 5.2: Endpoint Recovery

If endpoints isolated:

Verify clean before reconnecting
Follow malware response recovery if infected

Step 5.3: Validate Countermeasures

After lifting blocks, verify legitimate traffic isn't blocked.

Step 5.4: User Communication

Notify affected users:

What happened
Actions taken
What they should do (change passwords, be vigilant)

Phase 6: Lessons Learned

Use /generate-report with:

Phishing category
Impact assessment
Response timeline
Emails deleted count
Recommendations

Conduct review:

How did it bypass email filters?
Detection effectiveness
User awareness gaps
Recommended filter/rule updates

Critical Warnings

DO check who else received the email
DO NOT leave malicious emails in mailboxes
DO NOT block legitimate business domains (verify first)
VERIFY extracted domains against company-owned domains list

Phishing Response Checklist

Repository: dandye/ai-runbooks
Commit: 67a00be
Last updated: 14 days ago
Created: 14 days ago

Is this your skill?

If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.