# Playbook Of The Week - New Features for Better Response to Phishing Campaigns

By [Arik Day](https://www.paloaltonetworks.com/blog/author/arik-day/?ts=markdown "Posts by Arik Day") Aug 17, 2023 5 minutes [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown) [Automation](https://www.paloaltonetworks.com/blog/tag/automation/?ts=markdown) [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown)
[Incident Response](https://www.paloaltonetworks.com/blog/tag/incident-response/?ts=markdown) [Phishing](https://www.paloaltonetworks.com/blog/tag/phishing/?ts=markdown) [security orchestration](https://www.paloaltonetworks.com/blog/tag/security-orchestration/?ts=markdown)

**Introduction**

Phishing emails are one of the most frequent, easily executed, and harmful attacks that organizations of any size face today. High-volume, persistent phishing alerts are a time sink for the security team, with incident response requiring coordination between multiple security products and communication with end users. Phishing is involved in almost 40% of security incidents, according to the [2022 Unit 42 Incident Response Threat Report](https://www.paloaltonetworks.com/unit42/2022-incident-response-report).

*"Attackers are looking for easy ways in. Phishing is a low-cost method with high results for attackers."*

**Phishing Content Pack - New 2023 Features**

The [Phishing content pack](https://cortex.marketplace.pan.dev/marketplace/details/Phishing/) is the main pack for all phishing purposes. If you need to respond to phishing incidents based on user reports, this is the content pack for you. With it, you can significantly reduce the time your security analysts spend on phishing alerts and standardize the way you manage phishing incidents. We've added new features to our most popular Cortex Marketplace content pack to help you better respond to phishing campaigns in 2023.

### **Phishing - Generic v3 Playbook**

**Semi-Automated Remediation**

When detecting phishing attempts, immediate action is essential to mitigate potential harm. By blocking indicators associated with the phishing attempt, we limit the attackers' ability to execute their malicious operations successfully and prevent further spread of the phishing campaign.
However, automatically blocking indicators runs the risk of inadvertently blocking legitimate indicators, potentially disrupting the organization's regular activities and workflow. By leaving the "AutoBlockIndicators" playbook input at "false" (the default value) and using the enhanced version of the [Block Indicators - Generic v3](https://xsoar.pan.dev/docs/reference/playbooks/block-indicators---generic-v3) playbook available in the Cortex Marketplace, the analyst can choose which indicators will be blocked. Once the phishing incident is classified as malicious, the playbook stops at a data collection task that asks the analyst to select the indicators to block.

![Fig 1: Block Indicators Data Collection Task](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-302566-1.png) Fig 1: Block Indicators Data Collection Task

![Fig 2: The analyst can multi-select indicators to block](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-302566-2.png) Fig 2: The analyst can multi-select indicators to block

**Threat Intelligence Analysis**

Cyberthreat intelligence provides valuable insight into the latest and emerging threats, attack techniques, and malicious actors. By staying informed about evolving threats, investigators can better understand the tactics, techniques, and procedures used by attackers, and respond more effectively to incidents. The "[TIM - Indicator Relationships Analysis](https://xsoar.pan.dev/docs/reference/playbooks/tim---indicator-relationships-analysis)" playbook identifies connections between indicators of compromise (IOCs) and reported campaigns sourced from feeds linked to Cortex XSOAR Threat Intelligence Management (TIM). When phishing incident-related IOCs are associated with a particular campaign, this information is presented in the phishing incident layout within the "Investigation" tab of the incident.
![Fig 3: Threat Intelligence analysis section](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-302566-3.png) Fig 3: Threat Intelligence analysis section

![Fig 4: Results will be displayed in the layout](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-302566-4.png) Fig 4: Results will be displayed in the layout

**Spear Phishing - Keywords Analysis**

Phishing attacks have become increasingly sophisticated, with cybercriminals customizing their tactics to target specific organizations. This tailored approach, known as spear phishing, poses a significant threat to businesses and individuals alike. According to the [Recent Trends in Internet Threats](https://unit42.paloaltonetworks.com/internet-threats-late-2022/) report by Unit 42, the share of phishing attacks disguised as online document and storage platforms rose from 27.8% in Q2 2022 to over 38.1% in Q3 and Q4 2022. During the same period, fake online shopping and marketplace sites became more popular as sources of phishing campaigns.

Using the "[Spear Phishing Investigation](https://xsoar.pan.dev/docs/reference/playbooks/spear-phishing-investigation)" sub-playbook, analysts can supply a list of keywords associated with the organization, such as names of stakeholders or of the systems and applications in use, and detect whether they appear in the phishing mail content. The keywords are provided via the playbook input "KeyWordsToSearch", either as a comma-separated list or as an XSOAR list object.

![Fig 5: KeyWords analysis input](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-302566-5.png) Fig 5: KeyWords analysis input

When a keyword is found in the email body, it is displayed in the layout's "Investigation" tab in a tag field, under the "Spear Phishing Investigation" section. Because it is a tag-type field, the analyst can search and filter incidents to identify phishing mails containing the same keywords.
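The keyword check described above, as an added example that is not the content pack's own automation: it accepts the "KeyWordsToSearch" input in either of the two forms the post mentions (a comma-separated string or an already-split list), normalizes and de-duplicates the keywords, and returns the ones that occur in the mail body as whole words, case-insensitively, ready to be written into a tag field. The email body, keyword list and the `parse_keywords`/`find_keywords` names are constructed for illustration. Whole-word matching matters in practice: a keyword like "Workday" should not fire on the phrase "work day", and a short stakeholder name should not match inside unrelated words.

```python
import re
from typing import Iterable, List, Union

# Constructed sample email body in the style of the spear-phishing mail the post
# describes; it is not the message shown in the post's screenshots.
SAMPLE_EMAIL_BODY = """<p>Hi Dana,</p>
<p>The <b>CFO</b> asked me to forward this SharePoint invoice before the
Workday payroll run closes today. Please review it at the link below.</p>
"""

# Constructed keyword list: stakeholders and systems an organization might put
# in its KeyWordsToSearch input (note the duplicate "cfo").
SAMPLE_KEYWORDS = "CFO, SharePoint, Okta, Workday, payroll, cfo"


def parse_keywords(raw: Union[str, Iterable[str]]) -> List[str]:
    """Normalize the KeyWordsToSearch input.

    Accepts either a comma-separated string (the form typed into the playbook
    input) or an already-split sequence (the form an XSOAR list object yields).
    Trims whitespace, drops empty entries and de-duplicates case-insensitively
    while keeping the first-seen spelling and order.
    """
    items = raw.split(",") if isinstance(raw, str) else list(raw)
    seen = set()
    keywords: List[str] = []
    for item in items:
        keyword = item.strip()
        if not keyword or keyword.casefold() in seen:
            continue
        seen.add(keyword.casefold())
        keywords.append(keyword)
    return keywords


def find_keywords(body: str, raw_keywords: Union[str, Iterable[str]]) -> List[str]:
    """Return the keywords that occur in the email body, for use as tag values.

    HTML tags are replaced with spaces so a keyword wrapped in markup is still
    matched, and each keyword is matched as a whole word, case-insensitively, so
    "Workday" does not fire on "work day". Multi-word keywords (a person's full
    name, for example) work because the keyword is regex-escaped verbatim.
    """
    text = re.sub(r"<[^>]+>", " ", body)
    found: List[str] = []
    for keyword in parse_keywords(raw_keywords):
        pattern = r"(?<!\w)" + re.escape(keyword) + r"(?!\w)"
        if re.search(pattern, text, flags=re.IGNORECASE):
            found.append(keyword)
    return found


if __name__ == "__main__":
    # Prints ['CFO', 'SharePoint', 'Workday', 'payroll']
    print(find_keywords(SAMPLE_EMAIL_BODY, SAMPLE_KEYWORDS))
```

Because the result is a list of the keywords as the organization spelled them, it can be written straight into a tag-type field and searched on later; a hit count or a per-keyword position would be the natural next thing to add if the layout needs it.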
![Fig 6: Phishing Email Example](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-302566-6.png) Fig 6: Phishing Email Example

![Fig 7: Keywords found in the phishing mail](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-302566-7.png) Fig 7: Keywords found in the phishing mail

![Fig 8: Search Incidents by keywords](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-302566-8.png) Fig 8: Search Incidents by keywords

**Determine phishing mail sender verdict as malicious**

Once a phishing incident's verdict is determined as malicious, the verdict of the sender's email address is set as malicious as well. When the Cortex XSOAR TIM module classifies the sender's email address as malicious, that address is marked as malicious in any subsequent phishing incidents linked to it. This ensures that analysts and playbooks take the classification into account when making their final determination about the incident verdict.

![Fig 9: Setting the phishing mail sender address as malicious](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-302566-9.png) Fig 9: Setting the phishing mail sender address as malicious

![Fig 10: Phishing mail sender address verdict set as malicious](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/08/word-image-302566-10.png) Fig 10: Phishing mail sender address verdict set as malicious

**Conclusion**

These enhancements to our Cortex phishing playbooks are a significant step forward in the battle against phishing. With automation, intelligent analysis, and integration with threat intelligence data, security teams can strengthen their defenses and respond faster and more accurately.
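Two of the features above are, underneath the layout, small pieces of indicator bookkeeping: the "TIM - Indicator Relationships Analysis" step walks the relationship edges TIM holds for an incident's IOCs and keeps the ones that end at a campaign, and the sender-verdict step writes a Malicious verdict onto the sender address so later incidents from that address inherit it. The following is an added example of both, not the playbooks' own code: the relationship tuples, campaign names, infrastructure values and the `campaigns_for_indicators`/`SenderVerdictStore` names are all constructed for illustration, and the internal-domain guard is a caveat added here, since a From header is trivially spoofed and auto-marking one of your own addresses would poison a legitimate indicator.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# A TIM-style relationship edge:
# (source_value, source_type, relationship_name, target_value, target_type).
Relationship = Tuple[str, str, str, str, str]

# Constructed sample relationships standing in for what a TIM-linked feed would
# supply. The campaign names and infrastructure values are invented.
SAMPLE_RELATIONSHIPS: List[Relationship] = [
    ("198.51.100.7", "IP", "related-to", "Paper Trail", "Campaign"),
    ("docs-share.example", "Domain", "related-to", "Paper Trail", "Campaign"),
    ("docs-share.example", "Domain", "resolves-to", "198.51.100.7", "IP"),
    ("Bogus Invoice Wave", "Campaign", "uses", "invoice-portal.example", "Domain"),
]


def campaigns_for_indicators(
    iocs: Iterable[str], relationships: Iterable[Relationship]
) -> Dict[str, Set[str]]:
    """Map each incident IOC to the campaigns it is linked to.

    Only edges whose other end is of type Campaign count; infrastructure edges
    such as resolves-to are ignored here. Edges are checked in both directions
    because a feed may store the campaign as either source or target. IOCs with
    no campaign link are left out so the layout section stays empty for them.
    """
    linked: Dict[str, Set[str]] = {ioc: set() for ioc in iocs}
    for src, src_type, _name, dst, dst_type in relationships:
        if src in linked and dst_type == "Campaign":
            linked[src].add(dst)
        if dst in linked and src_type == "Campaign":
            linked[dst].add(src)
    return {ioc: names for ioc, names in linked.items() if names}


@dataclass
class SenderVerdictStore:
    """Minimal stand-in for the TIM indicator verdict store (hypothetical)."""

    verdicts: Dict[str, str] = field(default_factory=dict)
    # Added caveat, not from the page: never auto-poison one of your own
    # domains because the From address of a phishing mail is easily spoofed.
    internal_domains: Set[str] = field(default_factory=set)

    def record_incident_verdict(self, sender: str, incident_verdict: str) -> bool:
        """Propagate a Malicious incident verdict to the sender address.

        Returns True when the address was marked. Any other incident verdict,
        or a sender in an internal domain, leaves the store untouched.
        """
        if incident_verdict != "Malicious":
            return False
        address = sender.strip().lower()
        domain = address.rsplit("@", 1)[-1]
        if domain in self.internal_domains:
            return False
        self.verdicts[address] = "Malicious"
        return True

    def prior_verdict(self, sender: str) -> str:
        """What a subsequent incident from the same sender address sees."""
        return self.verdicts.get(sender.strip().lower(), "Unknown")


if __name__ == "__main__":
    print(campaigns_for_indicators(["198.51.100.7", "docs-share.example"], SAMPLE_RELATIONSHIPS))
    store = SenderVerdictStore(internal_domains={"corp.example"})
    store.record_incident_verdict("billing@invoice-portal.example", "Malicious")
    print(store.prior_verdict("Billing@invoice-portal.example"))
```

The lookup is deliberately one hop: an IOC that only resolves to an IP which is itself tied to a campaign is not reported as campaign-linked, which keeps the layout section free of inferred attributions an analyst did not ask for. If you want transitive links, add a second pass over the IPs collected from resolves-to edges rather than loosening the type check.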