Responds to phishing incidents by analyzing reported emails, extracting indicators, assessing credential compromise, quarantining malicious messages across the organization, and remediating affected accounts. Covers email header analysis, URL/attachment sandboxing, and mailbox-wide purge operations. Activates for requests involving phishing response, email incident, credential phishing, spear phishing investigation, or phishing remediation.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionconducting-phishing-incident-responseExecute the skills CLI command in your project's root directory to begin installation:
Fetches conducting-phishing-incident-response from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate conducting-phishing-incident-response. Access via /conducting-phishing-incident-response in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | conducting-phishing-incident-response |
| description | 'Responds to phishing incidents by analyzing reported emails, extracting indicators, assessing credential compromise, quarantining malicious messages across the organization, and remediating affected accounts. Covers email header analysis, URL/attachment sandboxing, and mailbox-wide purge operations. Activates for requests involving phishing response, email incident, credential phishing, spear phishing investigation, or phishing remediation. ' |
| domain | cybersecurity |
| subdomain | incident-response |
| tags | - phishing-response - email-security - credential-compromise - email-header-analysis - mailbox-remediation |
| mitre_attack | - T1566 - T1204 - T1534 - T1598 |
| version | 1.0.0 |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - RS.MA-01 - RS.MA-02 - RS.AN-03 - RC.RP-01 |
Do not use for business email compromise (BEC) involving compromised internal accounts; use BEC response procedures which focus on account takeover investigation.
Evaluate the reported email to determine if it is malicious:
Email Header Analysis Checklist:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Return-Path: billing@spoofed-domain[.]com
From: "IT Support" <support@corp-lookalike[.]com>
Reply-To: attacker@gmail[.]com (different from From)
SPF: FAIL (sender IP not authorized for domain)
DKIM: FAIL (signature invalid)
DMARC: FAIL (policy: none - no enforcement)
Received: from mail.attacker-infra[.]net [45.33.x.x]
X-Originating-IP: 45.33.x.x
Message-ID: <[email protected]>
Classification criteria:
Examine URLs and attachments in a safe environment:
URL Analysis:
Attachment Analysis:
Identify all recipients and assess who interacted with the phishing email:
Scope Assessment:
━━━━━━━━━━━━━━━━
Total Recipients: 47 users
Delivered to Inbox: 38 users (9 caught by email gateway)
Opened Email: 24 users (email tracking pixel data)
Clicked Link: 8 users (proxy/firewall logs)
Entered Credentials: 3 users (phishing page submitted form data)
Opened Attachment: 2 users (EDR process execution telemetry)
Search methods:
Execute containment actions based on impact assessment:
Email Containment:
Account Containment (for users who entered credentials):
# Microsoft 365: Revoke sessions and reset password
Connect-AzureAD
Revoke-AzureADUserAllRefreshToken -ObjectId "[email protected]"
Set-AzureADUserPassword -ObjectId "[email protected]" -ForceChangePasswordNextLogin $true
# Check for mailbox forwarding rules
Get-InboxRule -Mailbox "[email protected]" | Where-Object {$_.ForwardTo -or $_.RedirectTo}
# Remove suspicious forwarding rules
Remove-InboxRule -Mailbox "[email protected]" -Identity "Rule Name"
Remove all traces of the phishing attack:
Strengthen defenses against similar phishing attacks:
| Term | Definition |
|---|---|
| Spear Phishing | Targeted phishing attack crafted for a specific individual or organization using personalized content |
| Credential Harvesting | Phishing technique that mimics a legitimate login page to capture usernames and passwords |
| SPF (Sender Policy Framework) | Email authentication protocol that specifies which mail servers are authorized to send email for a domain |
| DKIM (DomainKeys Identified Mail) | Email authentication method using cryptographic signatures to verify that an email was not altered in transit |
| DMARC | Policy framework that uses SPF and DKIM to determine email authenticity and instructs receivers on handling failures |
| OAuth Consent Phishing | Attack that tricks users into granting malicious OAuth applications access to their email and data |
| Email Header | Metadata embedded in every email containing routing, authentication, and sender information used for forensic analysis |
Context: Users report an email claiming to be from IT requiring MFA re-enrollment. The email contains a QR code that links to a convincing Microsoft 365 login page clone hosted on a compromised WordPress site.
Approach:
Pitfalls:
PHISHING INCIDENT RESPONSE REPORT
===================================
Incident: INC-2025-1602
Date Reported: 2025-11-16T09:15:00Z
Reported By: [email protected]
Classification: Credential Phishing (AiTM)
EMAIL ANALYSIS
Subject: "Action Required: MFA Re-enrollment"
Sender: it-support@corp-security[.]com (spoofed)
SPF: FAIL | DKIM: FAIL | DMARC: FAIL
Phishing URL: hxxps://compromised-site[.]com/ms365/login
Phishing Type: Microsoft 365 AiTM credential harvester
IMPACT ASSESSMENT
Recipients: 47
Clicked Link: 8
Credentials Entered: 3 (confirmed via proxy POST data)
CONTAINMENT ACTIONS
[x] Email purged from all 47 mailboxes
[x] Phishing domain blocked at web proxy
[x] Sender domain blocked at email gateway
[x] 3 compromised accounts: passwords reset, sessions revoked
[x] Mailbox forwarding rules reviewed (1 malicious rule removed)
[x] OAuth app grants reviewed (no unauthorized grants found)
IOCs EXTRACTED
Domain: corp-security[.]com
URL: hxxps://compromised-site[.]com/ms365/login
IP: 104.21.x.x (Cloudflare-hosted)
Sender: it-support@corp-security[.]com
RECOMMENDATIONS
1. Implement DMARC enforcement (p=reject) for corp domain
2. Deploy QR code scanning in email gateway
3. Send targeted awareness notification to all 47 recipients
4. Request domain takedown via registrar abuse contact
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
I recommend conducting-phishing-incident-response for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
conducting-phishing-incident-response reduced setup friction for our internal harness; good balance of opinion and flexibility.
conducting-phishing-incident-response has been reliable in day-to-day use. Documentation quality is above average for community skills.
We added conducting-phishing-incident-response from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
I recommend conducting-phishing-incident-response for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
Registry listing for conducting-phishing-incident-response matched our evaluation — installs cleanly and behaves as described in the markdown.
conducting-phishing-incident-response fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Solid pick for teams standardizing on skills: conducting-phishing-incident-response is focused, and the summary matches what you get after install.
We added conducting-phishing-incident-response from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.
Registry listing for conducting-phishing-incident-response matched our evaluation — installs cleanly and behaves as described in the markdown.
showing 1-10 of 72