Phishing Exposure Remediation Guide for Employees
Protecting your employees when a phishing attack succeeds.
For: Workforce Threat Protection, Endpoint Threat Protection, and Active Directory Guardian Customers
Overview
SpyCloud recaptures data from phishing kits and campaigns before it is used against the organizations it was stolen from. This guide covers how phishing exposure surfaces in SpyCloud products, how to interpret what you see, and the exact steps to take when an employee is affected.
This guide covers credential and email exposure from phishing sources as they appear today in SpyCloud Workforce Threat Protection, Endpoint Threat Protection, and Active Directory Guardian (ADG). AiTM session token capture and device code phishing token capture appear in SpyCloud's data; guidance on those specific record types will be added to this guide as those features reach general availability.
What SpyCloud Recaptures from Phishing
Not all phishing records carry the same risk. SpyCloud surfaces three distinct types of phishing captures, and the response for each is different.
1. Credential Capture (High severity)
A plaintext password was submitted to a phishing page and captured by the kit. This is the highest-risk finding. The attacker has a working credential.
- Severity in SpyCloud: High
- What it means: The employee entered their username and password on a spoofed login page. That credential is now in criminal hands.
- What to do: Credential reset plus full session revocation. Do not treat this as a password-only event. Modern phishing kits blend credential capture with session harvesting. Treat every High severity phishing record as a potential session compromise and revoke sessions as well as resetting credentials.
2. Phishing Target List Inclusion (Email Only severity)
The employee's email address was loaded into an active phishing kit as a target. Lure delivery is likely. Whether they clicked or submitted anything is not confirmed from this record alone.
- Severity in SpyCloud: Email Only
- What it means: A live campaign was actively targeting your domain. Other employees on the same list may have already been, or may soon be, compromised.
- What to do: Treat as advance warning. Alert the employee, warn the team, and watch for follow-on High severity records from the same phishing kit source.
3. Informational Phishing Data
Email address appeared in phishing-related data without confirmed credential capture. Typically from public exposure lists or email enumeration data.
- Severity in SpyCloud: Informational
- What it means: Lower immediate risk. No credential confirmed stolen.
- What to do: Log and monitor. No immediate remediation required.
How Phishing Exposure Surfaces in SpyCloud Products
SpyCloud Console (Workforce Threat Protection, Endpoint Threat Protection)
All phishing records appear in the Corporate tab of Identity Records, not a separate phishing section. This is where all non-malware records are classified today, regardless of severity.
You will also receive an email alert when new records are published for a monitored domain. The alert shows the domain and severity level. Log in to the console to see the individual records.
To find phishing records specifically, search keyword "phish" and filter by the severity tier you want to review.
To surface only High severity phishing records (confirmed credential captures), filter Severity to High and search "phish".
To surface target list inclusions (Email Only records), filter Severity to Email Only and search "phish".
Each record shows the Source Name (phishing kit name), Publish Date, Phished Time (when the phish occurred), the affected Email, and a masked Password field for High severity records. Clicking on a Source Name opens the breach details for that phishing kit.
SpyCloud Portal
In the portal, the same filtering applies: navigate to your domain's data, filter to High severity or Email Only severity, and search "phish" to isolate phishing records.
An additional capability in the portal: you can click the Source Name directly to see all email addresses captured from that specific phishing kit in a single view.
Active Directory Guardian (ADG)
ADG automates credential remediation when a High severity phishing record matches an employee identity in your Active Directory.
- ADG triggers a forced password reset automatically when a captured credential matches the employee's current Active Directory password.
- This requires a High severity record, meaning a plaintext password was captured and matches what is in AD.
- Email Only and Informational records do not trigger ADG automation.
ADG handles forced credential reset. Session revocation through your IdP (Entra ID, Okta) is a separate action and is performed manually in your IdP admin console. Instructions are in the remediation steps section below.
Severity Reference: What Each Level Means
| Severity Level | What It Means | What to Do |
|---|---|---|
| High | Plaintext password captured | Credential reset + session revocation immediately |
| Email Only | Email on phishing target list; no credential captured | Monitor for follow-on phishing; treat as advance warning |
| Informational | Email associated with informational-only data | Log and monitor; no immediate remediation required |
Remediation Steps: High Severity Phishing Record
When a High severity phishing record surfaces for an employee, execute these steps in order. Do not skip session revocation. Modern phishing kits increasingly blend credential capture with session harvesting, even when SpyCloud's data shows only a credential capture.
A credential reset alone is insufficient. Treat every High severity phishing record as a potential session compromise and revoke active sessions alongside resetting credentials.
| Step | Action | Details |
|---|---|---|
| 1 | Force credential reset | Reset the compromised employee's password immediately. ADG automates this for High severity records where the captured password matches Active Directory. |
| 2 | Revoke active sessions via your IdP | Sign in to your identity provider admin console (Microsoft Entra ID, Okta, or equivalent) and revoke all active sessions for the affected user. This is a manual action that your admin executes directly in the IdP console; ADG does not perform it. Revocation invalidates refresh tokens and session cookies, but access tokens already issued stay usable until they expire, so move straight on to the MFA and OAuth checks rather than treating revocation as the end of the incident. |
| 3 | Audit MFA factors before re-enrollment | Before allowing the employee to re-enroll MFA, review all registered authentication factors. Remove any unrecognized factors or backup codes. Do not allow re-enrollment until this check is complete. |
| 4 | Audit OAuth app authorizations | In your IdP admin console, review all authorized OAuth applications for the affected account. Revoke any unrecognized third-party app grants. |
| 5 | Monitor for follow-on activity | Review sign-in logs for the affected account from shortly before the record's Phished Time through to remediation, looking for access from unusual locations, devices, client applications, or times. Extend this review to shared mailboxes or systems the employee had access to. |
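The five steps above, driven from the Microsoft Graph PowerShell SDK for an Entra ID tenant. This is an added example, not SpyCloud's or ADG's code. It assumes the responder holds the Graph scopes listed in the script, that the account is cloud-managed (for AD-synced accounts ADG already performs step 1 and the reset flows through directory sync), and that the `$Upn` and `$PhishedTime` parameters are copied from the SpyCloud record's Email and Phished Time fields; those parameter names and the `$LookbackHours` window are this example's own.

```powershell
# Added example (not SpyCloud's or ADG's code): High severity phishing record response in Entra ID.
# Requires Install-Module Microsoft.Graph. $Upn and $PhishedTime come from the SpyCloud record.
param(
    [Parameter(Mandatory)] [string]   $Upn,
    [Parameter(Mandatory)] [datetime] $PhishedTime,
    [int] $LookbackHours = 24   # audit sign-ins from this long before the phish onward
)

Connect-MgGraph -NoWelcome -Scopes 'User.ReadWrite.All', 'UserAuthenticationMethod.ReadWrite.All',
    'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All', 'AuditLog.Read.All'

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName

# Step 1: force a credential reset. A random temporary password, delivered to the employee out of
# band and changed at next sign-in; never reuse or email the old one.
$tempPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# Step 2: revoke active sessions. This invalidates refresh tokens and browser session cookies;
# access tokens already issued keep working until they expire, so steps 3 and 4 follow at once.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Step 3: list every registered MFA factor before re-enrollment. Confirm each one with the
# employee; remove anything unrecognised with the matching cmdlet, e.g.
# Remove-MgUserAuthenticationPhoneMethod or Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod.
Get-MgUserAuthenticationMethod -UserId $user.Id |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }, AdditionalProperties |
    Format-List

# Step 4: delegated OAuth consents this user granted. Revoke any app the employee does not recognise.
foreach ($grant in Get-MgUserOauth2PermissionGrant -UserId $user.Id -All) {
    $app = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId -Property DisplayName, AppId
    [pscustomobject]@{ App = $app.DisplayName; AppId = $app.AppId; Scope = $grant.Scope; GrantId = $grant.Id }
}
# After review: Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>

# Step 5: sign-ins from just before the phish until now. New IPs, countries, devices or client
# apps in this window are the follow-on activity to hunt for; review shared mailboxes separately.
$since = $PhishedTime.ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" |
    Select-Object CreatedDateTime, IpAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } },
        AppDisplayName, ClientAppUsed,
        @{ n = 'Error'; e = { $_.Status.ErrorCode } } |
    Sort-Object CreatedDateTime | Format-Table -AutoSize
```

Run it as `.\Respond-PhishRecord.ps1 -Upn a.lee@example.com -PhishedTime '2025-05-02T07:44:00Z'` (script name is illustrative). Steps 3 and 4 deliberately only list; the removal cmdlets are left as comments because deciding which factor or consent is hostile needs a conversation with the employee. Okta exposes the same actions over its REST API, for example `DELETE /api/v1/users/{id}/sessions` to clear sessions and `GET /api/v1/users/{id}/factors` to enumerate enrolled factors.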
Responding to a Phishing Target List Hit (Email Only)
An Email Only record means SpyCloud found your employee's address loaded into an active phishing kit. No credential has been confirmed stolen from this record, but a live campaign was actively targeting your domain. Think of it as a heads-up.
- Notify the affected employee that their address was detected on an active phishing target list. Ask them to be alert for suspicious emails, particularly any that prompt them to log in or verify credentials.
- Check whether other employees are included in the same phishing kit. In the SpyCloud console, copy and search the Source Name from the record. This surfaces all addresses from the same kit and tells you the full scope of who is being targeted.
- Pass the affected addresses to IT or your email security team. Most email security platforms can apply additional scrutiny, filtering rules, or enhanced scanning to specific addresses. A named target list hit is exactly the kind of signal worth acting on at the inbox level.
- If even one employee's address surfaces on a phishing target list, treat it as a signal for phishing awareness outreach to all employees, not just the affected individual. A campaign targeting your domain is a campaign targeting everyone at it.
- Watch for High severity records from the same source in the following days. A target list hit often precedes a confirmed credential capture from the same campaign.
A target list hit is a leading indicator, not a false alarm. The same guidance and warnings you send employees about phishing still apply here, just with more urgency: a real campaign has specifically loaded your domain's addresses into an active kit.
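Scoping a target list hit across a batch of records, as an added example rather than a SpyCloud feature: it groups records by Source Name, flags kits where an Email Only hit has been followed by a High record (the escalation the section above tells you to watch for), measures phish-to-publish lag from the Phished Time and Publish Date fields a record shows, and lists the addresses to pass to the email security team. It assumes records were exported from the console as CSV with the column names a record displays; the export format and the sample rows are constructed for illustration and are not SpyCloud data.

```powershell
# Added example, not SpyCloud's code. Constructed sample export; column names follow the
# fields shown on a record (Source Name, Publish Date, Phished Time, Email, Severity).
$csv = @'
Source Name,Publish Date,Phished Time,Email,Severity
Kratos 2FA,2025-05-02T09:40:00Z,2025-05-02T07:44:00Z,a.lee@example.com,High
Kratos 2FA,2025-05-01T18:00:00Z,,b.chen@example.com,Email Only
Kratos 2FA,2025-05-01T18:00:00Z,,a.lee@example.com,Email Only
FlowerStorm PhaaS,2025-05-03T11:10:00Z,,c.diaz@example.com,Email Only
Public exposure list,2025-04-28T00:00:00Z,,d.okafor@example.com,Informational
'@
$records = $csv | ConvertFrom-Csv

$report = $records | Group-Object 'Source Name' | ForEach-Object {
    $high      = @($_.Group | Where-Object Severity -eq 'High')
    $emailOnly = @($_.Group | Where-Object Severity -eq 'Email Only')
    # Phish-to-publish lag in minutes, only where the record carries a Phished Time.
    $lags = foreach ($r in $high) {
        if ($r.'Phished Time') {
            ([datetime]::Parse($r.'Publish Date') - [datetime]::Parse($r.'Phished Time')).TotalMinutes
        }
    }
    [pscustomobject]@{
        Source        = $_.Name
        Targeted      = ($_.Group.Email | Sort-Object -Unique).Count
        EmailOnly     = $emailOnly.Count
        High          = $high.Count
        # An Email Only hit and a High record from the same kit: the campaign escalated.
        Escalated     = ($emailOnly.Count -gt 0 -and $high.Count -gt 0)
        MinLagMinutes = if ($lags) { [math]::Round(($lags | Measure-Object -Minimum).Minimum) } else { $null }
        Priority      = if ($high.Count -gt 0) { 1 } elseif ($emailOnly.Count -gt 0) { 2 } else { 3 }
    }
} | Sort-Object Priority, @{ Expression = 'Targeted'; Descending = $true }

$report | Format-Table -AutoSize

# Everyone on a kit that has already produced a capture: hand these to the email security team
# and start the outreach in the section above.
$records |
    Where-Object { $_.'Source Name' -in ($report | Where-Object Escalated).Source } |
    Select-Object -ExpandProperty Email -Unique
```

With the sample rows, Kratos 2FA reports two targeted addresses, one Email Only and one High record, Escalated set, and a 116 minute lag; the Informational row sorts last and produces no hand-off addresses. Replace the here-string with `Import-Csv` over a real export and the rest is unchanged.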
Why Speed Matters: Time from Phish to Criminal Use
SpyCloud data shows how quickly compromised credentials from major phishing kits appear in criminal infrastructure after the phish occurs. For the leading kits SpyCloud monitors:
Time to Publish by Kit
- FlowerStorm PhaaS: captured credentials can appear in SpyCloud data as little as 110 minutes after the phish. 61% of records publish within 24 hours.
- Evilginx: as little as 112 minutes from phish to publish.
- Kratos 2FA: as little as 116 minutes. Nearly 6 in 10 records publish the same day.
- Skyw4lker PhaaS: as little as 116 minutes, with nearly half of records publishing the same day.
- Unknown Phishing Kits (aggregation of multiple sources across 16M+ phished records): as little as 96 minutes after compromise.
What This Means for Your Response
The attacker holds a phished credential from the moment it is submitted. SpyCloud's publish times show how quickly that record can surface to you afterwards, in as little as 96 minutes; from that point the window of exposure is the time your team takes to reset the credential and revoke sessions.
Every minute shaved off that response shortens the attacker's opportunity to use the credential before it is reset and sessions are revoked.
What Phishing Can Expose Beyond Credentials
A successful phish does not only expose usernames and passwords. Depending on what the phishing page was designed to harvest, a single capture can include:
Authentication Data
- Usernames and plaintext passwords
- Multi-factor authentication (MFA) codes entered on the spoofed page
- Security question answers
Financial & Personal Data
- Credit card numbers
- Social Security numbers and national ID numbers
- Bank account numbers
- Other personally identifiable information (PII) submitted during the fake flow
The Breach Details page for any phishing source shows the data types present in that capture. Review this when responding to a High severity record to understand the full scope of what may have been exposed.
For technical questions: submit a ticket from within your SpyCloud account, or contact your SpyCloud Customer Success Manager for guidance on your specific use case and response workflows.