Phishing Exposure Remediation Guides
What to do when phishing data surfaces your users' credentials — response guides for two audiences.
About These Guides
Phishing kits don't just steal passwords. Depending on the kit, a single capture can yield credentials, session cookies, MFA codes, and PII — and SpyCloud recaptures that data from criminal infrastructure, often within minutes of the phish event.
These guides translate SpyCloud phishing signals into specific response actions. Choose the guide that matches your audience and use case.
Choose Your Guide
What These Guides Have in Common
Both guides are built around the same underlying signal: SpyCloud's recapture of phishing kit output from criminal infrastructure. Whether the exposed user is a customer or an employee, the same core principles apply.
| Signal | Severity | What It Means | Required Response |
|---|---|---|---|
| Credential capture | 20+ (High) | Plaintext password in criminal hands | Immediate reset + session revocation |
| Phishing target list | 5 (Email Only) | User targeted; phish may not have landed yet | Elevated monitoring + optional advance notification |
Scope Note: The `breach_category` and `breach_title` fields that identify phishing-sourced records are available on records from 2026 onward. Historical records pre-2026 do not yet carry these fields. Searching and filtering by these fields is on the product roadmap.
Related Reading
- AiTM: The Complete Guide — how adversary-in-the-middle kits bypass MFA and steal session cookies in real time
- Threat Data Guide — SpyCloud's four data types (breach, malware, phishing, combolist) and the recommended response for each
- Communicating with Exposed Users — best practices for user notification language and timing
💬 Questions? Contact your SpyCloud Customer Success Manager or log in to submit a support ticket.