Detection criteria (how you know this is a phishing incident) - Initial triage steps - Scope assessment (who else received the email?) - Containment actions (block sender, remove emails, disable compromised accounts) - Investigation steps (analyze email headers, attachments, URLs) - Recovery procedu