v3rm1n.log

Stopping my First Phishing Campaign

I recently had the chance to act before things got away from me, which left me feeling accomplished and confirmed my love for blue team operations, triaging events, and information security.

It was a normal day in the office: configuring switches, checking logs, and monitoring network health. I decided to take a lunch break and head to my favorite deli for a good meal and a scroll through my phone... but that was cut short when a flurry of notifications hit my work cell.

It’s summer break, so things slow down substantially. A lot of staff don’t even check their email regularly. But today, luckily, several people did — and started marking a specific email as phishing. When the first few alerts from Google Workspace came in, I decided to cut lunch short and head back to the office.

I jumped into my investigation tools and located the flagged email. My search pulled nearly 600 hits. The emails came from another educational domain — which is why they bypassed Google’s built-in protections and appeared legitimate. The subject line impersonated our superintendent, asking users to click a fake Google Forms link.

I pulled the emails from inboxes and started investigating who clicked the link. Then I began resetting their sign-on cookies. Unfortunately, a good handful of people clicked through… ugh. But I was ahead of the curve. I knew session hijacking was a risk — even if I don’t fully understand every technical detail of how that’s done, I know it’s possible.

I think I acted just in time. Right after resetting cookies, I received an alert from our IdP provider about a failed Duo authentication attempt — tied to one of the users who had clicked the phishing link. That confirmed my suspicion. I reached out to everyone on the list, confirmed password resets, and thankfully none of them had entered credentials (according to them, anyway).
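The triage steps described above (find everyone who received the lure, separate out those who clicked the link, and prioritize anyone whose click lines up with a failed MFA event) can be expressed as a small correlation script. The following is an added example written for this post, not the author's tooling; every user, domain, URL and record layout in it is constructed, and a real Google Workspace mail export, URL-click log or Duo alert feed would use its own field names.

```python
"""Phishing triage: correlate delivered mail, link clicks and IdP alerts.

Added example (not the author's tooling). All data below is constructed and
hypothetical; the record shapes are simplified stand-ins for real exports.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Campaign indicators (assumed values for this example)
PHISH_SENDER_DOMAIN = "other-district.example"   # the sending EDU domain
PHISH_SUBJECT_MARKER = "superintendent"          # impersonated name in the subject
PHISH_URL_HOST = "forms-lookalike.example"       # the fake Google Forms host

# Constructed sample records
DELIVERED = [
    {"recipient": "alice@district.example", "sender": "it@other-district.example",
     "subject": "Message from the Superintendent - action required"},
    {"recipient": "bob@district.example", "sender": "it@other-district.example",
     "subject": "Message from the Superintendent - action required"},
    {"recipient": "carol@district.example", "sender": "it@other-district.example",
     "subject": "Message from the Superintendent - action required"},
    {"recipient": "dave@district.example", "sender": "it@other-district.example",
     "subject": "Message from the Superintendent - action required"},
    # Legitimate mail from the same domain: must NOT be swept up in the purge
    {"recipient": "erin@district.example", "sender": "registrar@other-district.example",
     "subject": "Transcript request"},
]
CLICKS = [
    {"user": "bob@district.example", "url": "https://forms-lookalike.example/view?id=1"},
    {"user": "carol@district.example", "url": "https://forms-lookalike.example/view?id=1"},
    # Unrelated click on an internal site: not a campaign click
    {"user": "dave@district.example", "url": "https://intranet.district.example/portal"},
]
IDP_ALERTS = [
    {"user": "carol@district.example", "event": "mfa_failed"},
    {"user": "erin@district.example", "event": "mfa_failed"},  # not a clicker; background noise
]


def campaign_messages(delivered, sender_domain=PHISH_SENDER_DOMAIN,
                      subject_marker=PHISH_SUBJECT_MARKER):
    """Messages that match BOTH the sending domain and the subject lure."""
    matched = []
    for msg in delivered:
        domain = msg["sender"].rsplit("@", 1)[-1].lower()
        if domain == sender_domain and subject_marker in msg["subject"].lower():
            matched.append(msg)
    return matched


def campaign_clickers(clicks, url_host=PHISH_URL_HOST):
    """Users who visited the lure host; compares the parsed hostname, not a substring."""
    return frozenset(c["user"] for c in clicks if urlparse(c["url"]).hostname == url_host)


@dataclass(frozen=True)
class Triage:
    recipients: frozenset    # everyone who received the lure (purge + awareness)
    clickers: frozenset      # everyone who followed the link (session revoke + reset)
    mfa_failures: frozenset  # users with a failed MFA event in the IdP feed

    @property
    def priority(self):
        """Clickers whose account also shows a failed MFA attempt: look here first."""
        return self.clickers & self.mfa_failures


def triage(delivered, clicks, alerts):
    recipients = frozenset(m["recipient"] for m in campaign_messages(delivered))
    clickers = campaign_clickers(clicks)
    failures = frozenset(a["user"] for a in alerts if a["event"] == "mfa_failed")
    return Triage(recipients, clickers, failures)


def remediation_plan(t):
    """Per-user action list. Clickers are included even if the delivery log missed them."""
    plan = {}
    for user in sorted(t.recipients | t.clickers):
        actions = ["purge_message"]
        if user in t.clickers:
            actions += ["revoke_sessions", "reset_password", "contact_user"]
        if user in t.priority:
            actions.append("review_idp_logs")
        plan[user] = actions
    return plan


if __name__ == "__main__":
    for user, actions in remediation_plan(triage(DELIVERED, CLICKS, IDP_ALERTS)).items():
        print(f"{user}: {', '.join(actions)}")
```

Two details carry the weight here: the legitimate transcript email from the same domain is excluded because matching requires both the domain and the subject lure, and the click correlation compares the parsed hostname so an unrelated URL that merely contains the lure string is not counted. The MFA-failure alert for a non-clicker stays out of the priority set, which is what keeps the first phone calls going to the right people.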

I reported the phishing source to the sending EDU domain’s IT team (though I’m sure they were already aware) and logged everything in my phishing campaign tracker — a glorified spreadsheet, but it works.

In the end, everything settled. No breach. Just a close call.

It was a solid lesson in acting fast before damage is done. If I’d waited even a little longer — or skipped resetting those cookies — someone might’ve slipped in unnoticed. Credentials were secured, users were educated, and I felt good knowing I made the right call.

These moments are great teaching opportunities. Threat actors don’t need much — just one mistake, one click. Helping users slow down and spot the signs of phishing helps protect all of us.

I felt good about stopping this one… even if they’re going to try again in a few weeks.

I’ll be ready.