I am looking for information to use for a project I am doing:

Does anyone have any experience or insight into how they would go about investigating a phishing incident? I am not referring to the normal spam sent to the general population with a link to a phishing site. I am referring to a targeted phishing attack, where an attacker sends an email to employees of a specific company and creates a spoofed web site, possibly mocking their internal intranet web site somehow, in order to trick employees into surrendering their usernames and passwords so the attacker can gain access to the company network for other malicious means.

Since this is hypothetical, I can't give you a solid answer on what the network looks like. Assume they have a firewall between them and the outside world. But what flaws or vulnerabilities would need to exist for an attacker to spoof email to employees so that it appears to come from the company's own tech support? What flaws or vulnerabilities would need to exist for an attacker to spoof an intranet web site or convince users that their malicious web site was legitimate?

Lastly, after such an attack is discovered, what logs or applications would you review to perform a forensic investigation and trace the source of the attacks?