// phishing investigation

Phishing Email Investigation

Step-by-step workflow to analyze suspicious emails, verify sender authenticity, identify phishing indicators, and document your findings for incident response.

// email analyser

Phishing Email Analyser

Paste raw email content for instant client-side triage. No server processing, no AI required.

Processed entirely in your browser. Nothing is sent to our servers.

Prefer the manual workflow? Follow the step-by-step investigation below.

  • Suspicious email reported by a user
  • Email authentication failures detected
  • Potential spear-phishing attempt
[01]

Header & Authentication Analysis

You are a SOC analyst investigating a suspicious email. I will paste the full email headers below. Analyze the following: 1. Originating IP address — is it consistent with the claimed sender domain? 2. SPF result — pass, fail, or softfail? 3. DKIM result — pass or fail? Which domain signed it? 4. DMARC result — pass or fail? 5. From display name vs actual email address — do they match? 6. Reply-To address — does it differ from the From address? 7. Routing hops — are there any unusual or unexpected mail servers in the path? 8. Mail client or sending infrastructure — what was used to send this? Present findings as a structured table. Flag any authentication failures or mismatches in bold. Conclude with: Authentication Risk Level — Low / Medium / High IMPORTANT: Paste full headers, not just the email body. Headers contain ~40% more useful forensic data. [PASTE FULL EMAIL HEADERS HERE]
[02]

Body & Social Engineering Analysis

Based on the email body below, perform a social engineering analysis. First analyze patterns, then produce findings. Identify: 1. Urgency or fear language — list exact phrases used 2. Who is being impersonated — sender, brand, or authority figure 3. What action the email wants the recipient to take 4. Any grammar, spelling, or formatting anomalies that indicate non-native writing or automation 5. Spear-phishing indicators — does this email reference personal details, job role, or company-specific information? 6. Pretexting — what false scenario is being constructed? Rate the sophistication level: Low / Medium / High Explain your rating in 2-3 sentences. [PASTE EMAIL BODY HERE]
[03]

IOC Extraction

Extract all Indicators of Compromise from the email headers and body analyzed in Steps 1 and 2. Organize by category: IP ADDRESSES - List all IPs found in headers with their role (sending server, relay, etc.) DOMAINS - List all domains found - Flag any that use typosquatting, lookalike spelling, or unusual TLDs - Note any legitimate services being abused (e.g. Google Drive, Dropbox links used for payload delivery) URLS - List all full URLs found in the email body - Flag any URL shorteners or redirect chains EMAIL ADDRESSES - Sender, Reply-To, and any addresses mentioned in the body FILE NAMES OR HASHES - Any attachments referenced or included For each IOC note: Type, Value, Suspicious Indicator (why it is flagged) Format as a table.
[04]

SOC Triage Report

Generate a final phishing investigation report based on all previous steps. Use this exact structure: VERDICT: [Phishing / Likely Phishing / Suspicious / Benign] CONFIDENCE: [High / Medium / Low] ATTACK TYPE: [Credential Harvest / Malware Delivery / BEC / Spear Phishing / Other] TARGET: [Individual / Department / Organization-wide] KEY EVIDENCE - Authentication failures: [list] - Social engineering techniques: [list] - Suspicious IOCs: [list] FULL IOC LIST [Copy from Step 3 output] RECOMMENDED ACTIONS Immediate: - [e.g. Block sender domain at email gateway] - [e.g. Search mail logs for other recipients of this campaign] Investigative: - [e.g. Check if any recipients clicked the link] - [e.g. Pull proxy logs for destination domain] User-Facing: - [e.g. Notify recipient, advise password reset if credentials were entered] - [e.g. Send awareness alert to broader team if campaign is widespread]

Example Output

Here's what you can expect after completing this workflow:

PHISHING INVESTIGATION REPORT ============================== Report ID: PHI-2024-0142 Analyst: SOC Team Date: 2024-01-15 16:45:00 UTC INCIDENT SUMMARY ================ Subject: "Urgent: Verify Your Account - Action Required Within 24 Hours" Sender Display Name: Microsoft Security Team Sender Email: security-noreply@microsoft-account-verify.com Reported By: jane.doe@company.com Date Received: 2024-01-15 09:23:15 UTC Recipients: 47 users in organization Initial Verdict: CONFIRMED PHISHING PHISHING INDICATORS IDENTIFIED =============================== ✓ Header Spoofing: PRESENT - From address does not match Microsoft domains ✓ Domain Impersonation: PRESENT - Typosquatting (microsoft-account-verify.com) ✓ URL Manipulation: PRESENT - Hidden redirect URLs detected ✗ Malicious Attachments: NOT PRESENT ✓ Social Engineering: PRESENT - Urgency tactics and fear-based messaging ✓ Authentication Failures: PRESENT - SPF FAIL, DMARC FAIL ✓ Poor Grammar: NOT PRESENT - Well-written (sophisticated phishing) TECHNICAL ANALYSIS SUMMARY ========================== Email Authentication: - SPF: FAIL (sender not authorized by microsoft.com) - DKIM: NONE (no signature present) - DMARC: FAIL (policy=reject, but email delivered due to filter bypass) - Return-Path: bounces@185.220.101.45 Sender Reputation: - Domain Age: 3 days (registered 2024-01-12) - IP Address: 185.220.101.45 (Netherlands) - IP Reputation: MALICIOUS (listed on 4 blocklists) - Trust Score: 5/100 (Highly Suspicious) URL Analysis: Primary URL: hxxps://microsoft-account-verify[.]com/signin/verify?token=abc123 - Actual Destination: hxxp://185.220.101.67/harvest/ms.php - Domain Reputation: MALICIOUS (newly registered, typosquatting) - Redirects through: bit[.]ly/3xK9mN (URL shortener for obfuscation) - Purpose: Credential harvesting page Confidence Level: HIGH (99% certain this is malicious phishing) INDICATORS OF COMPROMISE (IOCs) ================================ Malicious Domains: - microsoft-account-verify[.]com - account-security-verify[.]com (redirect chain) IP Addresses to Block: - 185.220.101.45 (sending server) - 185.220.101.67 (phishing page host) Sender Addresses: - security-noreply@microsoft-account-verify[.]com - no-reply@account-security-verify[.]com URL Patterns: - hxxps://microsoft-account-verify[.]com/* - hxxp://185.220.101.67/* USER IMPACT ASSESSMENT ======================= Delivered to: 47 users Opened by: 12 users (confirmed via email tracking) Clicked Link: 3 users (jane.doe@, john.smith@, alice.johnson@) Submitted Credentials: UNKNOWN (requires investigation) Potential Impact: CRITICAL - Possible credential compromise RECOMMENDED ACTIONS =================== IMMEDIATE (Complete within 1 hour): 1. Force password reset for 3 users who clicked the link 2. Enable MFA on affected accounts if not already active 3. Delete all instances of this email from all mailboxes 4. Block sender domain and IPs at email gateway 5. Block malicious URLs at web proxy/firewall 6. Monitor affected users' accounts for suspicious activity INVESTIGATION (Complete within 24 hours): 1. Review authentication logs for affected users (past 48 hours) 2. Check for successful logins from unusual locations/IPs 3. Scan affected users' devices for malware 4. Search email logs for similar campaigns (same IPs/patterns) 5. Interview users who clicked to determine if credentials were entered PREVENTIVE (Complete within 1 week): 1. Implement stricter DMARC enforcement policy 2. Update email security rules to flag new domains (<30 days) 3. Deploy user awareness training on Microsoft impersonation 4. Configure advanced threat protection for URL rewriting 5. Create custom detection rules for similar campaigns INCIDENT CLASSIFICATION ======================== MITRE ATT&CK Techniques: - T1566.002: Phishing - Spear Phishing Link - T1598.003: Phishing for Information - Spear Phishing Link - T1078: Valid Accounts (if credentials compromised) Incident Severity: HIGH Requires Escalation: YES Escalate To: Security Manager, IT Leadership Estimated Impact: Potential compromise of 3 user accounts, possible lateral movement if credentials harvested NEXT STEPS ========== 1. Monitor affected accounts for 30 days 2. File abuse report with domain registrar 3. Report to Anti-Phishing Working Group (APWG) 4. Update threat intelligence feeds with IOCs 5. Document lessons learned for future prevention

Generate SOC Investigation Summary

Populate a ready-to-paste investigation report for your ticket or incident log.

Copied!

Get new workflows in your inbox

Stay updated when new SOC workflows drop. No spam, unsubscribe anytime.