Step-by-step workflow to analyze suspicious emails, verify sender authenticity, identify phishing indicators, and document your findings for incident response.
You are a SOC analyst investigating a suspicious email. I will paste the full email headers below.
Analyze the following:
1. Originating IP address — is it consistent with the claimed sender domain?
2. SPF result — pass, fail, or softfail?
3. DKIM result — pass or fail? Which domain signed it?
4. DMARC result — pass or fail?
5. From display name vs actual email address — do they match?
6. Reply-To address — does it differ from the From address?
7. Routing hops — are there any unusual or unexpected mail servers in the path?
8. Mail client or sending infrastructure — what was used to send this?
Present findings as a structured table.
Flag any authentication failures or mismatches in bold.
Conclude with: Authentication Risk Level — Low / Medium / High
IMPORTANT: Paste full headers, not just the email body. Headers contain ~40% more useful forensic data.
[PASTE FULL EMAIL HEADERS HERE]
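The eight header checks above can be run mechanically before the prompt is used, so the analyst pastes pre-extracted facts rather than raw headers. The script below is an added example for this page, not tooling from the page's author; it uses only the Python standard library, and the sample headers are constructed (example domains, RFC 5737 test IPs, a made-up Authentication-Results line). The risk mapping at the end is this example's own heuristic.

```python
"""Automated pass over raw email headers for the Step 1 checklist.

Added example for this page, not the page's own tooling. The sample headers
are constructed: example domains, RFC 5737 test IPs, fake ids.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an "account security" notice relayed from an unrelated
# bulk-mail host, unsigned, with a Reply-To that differs from the From address.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10]) by mail.company.example with ESMTPS id abc123; Mon, 15 Jan 2024 09:23:15 +0000
Received: from relay.bulk-sender.example ([198.51.100.77]) by mx.example.net with ESMTP; Mon, 15 Jan 2024 09:23:10 +0000
Authentication-Results: mail.company.example; spf=fail (sender IP is 198.51.100.77) smtp.mailfrom=login-verify.example; dkim=none; dmarc=fail (p=reject) header.from=login-verify.example
From: "Account Security" <security-noreply@login-verify.example>
Reply-To: support@another-domain.example
To: jane.doe@company.example
Subject: Urgent: Verify Your Account
X-Mailer: PHPMailer 6.8.0

"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_auth_results(msg):
    """Read spf/dkim/dmarc verdicts (and the DKIM d= domain) from the
    Authentication-Results header the receiving gateway added."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none", "dkim_domain": None}
    for header in msg.get_all("Authentication-Results", []):
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", header)
            if m:
                results[method] = m.group(1).lower()
        d = re.search(r"header\.d=([\w.-]+)", header)
        if d:
            results["dkim_domain"] = d.group(1).lower()
    return results


def received_hops(msg):
    """(host, ip) per Received header, originating hop first: each relay
    prepends its own Received line, so the last one is the oldest."""
    hops = []
    for header in msg.get_all("Received", []):
        host = re.search(r"from\s+(\S+)", header)
        ip = IPV4_RE.search(header)
        hops.append((host.group(1) if host else None, ip.group(1) if ip else None))
    return list(reversed(hops))


def analyze_headers(raw_headers):
    """Run the eight Step 1 checks and derive an Authentication Risk Level."""
    msg = message_from_string(raw_headers)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    auth = parse_auth_results(msg)
    hops = received_hops(msg)
    origin_host, origin_ip = hops[0] if hops else (None, None)

    flags = []
    if auth["spf"] in ("fail", "softfail"):
        flags.append(f"SPF {auth['spf']}")
    if auth["dkim"] != "pass":
        flags.append(f"DKIM {auth['dkim']}")
    elif auth["dkim_domain"] and not from_domain.endswith(auth["dkim_domain"]):
        flags.append(f"DKIM signed by {auth['dkim_domain']}, not the From domain")
    if auth["dmarc"] != "pass":
        flags.append(f"DMARC {auth['dmarc']}")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("Reply-To differs from From")
    # Check 1: the originating host should belong to the claimed sender domain.
    if from_domain and origin_host and not origin_host.lower().endswith(from_domain):
        flags.append(f"originating host {origin_host} is not under {from_domain}")

    # Risk mapping is this example's own heuristic, not a standard.
    if auth["dmarc"] == "fail" or auth["spf"] == "fail":
        risk = "High"
    elif flags:
        risk = "Medium"
    else:
        risk = "Low"
    return {"originating_ip": origin_ip, "originating_host": origin_host,
            "spf": auth["spf"], "dkim": auth["dkim"], "dkim_domain": auth["dkim_domain"],
            "dmarc": auth["dmarc"], "from_display": display, "from_address": from_addr,
            "reply_to": reply_addr or None, "mailer": msg.get("X-Mailer") or msg.get("User-Agent"),
            "hops": hops, "flags": flags, "risk": risk}


def render_table(f):
    """Plain-text table with failures and mismatches wrapped in ** (bold)."""
    bold = {"SPF": f["spf"] != "pass", "DKIM": f["dkim"] != "pass", "DMARC": f["dmarc"] != "pass",
            "Reply-To": any(x.startswith("Reply-To") for x in f["flags"]),
            "Origin": any(x.startswith("originating") for x in f["flags"])}
    rows = [("Origin", f"{f['originating_ip']} ({f['originating_host']})"),
            ("SPF", f["spf"]), ("DKIM", f"{f['dkim']} d={f['dkim_domain']}"), ("DMARC", f["dmarc"]),
            ("From", f"{f['from_display']} <{f['from_address']}>"), ("Reply-To", f["reply_to"] or "(none)"),
            ("Hops", " -> ".join(h[0] or "?" for h in f["hops"])), ("Mailer", f["mailer"] or "(unknown)")]
    lines = [f"| {name:<9} | {('**' + val + '**') if bold.get(name) else val} |" for name, val in rows]
    lines.append(f"Authentication Risk Level: {f['risk']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(analyze_headers(SAMPLE_HEADERS)))
```

Only the Authentication-Results header written by your own gateway should be trusted; any such header that arrived with the message from an outside relay can be forged, so strip or ignore those before running the parser.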
Step 2: Body & Social Engineering Analysis
Based on the email body below, perform a social engineering analysis.
First analyze patterns, then produce findings.
Identify:
1. Urgency or fear language — list exact phrases used
2. Who is being impersonated — sender, brand, or authority figure
3. What action the email wants the recipient to take
4. Any grammar, spelling, or formatting anomalies that indicate non-native writing or automation
5. Spear-phishing indicators — does this email reference personal details, job role, or company-specific information?
6. Pretexting — what false scenario is being constructed?
Rate the sophistication level: Low / Medium / High
Explain your rating in 2-3 sentences.
[PASTE EMAIL BODY HERE]
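A keyword pass over the body gives the analyst the exact phrases the prompt asks for in items 1, 3, 5 and 6 before any judgement is made. The script below is an added example for this page, not the page's own tooling; the urgency, action, brand and anomaly lists are constructed starting points rather than a vetted corpus, the sample body is constructed, and the sophistication rating is this example's own heuristic.

```python
"""Surface the Step 2 social-engineering signals from an email body.

Added example for this page, not the page's own tooling. The phrase lists are
constructed starting points rather than a vetted corpus, and the sample body
is constructed as well.
"""
import re

URGENCY = [
    r"within \d+ (?:hours?|days?|minutes?)", r"immediately", r"urgent(?:ly)?",
    r"(?:account|access) (?:will be|has been) (?:suspended|locked|closed|terminated)",
    r"action required", r"final (?:notice|warning|reminder)", r"unusual (?:sign-in|activity)",
]
ACTIONS = {
    "credential entry": r"(?:sign in|log ?in|verify your (?:account|identity|password))",
    "link click": r"click (?:here|the link|below)",
    "attachment open": r"(?:open|review) the attach(?:ed|ment)",
    "payment / BEC": r"\b(?:wire transfer|invoice|gift cards?|payment details)\b",
}
BRANDS = ["Microsoft", "Office 365", "PayPal", "DocuSign", "IT Helpdesk", "CEO"]
ANOMALIES = [r"kindly do the needful", r"dear (?:customer|user|sir/madam)", r" {2,}", r"\bpls\b"]

SAMPLE_BODY = """\
Dear Jane,
We detected unusual sign-in activity on your Microsoft account from a new device.
Your account will be suspended within 24 hours unless you verify your identity.
Click here to verify your account: hxxps://login-verify.example/signin
Kindly do the needful.
Microsoft Security Team"""


def _matches(patterns, text):
    """All (position, exact phrase) hits for a list of regexes, in text order."""
    hits = []
    for pat in patterns:
        hits += [(m.start(), m.group(0)) for m in re.finditer(pat, text, re.IGNORECASE)]
    return sorted(hits)


def analyze_body(body, recipient_name=None, company=None, job_title=None):
    """Return the Step 2 findings plus a sophistication rating."""
    urgency = _matches(URGENCY, body)
    anomalies = [text for _, text in _matches(ANOMALIES, body)]
    actions = [name for name, pat in ACTIONS.items() if re.search(pat, body, re.IGNORECASE)]
    brands = [b for b in BRANDS if re.search(rf"\b{re.escape(b)}\b", body, re.IGNORECASE)]
    personal = (("recipient name", recipient_name), ("company", company), ("job title", job_title))
    spear = [label for label, value in personal
             if value and re.search(rf"\b{re.escape(value)}\b", body, re.IGNORECASE)]

    # Pretext: the sentence or line around the earliest urgency phrase is the
    # scenario the sender builds everything else on.
    pretext = None
    if urgency:
        first = urgency[0][1].lower()
        for chunk in re.split(r"(?<=[.!?])\s+|\n", body):
            if first in chunk.lower():
                pretext = chunk.strip()
                break

    # Rating heuristic (this example's own): sloppy writing pulls the rating
    # down, tailoring to the recipient with clean prose pushes it up.
    if len(anomalies) >= 2:
        rating = "Low"
    elif not anomalies and (spear or (brands and urgency)):
        rating = "High"
    else:
        rating = "Medium"
    return {"urgency_phrases": [t for _, t in urgency], "impersonated": brands,
            "requested_actions": actions, "anomalies": anomalies,
            "spear_phishing": spear, "pretext": pretext, "sophistication": rating}


if __name__ == "__main__":
    for key, value in analyze_body(SAMPLE_BODY, recipient_name="Jane").items():
        print(f"{key}: {value}")
```

Pass the recipient's first name, company and job title from the ticket so the spear-phishing check has something to match against; a hit on any of them is the strongest signal that the message was tailored rather than sprayed.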
Step 3: IOC Extraction
Extract all Indicators of Compromise from the email headers and body analyzed in Steps 1 and 2.
Organize by category:
IP ADDRESSES
- List all IPs found in headers with their role (sending server, relay, etc.)
DOMAINS
- List all domains found
- Flag any that use typosquatting, lookalike spelling, or unusual TLDs
- Note any legitimate services being abused (e.g. Google Drive, Dropbox links used for payload delivery)
URLS
- List all full URLs found in the email body
- Flag any URL shorteners or redirect chains
EMAIL ADDRESSES
- Sender, Reply-To, and any addresses mentioned in the body
FILE NAMES OR HASHES
- Any attachments referenced or included
For each IOC note: Type, Value, Suspicious Indicator (why it is flagged)
Format as a table.
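The extraction and the defanging the page shows in its example output (hxxp, [.]) can be scripted so nothing is missed and nothing pasted into the ticket is clickable. The script below is an added example for this page, not the page's own tooling. The shortener, TLD, file-sharing and brand watch-lists are small constructed starting points, the sample text is constructed, and the sha256 shown is the well-known digest of an empty file.

```python
"""Extract, classify and defang the Step 3 IOC categories from headers and body.

Added example for this page, not the page's own tooling. The watch-lists are
small constructed starting points, and the sample text is constructed (the
sha256 shown is the well-known digest of an empty file).
"""
import re
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
UNUSUAL_TLDS = {"xyz", "top", "zip", "click", "icu", "tk", "buzz", "cam"}
FILE_SHARING = {"drive.google.com", "dropbox.com", "onedrive.live.com", "wetransfer.com"}
# Brand keyword -> domains that brand legitimately mails from (constructed, partial).
BRANDS = {"microsoft": {"microsoft.com", "outlook.com", "live.com"}, "paypal": {"paypal.com"}}
EXEC_EXT = {"exe", "scr", "js", "vbs", "hta", "lnk"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.IGNORECASE)
ATTACH_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:exe|scr|js|vbs|hta|lnk|docm|xlsm|iso|zip|rar|pdf|docx?)\b",
                       re.IGNORECASE)

SAMPLE = """\
Received: from relay.bulk-sender.example ([198.51.100.77]) by mx.example.net with ESMTP
From: "Account Security" <security-noreply@microsoft-account-verify.example>
Reply-To: support@paypal-billing-center.xyz
Please verify at https://microsoft-account-verify.example/signin/verify?token=abc123
or use the short link https://bit.ly/sample123. The shared document is at
https://drive.google.com/file/d/1AbC/view and the invoice is attached as
Invoice_2024.pdf.exe (sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855).
"""


def domain_flags(domain):
    """Why a domain is suspicious: shortener, odd TLD, abused file host, lookalike."""
    flags = []
    if domain in SHORTENERS:
        flags.append("URL shortener")
    tld = domain.rsplit(".", 1)[-1]
    if tld in UNUSUAL_TLDS:
        flags.append(f"unusual TLD .{tld}")
    if any(domain == f or domain.endswith("." + f) for f in FILE_SHARING):
        flags.append("legitimate file-sharing service, check for payload delivery")
    for brand, legit in BRANDS.items():
        if brand in domain and not any(domain == d or domain.endswith("." + d) for d in legit):
            flags.append(f"lookalike of {brand}")
    return flags


def defang(value):
    """hxxp:// and [.] so the value cannot be clicked when pasted into a ticket."""
    value = re.sub(r"^http", "hxxp", value, flags=re.IGNORECASE)
    m = re.match(r"^(hxxps?://)([^/]+)(.*)$", value, re.IGNORECASE | re.DOTALL)
    if m:
        return m.group(1) + m.group(2).replace(".", "[.]") + m.group(3)
    return value.replace(".", "[.]")


def extract_iocs(text):
    """Return [{type, value, indicator}] with duplicates collapsed, first sighting kept."""
    iocs = {}

    def add(kind, value, indicator):
        iocs.setdefault((kind, value), {"type": kind, "value": value, "indicator": indicator or "-"})

    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:")
        host = (urlparse(url).hostname or "").lower()
        if IP_RE.fullmatch(host):
            flags = ["IP-literal URL host, no domain to attribute"]
            add("ip", host, flags[0])
        else:
            flags = domain_flags(host)
            add("domain", host, "; ".join(flags))
        add("url", url, "; ".join(flags))
    for addr in EMAIL_RE.findall(text):
        domain = addr.rsplit("@", 1)[-1].lower()
        add("domain", domain, "; ".join(domain_flags(domain)))
        add("email", addr, "; ".join(domain_flags(domain)))
    for ip in IP_RE.findall(text):
        in_received = re.search(rf"^Received:.*{re.escape(ip)}", text, re.MULTILINE)
        add("ip", ip, "seen in Received header (sending/relay server)" if in_received else "seen in body")
    for digest in HASH_RE.findall(text):
        algo = {32: "md5", 40: "sha1", 64: "sha256"}[len(digest)]
        add("hash", digest.lower(), f"{algo} hash, query threat intel / sandbox")
    for name in ATTACH_RE.findall(text):
        parts = name.lower().split(".")
        if parts[-1] in EXEC_EXT:
            note = "double extension, executable disguised as document" if len(parts) > 2 else "executable attachment"
        else:
            note = "document attachment, detonate in a sandbox before trusting"
        add("attachment", name, note)
    return list(iocs.values())


def render_table(iocs):
    """Type | Value (defanged) | Suspicious Indicator."""
    lines = ["| Type | Value | Suspicious Indicator |"]
    for i in iocs:
        shown = defang(i["value"]) if i["type"] in {"ip", "domain", "url", "email"} else i["value"]
        lines.append(f"| {i['type']} | {shown} | {i['indicator']} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(extract_iocs(SAMPLE)))
```

Run it over the concatenated headers and body from Steps 1 and 2; the table it prints is the one the prompt asks for, with hashes and file names left intact so they can be searched as-is.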
Step 4: SOC Triage Report
Generate a final phishing investigation report based on all previous steps.
Use this exact structure:
VERDICT: [Phishing / Likely Phishing / Suspicious / Benign]
CONFIDENCE: [High / Medium / Low]
ATTACK TYPE: [Credential Harvest / Malware Delivery / BEC / Spear Phishing / Other]
TARGET: [Individual / Department / Organization-wide]
KEY EVIDENCE
- Authentication failures: [list]
- Social engineering techniques: [list]
- Suspicious IOCs: [list]
FULL IOC LIST
[Copy from Step 3 output]
RECOMMENDED ACTIONS
Immediate:
- [e.g. Block sender domain at email gateway]
- [e.g. Search mail logs for other recipients of this campaign]
Investigative:
- [e.g. Check if any recipients clicked the link]
- [e.g. Pull proxy logs for destination domain]
User-Facing:
- [e.g. Notify recipient, advise password reset if credentials were entered]
- [e.g. Send awareness alert to broader team if campaign is widespread]
Example Output
Here's what you can expect after completing this workflow:
PHISHING INVESTIGATION REPORT
==============================
Report ID: PHI-2024-0142
Analyst: SOC Team
Date: 2024-01-15 16:45:00 UTC
INCIDENT SUMMARY
================
Subject: "Urgent: Verify Your Account - Action Required Within 24 Hours"
Sender Display Name: Microsoft Security Team
Sender Email: security-noreply@microsoft-account-verify.com
Reported By: jane.doe@company.com
Date Received: 2024-01-15 09:23:15 UTC
Recipients: 47 users in organization
Initial Verdict: CONFIRMED PHISHING
PHISHING INDICATORS IDENTIFIED
===============================
✓ Header Spoofing: PRESENT - From address does not match Microsoft domains
✓ Domain Impersonation: PRESENT - Typosquatting (microsoft-account-verify.com)
✓ URL Manipulation: PRESENT - Hidden redirect URLs detected
✗ Malicious Attachments: NOT PRESENT
✓ Social Engineering: PRESENT - Urgency tactics and fear-based messaging
✓ Authentication Failures: PRESENT - SPF FAIL, DMARC FAIL
✗ Poor Grammar: NOT PRESENT - Well-written (sophisticated phishing)
TECHNICAL ANALYSIS SUMMARY
==========================
Email Authentication:
- SPF: FAIL (sender not authorized by microsoft.com)
- DKIM: NONE (no signature present)
- DMARC: FAIL (policy=reject, but email delivered due to filter bypass)
- Return-Path: bounces@185.220.101.45
Sender Reputation:
- Domain Age: 3 days (registered 2024-01-12)
- IP Address: 185.220.101.45 (Netherlands)
- IP Reputation: MALICIOUS (listed on 4 blocklists)
- Trust Score: 5/100 (Highly Suspicious)
URL Analysis:
Primary URL: hxxps://microsoft-account-verify[.]com/signin/verify?token=abc123
- Actual Destination: hxxp://185.220.101.67/harvest/ms.php
- Domain Reputation: MALICIOUS (newly registered, typosquatting)
- Redirects through: bit[.]ly/3xK9mN (URL shortener for obfuscation)
- Purpose: Credential harvesting page
Confidence Level: HIGH (99% certain this is malicious phishing)
INDICATORS OF COMPROMISE (IOCs)
================================
Malicious Domains:
- microsoft-account-verify[.]com
- account-security-verify[.]com (redirect chain)
IP Addresses to Block:
- 185.220.101.45 (sending server)
- 185.220.101.67 (phishing page host)
Sender Addresses:
- security-noreply@microsoft-account-verify[.]com
- no-reply@account-security-verify[.]com
URL Patterns:
- hxxps://microsoft-account-verify[.]com/*
- hxxp://185.220.101.67/*
USER IMPACT ASSESSMENT
=======================
Delivered to: 47 users
Opened by: 12 users (confirmed via email tracking)
Clicked Link: 3 users (jane.doe@, john.smith@, alice.johnson@)
Submitted Credentials: UNKNOWN (requires investigation)
Potential Impact: CRITICAL - Possible credential compromise
RECOMMENDED ACTIONS
===================
IMMEDIATE (Complete within 1 hour):
1. Force password reset for 3 users who clicked the link
2. Enable MFA on affected accounts if not already active
3. Delete all instances of this email from all mailboxes
4. Block sender domain and IPs at email gateway
5. Block malicious URLs at web proxy/firewall
6. Monitor affected users' accounts for suspicious activity
INVESTIGATION (Complete within 24 hours):
1. Review authentication logs for affected users (past 48 hours)
2. Check for successful logins from unusual locations/IPs
3. Scan affected users' devices for malware
4. Search email logs for similar campaigns (same IPs/patterns)
5. Interview users who clicked to determine if credentials were entered
PREVENTIVE (Complete within 1 week):
1. Implement stricter DMARC enforcement policy
2. Update email security rules to flag new domains (<30 days)
3. Deploy user awareness training on Microsoft impersonation
4. Configure advanced threat protection for URL rewriting
5. Create custom detection rules for similar campaigns
INCIDENT CLASSIFICATION
========================
MITRE ATT&CK Techniques:
- T1566.002: Phishing - Spear Phishing Link
- T1598.003: Phishing for Information - Spear Phishing Link
- T1078: Valid Accounts (if credentials compromised)
Incident Severity: HIGH
Requires Escalation: YES
Escalate To: Security Manager, IT Leadership
Estimated Impact: Potential compromise of 3 user accounts, possible lateral movement if credentials harvested
NEXT STEPS
==========
1. Monitor affected accounts for 30 days
2. File abuse report with domain registrar
3. Report to Anti-Phishing Working Group (APWG)
4. Update threat intelligence feeds with IOCs
5. Document lessons learned for future prevention
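The first PREVENTIVE action above ("Implement stricter DMARC enforcement policy") and the SPF softfail question in Step 1 both come down to what the organization's own DNS records say. The script below is an added example for this page, not the page's own tooling: it grades a DMARC record and an SPF record, showing a weak record beside an enforcing one. The records are constructed strings; in practice they are the TXT records at _dmarc.<domain> and at <domain> (for example, `dig TXT _dmarc.company.example`), and the grading labels are this example's own.

```python
"""Grade DMARC and SPF records for the enforcement gaps named under PREVENTIVE.

Added example for this page, not the page's own tooling. The records are
constructed; fetch real ones from DNS (TXT at _dmarc.<domain> and <domain>).
"""

WEAK_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@company.example"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@company.example; "
                "ruf=mailto:dmarc@company.example; adkim=s; aspf=s")
WEAK_SPF = "v=spf1 include:_spf.mailer.example include:spf.crm.example ~all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


def parse_tags(record):
    """'k=v; k=v' -> {k: v} with keys lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Issues weaken enforcement; notes are things to know but not necessarily fix."""
    tags = parse_tags(record)
    issues, notes = [], []
    if tags.get("v") != "DMARC1":
        issues.append("record does not start with v=DMARC1")
    policy = tags.get("p", "missing")
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail that fails DMARC is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    elif policy != "reject":
        issues.append(f"unrecognised or missing policy p={policy}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    sub_policy = tags.get("sp", policy)  # sp defaults to p
    if sub_policy != "reject":
        issues.append(f"subdomain policy sp={sub_policy}: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so no visibility into abuse")
    if tags.get("adkim", "r") == "r" or tags.get("aspf", "r") == "r":
        notes.append("relaxed alignment (default): any subdomain of the From domain counts as aligned")
    if not issues:
        grade = "enforcing"
    elif policy in ("quarantine", "reject"):
        grade = "partial"
    else:
        grade = "monitor-only"
    return {"policy": policy, "issues": issues, "notes": notes, "grade": grade}


def evaluate_spf(record):
    """Check the 'all' qualifier (the part that decides softfail vs fail) and the lookup budget."""
    terms = record.split()
    issues = []
    if not terms or terms[0].lower() != "v=spf1":
        issues.append("record does not start with v=spf1")
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), "")
    if not all_term:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result and are usually delivered")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("+all: every sender passes SPF, the record is meaningless")
        elif qualifier == "?":
            issues.append("?all: neutral result, unlisted senders are not rejected")
        elif qualifier == "~":
            issues.append("~all: softfail, most receivers still deliver; move to -all once the sender list is complete")
    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").split(":")[0].lower() in LOOKUP_MECHANISMS or t.lower().startswith("redirect="))
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (evaluates to permerror)")
    return {"all": all_term, "lookups": lookups, "issues": issues}


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_DMARC), ("strong", STRONG_DMARC)):
        print(label, "DMARC:", evaluate_dmarc(rec))
    for label, rec in (("weak", WEAK_SPF), ("strong", STRONG_SPF)):
        print(label, "SPF:", evaluate_spf(rec))
```

A p=none record is the reason a message like the one in the example report can fail SPF and DMARC yet still reach 47 mailboxes; moving to p=reject with pct=100 and sp=reject is the change that lets the receiving gateway act on the failure instead of merely reporting it.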