Phishing Artifact Collection: Headers, URLs, Attachments
Collection | P1 | 60 min
Role: IR Analyst
Collect all forensic artifacts from the phishing campaign including email evidence, malware samples, credential harvesting infrastructure details, and user interaction data for comprehensive analysis.
Actions
1. Collect all unique phishing email variants (there may be multiple with slight variations): export each variant as EML with full headers and catalogue sender IPs, URLs, and attachment hashes
2. Download and archive the phishing landing page using wget --mirror or HTTrack: capture the full credential harvesting kit for analysis and IOC extraction
3. Collect email gateway logs for all delivery attempts (successful and blocked) to understand the full scope of the campaign targeting your organization
4. Gather EDR telemetry from endpoints where users clicked phishing links or opened attachments: process execution trees, network connections, file writes, and registry modifications
5. Collect Azure AD sign-in logs for all users who interacted with the phishing email to identify any successful credential compromise and subsequent unauthorized access
6. If credentials were harvested, collect proxy and firewall logs showing connections to the phishing domain to identify any data exfiltration or C2 activity using the stolen credentials
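Step 1 asks for each EML variant to be catalogued by sender IPs, URLs and attachment hashes. The script below is an added example (not part of this playbook) of that cataloguing step using only the Python standard library; the sample message, addresses and IPs are constructed placeholders, and the output is defanged so the catalogue can be shared without live links.

```python
import email, hashlib, re
from email import policy
from email.utils import parseaddr
# Constructed sample phishing message (placeholder addresses and IPs, not a real campaign)
SAMPLE_EML = b"""\
Received: from relay.example.test ([203.0.113.10]) by mx.corp.test; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7]) by relay.example.test; Mon, 1 Jan 2024 09:59:58 +0000
From: "IT Helpdesk" <helpdesk@phish-sender.test>
Subject: Password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Reset: <a href="https://login.phish-sender.test/reset?u=1">here</a></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"
Content-Transfer-Encoding: base64

PGh0bWw+dGVzdDwvaHRtbD4=
--b1--
"""
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def defang(url: str) -> str:
    # Neutralise the URL so the catalogue can be pasted into tickets safely
    return url.replace("http", "hxxp").replace(".", "[.]")

def catalogue_eml(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Received hops are newest-first, so the last IP is nearest the true sender
    hops = msg.get_all("Received", [])
    sender_ips = list(dict.fromkeys(ip for h in hops for ip in IP_RE.findall(h)))
    urls, attachments = set(), []
    for part in msg.walk():
        if part.is_attachment():
            # decode=True undoes base64/QP so the hash is of the real file bytes
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename(),
                                "size": len(data), "sha256": sha256_hex(data)})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(defang(u) for u in URL_RE.findall(part.get_content()))
    return {"eml_sha256": sha256_hex(raw),  # integrity hash of the evidence file itself
            "from": parseaddr(msg["From"])[1], "subject": str(msg["Subject"]),
            "sender_ips": sender_ips, "urls": sorted(urls), "attachments": attachments}
```

Run `catalogue_eml(open("variant1.eml", "rb").read())` per exported variant and record the resulting dictionary alongside the EML's own SHA-256 in the case file.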
Queries
// KQL -- Comprehensive phishing campaign artifact collection
// phish_recipients scopes the targeted population; clickers scopes users who followed the link
let phish_recipients = EmailEvents
| where SenderFromAddress == "<PHISHING_SENDER>" and Subject has "<SUBJECT>"
| distinct RecipientEmailAddress;
let clickers = UrlClickEvents
| where Url has "<PHISHING_DOMAIN>"
| distinct AccountUpn;
// Endpoint telemetry for clickers
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountUpn in (clickers) or InitiatingProcessAccountUpn in (clickers)
| where InitiatingProcessFileName in~ ("outlook.exe","chrome.exe","msedge.exe","firefox.exe")
| project Timestamp, DeviceName, AccountUpn, FileName, ProcessCommandLine
| sort by Timestamp asc

// KQL -- Post-click sign-in activity (credential compromise check)
// SigninLogs is the Entra ID table in Log Analytics; it is timestamped by TimeGenerated, not Timestamp
let clickers = UrlClickEvents
| where Url has "<PHISHING_DOMAIN>"
| distinct AccountUpn;
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName in (clickers)
| where ResultType == "0"   // successful sign-ins only
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, DeviceDetail
| sort by TimeGenerated asc
# PowerShell -- Download phishing page for analysis (from isolated VM)
# Mirror the site first from the analysis VM's shell (URL is defanged; re-arm it only on the isolated VM):
#   wget --mirror --convert-links --adjust-extension --no-parent "hxxps://<PHISHING_URL>"
# Then calculate a SHA256 hash of every downloaded file for the IOC catalogue:
Get-ChildItem -Path .\phishing_site_mirror -Recurse -File | ForEach-Object { Get-FileHash $_.FullName -Algorithm SHA256 } | Export-Csv phishing_site_hashes.csv -NoTypeInformation
Notes
- Download phishing landing pages from an isolated analysis VM -- never from a corporate workstation
- Phishing kits often contain configuration files with the attacker email address where harvested credentials are sent -- extract this for attribution and law enforcement
- Collect all email variants: sophisticated campaigns send slightly different emails to different recipients to evade detection