Phishing Artifact Collection: Headers, URLs, Attachments
Collect all forensic artifacts from the phishing campaign including email evidence, malware samples, credential harvesting infrastructure details, and user interaction data for comprehensive analysis.
Actions
1. Collect all unique phishing email variants (there may be multiple with slight variations): export each variant as EML with full headers and catalogue sender IPs, URLs, and attachment hashes
2. Download and archive the phishing landing page using wget --mirror or HTTrack: capture the full credential harvesting kit for analysis and IOC extraction
3. Collect email gateway logs for all delivery attempts (successful and blocked) to understand the full scope of the campaign targeting your organization
4. Gather EDR telemetry from endpoints where users clicked phishing links or opened attachments: process execution trees, network connections, file writes, and registry modifications
5. Collect Azure AD sign-in logs for all users who interacted with the phishing email to identify any successful credential compromise and subsequent unauthorized access
6. If credentials were harvested, collect proxy and firewall logs showing connections to the phishing domain to identify any data exfiltration or C2 activity using the stolen credentials
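As an added example (not part of this playbook), the following Python script performs the step 1 cataloguing for one exported EML variant: hop IPs from the Received chain, the authentication results, URLs in the body, and SHA-256 hashes of attachments. The embedded message is constructed for the example and uses documentation addresses only.

```python
import email
import hashlib
import re
from email import policy

# Constructed sample message (stand-in for an exported .eml; not a real campaign)
SAMPLE_EML = b"""Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.corp.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [198.51.100.22] (unknown [198.51.100.22])
\tby mail.example.net with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: "IT Helpdesk" <helpdesk@example.net>
Subject: Password expiry notice
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=example.net; dkim=none
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Reset now: <a href="https://login.example.net/reset?u=1">click</a></p>
--B1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--B1--
"""
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def catalogue_eml(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Each MTA prepends its own Received header, so the last one is the origin-most hop
    hop_ips = []
    for hdr in msg.get_all("Received", []):
        for ip in IPV4_RE.findall(hdr):
            if ip not in hop_ips:
                hop_ips.append(ip)
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""  # decoded attachment bytes
            attachments.append({"filename": part.get_filename(), "size": len(data),
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"from": str(msg["From"]), "subject": str(msg["Subject"]),
            "auth_results": str(msg.get("Authentication-Results", "")),
            "hop_ips": hop_ips, "origin_ip": hop_ips[-1] if hop_ips else None,
            "urls": sorted(urls), "attachments": attachments}
```

Run it over each exported variant and diff the resulting dictionaries to spot the per-recipient variations the campaign uses.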
Queries
// KQL -- Comprehensive phishing campaign artifact collection
let phish_recipients = EmailEvents
| where SenderFromAddress == "<PHISHING_SENDER>" and Subject has "<SUBJECT>"
| distinct RecipientEmailAddress;
let clickers = UrlClickEvents
| where Url has "<PHISHING_DOMAIN>"
| distinct AccountUpn;
// Endpoint telemetry for clickers
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountUpn in (clickers) or InitiatingProcessAccountUpn in (clickers)
| where InitiatingProcessFileName in~ ("outlook.exe","chrome.exe","msedge.exe","firefox.exe")
| project Timestamp, DeviceName, AccountUpn, FileName, ProcessCommandLine
| sort by Timestamp asc

// KQL -- Post-click sign-in activity (credential compromise check)
// SigninLogs is a Microsoft Sentinel table; its time column is TimeGenerated, not Timestamp
let clickers = UrlClickEvents
| where Url has "<PHISHING_DOMAIN>"
| distinct AccountUpn;
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName in (clickers)
| where ResultType == "0"
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, DeviceDetail
| sort by TimeGenerated asc
// PowerShell -- Download phishing page for analysis (from isolated VM)
# wget --mirror --convert-links --adjust-extension --no-parent "hxxps://<PHISHING_URL>"
# Calculate hash of downloaded content:
Get-ChildItem -Path .\phishing_site_mirror -Recurse -File | ForEach-Object { Get-FileHash $_.FullName -Algorithm SHA256 } | Export-Csv phishing_site_hashes.csv -NoTypeInformation

// Splunk -- Email gateway delivery attempts by sender (successful and blocked)
index=email sourcetype=proofpoint:pps OR sourcetype=mimecast:email sender="<PHISHING_SENDER>" | stats count, values(subject) AS subjects, values(recipient) AS recipients, dc(recipient) AS recipient_count by sender, sender_domain | sort -count

// Splunk -- Proxy connections to the phishing domain by user
index=proxy sourcetype=bluecoat:proxysg OR sourcetype=zscaler:web cs_host="<PHISHING_DOMAIN>" | stats count by cs_username, cs_host, cs_uri_stem, sc_status | sort -count
Notes
Download phishing landing pages from an isolated analysis VM -- never from a corporate workstation
Phishing kits often contain configuration files with the attacker email address where harvested credentials are sent -- extract this for attribution and law enforcement
Collect all email variants: sophisticated campaigns send slightly different emails to different recipients to evade detection