Phishing Email Triage and Indicator Extraction


Rapidly triage a reported phishing email to extract indicators of compromise, assess the threat level, and determine the scope of delivery across the organization.

Actions

  1. Extract and defang all IOCs from the phishing email: sender address, reply-to address, sending IP, embedded URLs (defang with hxxp://), attachment hashes (SHA256), and any referenced domains
  2. Analyze email authentication headers: check SPF result (pass/fail/softfail), DKIM signature validity, and DMARC policy alignment to determine if the email is spoofed or from a compromised legitimate account
  3. Submit embedded URLs to urlscan.io and VirusTotal for reputation check and detonation results -- capture screenshots of the landing page without visiting directly
  4. Submit attachments to a malware sandbox (Any.Run, Joe Sandbox, Hybrid Analysis) for dynamic analysis -- note any C2 callbacks, dropped files, or credential harvesting behavior
  5. Query email gateway (Proofpoint/Mimecast/Defender) for the delivery scope: how many recipients received this email, how many interacted with it (clicked URL, opened attachment)
  6. Classify the phishing type: credential harvesting, malware delivery, BEC/impersonation, or reconnaissance -- this determines the response workflow
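Steps 1, 2 and 6 can be scripted before any external lookup is made. The Python below is an added example, not part of this playbook: it parses a constructed sample message (the From header spoofs the organization's own finance domain, Reply-To points elsewhere, and the gateway's Authentication-Results header records SPF and DMARC failures), extracts and defangs the IOCs, reads the SPF/DKIM/DMARC results, checks SPF alignment against the From domain, and applies a first-pass classification. The alignment check uses a simplified "last two labels" organizational domain, the spoofed-vs-compromised and phishing-type rules are heuristics of this example, and the sandbox, URL-scanner and gateway queries of steps 3 to 5 are deliberately left to the services named above.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message for the walkthrough (not a real campaign): the From
# header spoofs the organization's own finance domain, Reply-To points elsewhere,
# and the gateway's Authentication-Results header records SPF and DMARC failures.
SAMPLE_EML = b"""\
Received: from relay.invoice-portal.test (relay.invoice-portal.test [203.0.113.45])
    by mx.corp.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=bounce.invoice-portal.test;
    dkim=none; dmarc=fail (p=reject) header.from=finance.corp.example
From: "Finance Team" <payments@finance.corp.example>
Reply-To: collect@invoice-portal.test
To: victim@corp.example
Subject: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Review the invoice at http://invoice-portal.test/login?id=42 and update
payment details at https://secure-update.invoice-portal.test/verify
--b1
Content-Type: application/octet-stream; name="invoice.txt"
Content-Disposition: attachment; filename="invoice.txt"

constructed sample attachment - not real malware
--b1--
"""

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def defang_domain(domain):
    return domain.replace(".", "[.]")


def defang_url(url):
    # hxxp:// scheme and bracketed dots in the host; path and query are kept as-is.
    parts = urlsplit(url)
    tail = url[len(parts.scheme) + 3 + len(parts.netloc):]
    return f"{parts.scheme.replace('http', 'hxxp')}://{defang_domain(parts.netloc)}{tail}"


def org_domain(domain):
    # Simplified relaxed-alignment check (last two labels). Real DMARC evaluation
    # uses the public suffix list, where e.g. "co.uk" domains need three labels.
    return ".".join(domain.lower().split(".")[-2:])


def triage(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    from_domain = sender.rpartition("@")[2]

    # Sending IP: the Received header stamped by our own MX is the top-most one.
    received = msg.get_all("Received") or []
    ip_match = IP_RE.search(str(received[0])) if received else None
    sending_ip = ip_match.group(1) if ip_match else None

    # SPF/DKIM/DMARC results as recorded by the gateway, plus SPF alignment with From.
    auth_hdr = str(msg.get("Authentication-Results", ""))
    auth = dict(AUTH_RE.findall(auth_hdr))
    mailfrom = re.search(r"smtp\.mailfrom=([\w.-]+)", auth_hdr)
    mailfrom_domain = mailfrom.group(1) if mailfrom else ""
    auth["spf_aligned"] = bool(mailfrom_domain) and org_domain(mailfrom_domain) == org_domain(from_domain)

    # URLs from the text body; attachments hashed with SHA256 without being opened.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    urls = sorted(set(URL_RE.findall(text)))
    attachments = [
        {"filename": part.get_filename(),
         "sha256": hashlib.sha256(part.get_payload(decode=True)).hexdigest()}
        for part in msg.iter_attachments()
    ]
    domains = {urlsplit(u).hostname for u in urls}
    if reply_to:
        domains.add(reply_to.rpartition("@")[2])

    # Spoofed vs compromised account (heuristic): a From on our own domain failing
    # SPF/DMARC is spoofed; passing, aligned authentication points at a real mailbox.
    if auth.get("dmarc") == "pass" and auth["spf_aligned"]:
        verdict = "likely compromised legitimate account"
    elif auth.get("spf") in ("fail", "softfail") or auth.get("dmarc") == "fail":
        verdict = "spoofed sender"
    else:
        verdict = "inconclusive"

    # First-pass type (heuristic); sandbox and URL-scan results refine it, and
    # reconnaissance (a pretext with no link or file) is left to the analyst.
    if attachments:
        phish_type = "malware delivery"
    elif urls:
        phish_type = "credential harvesting"
    else:
        phish_type = "BEC/impersonation"

    return {
        "sender": sender, "reply_to": reply_to, "sending_ip": sending_ip,
        "urls": [defang_url(u) for u in urls],
        "domains": sorted(defang_domain(d) for d in domains),
        "attachments": attachments, "auth": auth,
        "verdict": verdict, "phish_type": phish_type,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Running the script prints the triage record as JSON; the defanged URL and domain lists are what goes into the ticket, and the `auth` block is what the step 2 decision is made from. The sending IP is taken from the first Received header because only the hop written by the organization's own MX is trustworthy; earlier hops are attacker-controlled.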

Queries

// KQL -- Delivery scope: all recipients of the phishing email
EmailEvents
| where SenderFromAddress == "<PHISHING_SENDER>"
| where Subject has "<PHISH_SUBJECT>"
| where Timestamp > ago(7d)
| summarize RecipientCount=dcount(RecipientEmailAddress), Recipients=make_set(RecipientEmailAddress),
  Delivered=countif(DeliveryAction == "Delivered"), Blocked=countif(DeliveryAction == "Blocked") by SenderFromAddress, Subject

// KQL -- URL click tracking for the phishing campaign
UrlClickEvents
| where Timestamp > ago(7d)
| where Url has "<PHISHING_DOMAIN>"
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| sort by Timestamp asc

// SPL -- Splunk: email gateway phishing delivery analysis
index=email sourcetype=proofpoint:pps
  sender="<PHISHING_SENDER>" OR subject="<PHISH_SUBJECT>"
| stats count by recipient action disposition
| sort -count

Notes

  • Never click phishing URLs directly -- always use sandboxed analysis tools or URL scanners
  • BEC emails typically have no malicious payload (no URL, no attachment) -- the social engineering IS the attack. Classify these differently
  • The click-through count directly determines containment scope: every user who clicked needs credential reset and endpoint investigation