Triage | P1 | ~30 min

Phishing Email Triage and Indicator Extraction

Rapidly triage a reported phishing email to extract indicators of compromise, assess the threat level, and determine the scope of delivery across the organization.

Actions

  1. Extract and defang every IOC from the email: the header From and Reply-To addresses, the Return-Path (envelope sender), the sending IP from the earliest Received header stamped by your own MX, every embedded URL, the SHA256 of every attachment, and every referenced domain. Defang URLs as hxxp:// or hxxps:// and bracket the dots in hosts and IPs (example[.]com, 203[.]0[.]113[.]25) so nothing in the ticket is clickable.

  2. Analyze the authentication results: SPF (pass/fail/softfail/none), DKIM signature validity, and DMARC. Read them from the Authentication-Results header stamped by your own gateway, not one that arrived inside the message, since inbound headers can be forged. SPF and DKIM can both pass on a phish sent from an attacker-owned lookalike domain; what matters is DMARC alignment, i.e. whether the domain in the header From matches the SPF envelope domain or the DKIM d= domain. An aligned pass points to a compromised legitimate account or an attacker-registered domain; an authenticated-but-misaligned or failed result points to a spoofed From.

  3. Submit embedded URLs to urlscan.io and VirusTotal for reputation and detonation results, and take the landing-page screenshot from the scanner rather than visiting the page yourself. Use a private/unlisted scan when the URL carries a per-recipient token or identifies your organization, because public submissions are visible to anyone, including the attacker.

  4. Submit attachments to a malware sandbox (Any.Run, Joe Sandbox, Hybrid Analysis) for dynamic analysis and record any C2 callbacks, dropped files, persistence, or credential-harvesting behavior. Check the sample for internal data before uploading it to a public sandbox, and treat a clean run with caution: sandbox-aware, time-delayed, or geofenced payloads can stay dormant during analysis.

  5. Query the email gateway (Proofpoint/Mimecast/Defender) for delivery scope: how many recipients received the message, how many had it delivered versus blocked or junked, and how many interacted with it (clicked a URL, opened an attachment). Search on more than the exact sender and subject, since campaigns rotate both; pivot on sending IP, sending domain, URL host, and attachment hash as well.

  6. Classify the phishing type: credential harvesting, malware delivery, BEC/impersonation, or reconnaissance. The class determines the response workflow (credential reset and session revocation, endpoint containment, payment verification with finance, or monitoring only).
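Actions 1, 2 and 6 can be done offline on the raw .eml before anything is submitted anywhere. The following is an added example, not code from the original playbook: it pulls the addresses, sending IP, URLs, attachment hashes and domains out of a message, defangs them, reads the gateway-stamped Authentication-Results and checks DMARC alignment, and assigns a first-pass phishing type. The sample message, every domain, IP and DKIM selector in it, and the OUR_MX_SUFFIX value are constructed for illustration; the alignment check is a simplified relaxed-mode comparison, not a Public Suffix List lookup.

```python
"""First-pass phishing triage over a raw .eml (Actions 1, 2 and 6, run offline).

Added example, not part of the original playbook. The sample message, its
domains, IPs, selector and the OUR_MX_SUFFIX value are all constructed."""
import email
import hashlib
import json
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

OUR_MX_SUFFIX = "corp.example"  # assumed: hostname suffix of our own inbound MXes
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: the header From spoofs contoso.example, but SPF/DKIM only
# pass for the attacker's lookalike contoso-secure.example, so dmarc=fail.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail.contoso-secure.example>
Received: from mx1.corp.example (mx1.corp.example [198.51.100.10])
\tby edge.corp.example with ESMTPS; Mon, 3 Jun 2024 09:12:01 +0000
Received: from smtp.contoso-secure.example (smtp.contoso-secure.example [203.0.113.25])
\tby mx1.corp.example with ESMTP; Mon, 3 Jun 2024 09:11:58 +0000
Authentication-Results: mx1.corp.example; spf=pass smtp.mailfrom=mail.contoso-secure.example;
\tdkim=pass header.d=contoso-secure.example header.s=sel1; dmarc=fail header.from=contoso.example
From: "IT Helpdesk" <helpdesk@contoso.example>
Reply-To: support@contoso-secure.example
To: alice@corp.example
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Reset here: <a href="https://login.contoso-secure.example/reset?id=7f3a">Reset</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--b1--
"""


def defang_host(host):
    return host.replace(".", "[.]")


def defang_url(url):
    p = urlsplit(url)
    scheme = {"http": "hxxp", "https": "hxxps"}.get(p.scheme, p.scheme)
    tail = url[len(p.scheme) + 3 + len(p.netloc):]  # path/query/fragment kept as-is
    return f"{scheme}://{defang_host(p.netloc)}{tail}"


def sending_ip(msg):
    # Received headers are prepended per hop, so the LAST one is the earliest.
    # Return the IP of the first hop that one of our own MXes accepted.
    for hop in reversed(msg.get_all("Received", [])):
        hop = str(hop)
        by, ip = re.search(r"\bby\s+([\w.-]+)", hop), IP_RE.search(hop)
        if by and ip and by.group(1).endswith(OUR_MX_SUFFIX):
            return ip.group(1)
    return None


def aligned(domain, from_domain):
    # Simplified relaxed DMARC alignment: exact match or subdomain either way.
    # Real DMARC compares organizational domains from the Public Suffix List.
    if not domain:
        return False
    d, f = domain.lower(), from_domain.lower()
    return d == f or d.endswith("." + f) or f.endswith("." + d)


def parse_auth(msg, from_domain):
    # Only trust Authentication-Results stamped by our own gateway (mx1.corp.example here).
    ar = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    auth = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", ar)
        auth[method] = m.group(1).lower() if m else "none"
    dkim_d = re.search(r"header\.d=([\w.-]+)", ar)
    spf_d = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", ar)
    auth["dkim_domain"] = dkim_d.group(1) if dkim_d else None
    auth["spf_domain"] = spf_d.group(1) if spf_d else None
    auth["dkim_aligned"] = auth["dkim"] == "pass" and aligned(auth["dkim_domain"], from_domain)
    auth["spf_aligned"] = auth["spf"] == "pass" and aligned(auth["spf_domain"], from_domain)
    return auth


def spoofing_assessment(auth):
    if auth["dmarc"] == "pass" or auth["dkim_aligned"] or auth["spf_aligned"]:
        return ("aligned pass: sent through the From domain's own infrastructure "
                "(compromised legitimate account or attacker-registered domain)")
    if auth["spf"] == "pass" or auth["dkim"] == "pass":
        return "authenticated only for another domain: header From is spoofed"
    return "no valid authentication: header From is spoofed or sender unknown"


def classify(urls, attachments):
    # First-pass type from the payload alone; refine after sandbox/URL results.
    if attachments:
        return "malware delivery"
    if urls:
        return "credential harvesting"
    return "BEC/impersonation"  # no payload: the social engineering is the attack


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    from_domain = sender.rpartition("@")[2]
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(data).hexdigest(),
                                "size": len(data)})
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    auth = parse_auth(msg, from_domain)
    ip = sending_ip(msg)
    domains = {a.rpartition("@")[2] for a in (sender, reply_to, return_path) if a}
    domains |= {urlsplit(u).hostname for u in urls}
    # Addresses stay raw because they go verbatim into the gateway query;
    # IPs, URLs and domains are defanged for the ticket.
    return {
        "sender": sender, "reply_to": reply_to, "return_path": return_path,
        "sending_ip": defang_host(ip) if ip else None,
        "urls": [defang_url(u) for u in urls],
        "domains": sorted(defang_host(d) for d in domains),
        "attachments": attachments,
        "auth": auth,
        "spoofing": spoofing_assessment(auth),
        "phish_type": classify(urls, attachments),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Run it as a script to print the triage record as JSON. On the sample it reports spf=pass and dkim=pass but neither aligned with the From domain contoso.example, so DMARC fails and the From is called spoofed even though the message is "authenticated"; that is the distinction Action 2 turns on. The raw sender and reply-to go straight into the gateway and proxy queries in the Queries section; the defanged URL, IP and domains go into the ticket and the URL/sandbox submissions.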

Queries

// KQL -- Delivery scope: all recipients of the phishing email (Defender for Office 365)
// Widen to "or" on sender/subject, or pivot on SenderIPv4 / attachment SHA256 via
// EmailAttachmentInfo, when the campaign rotates senders or subjects.
EmailEvents
| where Timestamp > ago(7d)
| where SenderFromAddress == "<PHISHING_SENDER>"
| where Subject has "<PHISH_SUBJECT>"
| summarize RecipientCount=dcount(RecipientEmailAddress), Recipients=make_set(RecipientEmailAddress),
  Delivered=countif(DeliveryAction == "Delivered"), Junked=countif(DeliveryAction == "Junked"),
  Blocked=countif(DeliveryAction == "Blocked") by SenderFromAddress, Subject

// KQL -- URL click tracking for the phishing campaign (Safe Links telemetry only;
// IsClickedThrough == true means the user proceeded past the warning page)
UrlClickEvents
| where Timestamp > ago(7d)
| where Url has "<PHISHING_DOMAIN>"
| project Timestamp, AccountUpn, Url, ActionType, IsClickedThrough
| sort by Timestamp asc

// SPL -- Splunk: email gateway phishing delivery analysis
index=email sourcetype=proofpoint:pps
  (sender="<PHISHING_SENDER>" OR subject="*<PHISH_SUBJECT>*")
| stats count by recipient action disposition
| sort -count

// SPL -- Splunk: proxy logs, users who actually reached the phishing domain
// (catches clicks that Safe Links never saw, e.g. copied links or unwrapped URLs)
index=proxy (sourcetype=bluecoat:proxysg OR sourcetype=zscaler:web) cs_host="<PHISHING_DOMAIN>"
| stats count, earliest(_time) AS first_click, latest(_time) AS last_click by cs_username, cs_host, cs_uri_stem
| sort first_click

Notes

Never click phishing URLs directly -- use sandboxed analysis tools or URL scanners, and if a manual look is unavoidable, use an isolated analysis VM with no corporate credentials or network access

BEC emails typically have no malicious payload (no URL, no attachment) -- the social engineering IS the attack. Classify these differently: the response is verifying the request out of band and involving finance, not containment of an endpoint

The click count directly determines containment scope: every user who clicked needs a credential reset, revocation of active sessions and refresh tokens, a review of recently registered MFA methods and mailbox rules, and an endpoint investigation if an attachment was opened. Gateway click telemetry only covers URLs the gateway rewrote, so correlate it with proxy and identity-provider sign-in logs before calling the scope final
