Phishing Email Investigation

When You See This

1. 1

   Email security gateway flags an inbound message as suspicious

2. 2

   User reports a phishing email via the report button or help desk

3. 3

   SIEM alert fires on a user clicking a URL categorized as newly registered or low-reputation

4. 4

   XDR detects a process spawn from an email attachment (e.g., Word spawning PowerShell)

5. 5

   Multiple users receive the same suspicious email within a short time window

6. 6

   Authentication logs show login attempts from a location inconsistent with the user profile shortly after email delivery

Investigation Steps

1. 1

   Analyze email headers and metadata

   Extract the full email headers and examine the sending infrastructure. Check SPF, DKIM, and DMARC alignment. Look for display name spoofing where the "From" name differs from the actual sending address. Note the originating IP and check it against threat intelligence feeds. Identify whether the email was sent to a single recipient or part of a mass campaign by examining the recipient list and email gateway logs.

   SIEM

   Splunk SPLMicrosoft KQLElastic Lucene

   index=email sourcetype=exchange OR sourcetype=o365 sender_domain="suspicious-domain.com" | stats count by recipient, subject, sender_ip

   index=email action=delivered | where match(sender_display, "(?i)IT Support|Helpdesk|Admin") AND NOT match(sender_address, "@company\.com$") | table _time, sender_display, sender_address, recipient, subject

2. 2

   Inspect URLs and attachments

   Extract all URLs from the email body and attachments. Check each URL against threat intelligence services, looking for newly registered domains (< 30 days), URL shorteners redirecting to unknown destinations, and domains that typosquat legitimate services. For attachments, check file hashes against VirusTotal or similar services. Note any macro-enabled documents, password-protected archives, or double-extension files.

   SIEMFirewall

   Splunk SPLMicrosoft KQLElastic Lucene

   index=proxy url="*suspicious-domain*" | stats count by src_ip, url, http_status | sort -count

   index=email attachment_hash=* | lookup threat_intel hash AS attachment_hash OUTPUT threat_name, confidence | where isnotnull(threat_name)

   Decision Point

   If: URL leads to a credential harvesting page or attachment contains malware

   Yes → Immediately escalate to Tier 2 and proceed to Step 5 (containment). This is now an active incident.

   No → Continue investigation. The email may still be malicious. proceed to Step 3.

3. 3

   Determine if any user interacted

   Search proxy logs, DNS logs, and endpoint telemetry to determine if any recipient clicked the URL or opened the attachment. Check web proxy logs for connections to the suspicious domain. Review endpoint detection logs for process creation events linked to email client applications. Look for signs of credential submission by checking authentication logs for the targeted service.

   SIEMXDR

   Splunk SPLMicrosoft KQLElastic Lucene

   index=proxy OR index=dns dest="suspicious-domain.com" | stats earliest(_time) as first_seen, latest(_time) as last_seen, count by src_ip, user

   index=endpoint parent_process_name IN ("outlook.exe", "thunderbird.exe") | stats count by dest_host, process_name, process_command_line | sort -count

   Decision Point

   If: A user clicked the link or opened the attachment

   Yes → Move to Step 4 to assess credential compromise and potential malware execution.

   No → Good news; no interaction detected. Skip to Step 6 to document and close. Block the sender domain as a precaution.

4. 4

   Assess credential compromise

   If a user interacted with a credential harvesting page, check authentication logs for the affected account. Look for successful logins from new IP addresses or locations, especially within 1-4 hours of the phishing email delivery. Check for MFA bypass attempts, new MFA device enrollments, or OAuth application consent grants. Review mailbox rules for auto-forwarding to external addresses.

   SIEMXDR

   Splunk SPLMicrosoft KQLElastic Lucene

   index=auth user="affected_user" | stats count by src_ip, action, app | where src_ip!="known_corporate_ranges"

   index=azure_ad OR index=okta eventType IN ("user.session.start", "policy.evaluate_sign_on") user="affected_user" | timechart span=1h count by outcome

   Decision Point

   If: Unauthorized access detected or credentials confirmed compromised

   Yes → Escalate to Incident Response. Immediately reset the password, revoke all sessions, and review recent account activity for data access.

   No → Reset the password as a precaution. Monitor the account for 48 hours for suspicious activity.

5. 5

   Contain the threat

   Based on your findings, take appropriate containment actions. Block the malicious sender domain and URLs at the email gateway and web proxy. If credentials were compromised, force a password reset and revoke active sessions. If malware was executed, isolate the affected endpoint. Search for and remove the phishing email from all recipient mailboxes using email admin tools.

   SIEMXDRFirewall

   Splunk SPLMicrosoft KQLElastic Lucene

   index=email subject="exact phishing subject" action=delivered | stats count by recipient | outputlookup phishing_recipients.csv

6. 6

   Document findings and close

   Record all investigation findings including: initial alert source, email analysis results, list of affected users, containment actions taken, and recommendations for prevention. Update the ticket with IOCs (malicious URLs, sender addresses, file hashes) for threat intelligence. If this was a targeted attack, note the target selection pattern for future monitoring. Close the alert with appropriate classification (true positive or false positive).

   SIEM

Common Mistakes

1. 1

   Only checking the displayed sender name instead of examining the full email headers and actual sending address

2. 2

   Failing to search for other recipients of the same phishing campaign; one user report often means dozens received it

3. 3

   Closing the alert after confirming "no click" without blocking the malicious domain for future protection

4. 4

   Not checking for auto-forwarding rules that attackers add to compromised mailboxes for persistent access

5. 5

   Assuming the investigation is complete after password reset without monitoring for continued unauthorized access

Escalation Criteria

• User submitted credentials to a harvesting page and unauthorized access is confirmed

• Malware executed on an endpoint after attachment was opened

• Targeted spearphishing against executives or employees with privileged access

• Campaign targeting multiple users simultaneously, suggesting coordinated attack

Frequently Asked Questions

How long should a phishing investigation take?

A straightforward phishing investigation where no user interacted should take 15-25 minutes. If credentials were compromised or malware executed, the investigation expands to 1-3 hours as you assess lateral movement and data access. The key is not rushing the initial triage; missing a credential compromise in the first pass creates much larger problems.

What is the difference between phishing and spearphishing?

Phishing is a mass campaign sent to many recipients with generic lures (fake invoices, password resets). Spearphishing targets specific individuals using personalized content gathered through reconnaissance, mentioning real projects, colleagues, or recent events. Spearphishing requires more investigation effort because the emails appear more legitimate and may bypass standard email filters.

Should I block the sender domain immediately?

Yes, if you have confirmed the email is malicious. Block at the email gateway and add the domain to your web proxy blocklist. However, be cautious with domains that are typosquats of legitimate services; blocking too broadly could impact business operations. Always verify the domain is not a legitimate service before blocking.

How do I practice phishing investigations?

SOCSimulator provides realistic phishing scenarios in both Operations rooms and Shift Mode. You can investigate AI-generated phishing campaigns with real SIEM alerts, email headers, and proxy logs, building the muscle memory you need for production SOC work. Start free forever at socsimulator.com.