Ibrahim S

Mail Phishing Investigation – Workflow & Best Practices

Email Phishing Analysis refers to the process of identifying, investigating, and validating whether a suspicious email is actually a phishing attempt.

It is a key part of cybersecurity, SOC operations, and incident response.

Email Phishing Analysis Workflow 🛡️

When a suspicious email is reported to the security team, a SOC Analyst follows a structured process to determine whether it’s legitimate or malicious. Below is a refined investigation workflow:

  • Sender & Domain Analysis
  • Subject Line Analysis
  • Email Body Analysis
  • Email Header Analysis
  • SPF, DKIM, and DMARC Verification
  • Mail Gateway Analysis
  • Reporting & Mitigation

🔍 1. Sender & Domain Analysis

Start by validating the sender’s email address and the domain it originates from.

Actions:
Check the domain reputation using tools such as:

  • VirusTotal
  • MXToolbox
  • IPVoid

Review domain registration details

  • Creation date
  • Registrant information (organization, country, etc.)

Look for red flags like newly created domains, mismatched sender names, or suspicious hosting providers.

🧠 2. Subject Line Analysis

Examine the subject line to understand the intent behind the email.

  • Phishing indicators (e.g., urgent account notifications)
  • Social engineering tactics
  • Promotional or spam-like language

Assess whether the subject is designed to provoke urgency, fear, or curiosity.

📬 3. Email Body Analysis

Analyze the content of the email for potential Indicators of Compromise (IOCs).

Common IOCs:

  • Urgency or scare tactics

Example: “Your account will be disabled in 1 hour—take action now.”

  • Suspicious embedded URLs
    • Hover over links to verify their true destination; the visible link text and the actual href frequently differ.
    • Pay special attention to hidden links in buttons like “unsubscribe.”
  • URL reputation checks
    • Use secure, trusted tools without directly interacting with the link. Opening it from an analyst workstation can confirm to the attacker that the address is live, or deliver the payload.
  • Attachments
    • Analyze unknown attachments in a sandboxed environment.
    • ⚠️ Avoid uploading sensitive files to public scanners (e.g., VirusTotal): the sample becomes visible to other users of the service, including an attacker who may be watching for it. Look up the file hash instead of submitting the file.
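The body checks above (link text vs. real destination, hidden "unsubscribe" links, attachment hashing without uploading the file) can be scripted. The example below is added here and is not code from the original post; it builds a constructed multipart message with Python's standard `email` module, extracts every `<a>` element from the HTML part, flags anchors whose visible text looks like a URL on a different host than the href, and computes the SHA-256 of each attachment so the hash can be looked up instead of the file. The domains, the payload bytes and the `EXEC_SUFFIXES` list are illustrative assumptions.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample content (not a real message). The visible link text shows
# the bank's real host while the href points at a look-alike domain, a 1px
# "unsubscribe" link sits at the bottom, and the attachment has a double
# extension. The payload is a harmless stand-in, not an executable.
SAMPLE_HTML = """<html><body>
<p>Your account will be disabled in 1 hour. Sign in now:
<a href="http://login-verify.mail-secure-update.com/auth">https://www.bank.example/login</a></p>
<p>Questions? Visit <a href="https://www.bank.example/help">our help centre</a>.</p>
<p style="font-size:1px"><a href="http://login-verify.mail-secure-update.com/u?id=alice">unsubscribe</a></p>
</body></html>"""
SAMPLE_PAYLOAD = b"MZ-constructed-stand-in-not-a-real-executable"


def build_sample_email() -> bytes:
    """Assemble the constructed phishing message as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = '"Bank Security" <alerts@bank.example>'
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Urgent: your account will be disabled in 1 hour"
    msg.set_content("Your account will be disabled in 1 hour. Sign in now.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    msg.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="Invoice_4471.pdf.exe")
    return msg.as_bytes()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Anchor text that itself looks like a URL or hostname (assumed heuristic).
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)
# Illustrative list of extensions that should never arrive as "documents".
EXEC_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso")


def host_of(url: str) -> str:
    s = url.strip()
    if "://" not in s:
        s = "http://" + s          # let urlparse handle bare hostnames too
    return (urlparse(s).hostname or "").lower()


def defang(indicator: str) -> str:
    """Make an indicator safe to paste into a report (hxxp, [.])."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def analyze_body(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    collector = LinkCollector()
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector.feed(html_part.get_content())

    links, mismatched, hosts = [], [], set()
    for href, text in collector.links:
        host = host_of(href)
        hosts.add(host)
        entry = {"href": href, "text": text, "host": host}
        links.append(entry)
        # Visible text is a URL but the real destination is a different host.
        if URL_LIKE.match(text) and host_of(text) != host:
            mismatched.append(entry)

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8")
        name = part.get_filename() or ""
        attachments.append({
            "filename": name,
            "size": len(data),
            "sha256": sha256_hex(data),   # look this up; do not upload the file
            "executable_extension": name.lower().endswith(EXEC_SUFFIXES),
            "double_extension": name.count(".") >= 2,
        })
    return {"links": links, "mismatched_links": mismatched,
            "hosts": sorted(hosts), "attachments": attachments}


if __name__ == "__main__":
    report = analyze_body(build_sample_email())
    for link in report["mismatched_links"]:
        print("text/href mismatch:", link["text"], "->", defang(link["href"]))
    for att in report["attachments"]:
        print("attachment:", att["filename"], att["sha256"])
```

Running it prints the mismatched anchor (visible `https://www.bank.example/login`, real destination on `login-verify[.]mail-secure-update[.]com`) and the SHA-256 of `Invoice_4471.pdf.exe`, which is what you would search in a reputation service rather than the file itself.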

📨 4. Email Header Analysis

Email headers reveal behind-the-scenes information about the message path and authenticity.

  • Extract the full header from the user’s email client.
  • Use tools like MXToolbox → Header Analyzer for a detailed breakdown.

Verify:

  • Source IPs
  • Relay hops
  • SPF, DKIM, and DMARC results
  • Message ID consistency

Headers often expose spoofing or unusual sending servers.

✅ 5. SPF, DKIM, and DMARC Verification

Authentication protocols help determine whether the email actually comes from the claimed sender.

SPF (Sender Policy Framework)

  • Checks whether the connecting IP is authorized by the SPF record of the envelope sender domain (the MAIL FROM / Return-Path domain). SPF does not look at the visible “From” header at all.
  • Authentication: Passes if the sending IP is listed in that domain’s SPF record.
  • Alignment (used by DMARC): Passes if the Return-Path domain matches the “From” header domain, either exactly (strict) or at the organizational-domain level (relaxed).

DKIM (DomainKeys Identified Mail)

  • Uses a cryptographic signature over selected headers and the body, verified against the public key the signing domain (the d= tag) publishes in DNS at selector._domainkey.<domain>, to ensure integrity.
  • Authentication: Fails if the signature cannot be validated (content modified in transit, missing or wrong key, malformed signature).
  • Alignment (used by DMARC): Passes if the d= domain matches the “From” domain.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

  • Builds on SPF and DKIM: a message passes DMARC if at least one of them passes authentication and is aligned with the “From” domain. Alignment is the important part. An attacker sending from their own infrastructure can pass SPF and DKIM for their own domain; it is the alignment check that ties the result to the address the user actually sees.
  • The policy published in the sender domain’s DMARC record (_dmarc.<domain>) tells receiving servers how to handle failures:
  1. None (p=none): Deliver normally, monitoring only
  2. Quarantine (p=quarantine): Move to spam
  3. Reject (p=reject): Block entirely
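Sections 1, 4 and 5 above (sender domain, header chain, and SPF/DKIM/DMARC alignment) come together when you parse the raw message. The following example is added here and is not code from the original post: it parses a constructed raw email with Python's standard `email` module, walks the `Received` hops back to the origin, reads the gateway's `Authentication-Results`, and compares the Return-Path, DKIM `d=` and Message-ID domains against the visible From domain. The message, domains, IPs (RFC 5737 documentation ranges) and the `org_domain` helper, which approximates relaxed alignment by taking the last two labels instead of consulting the Public Suffix List, are all assumptions for illustration.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample message (not a real email). The visible From claims
# bank.example, but the envelope sender, DKIM signer and Message-ID all point
# at mail-secure-update.com. DKIM signature values are placeholders.
RAW_EMAIL = b"""Return-Path: <bounce@mail-secure-update.com>
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbound.corp.example (Postfix) with ESMTPS id 4F2A1
\tfor <alice@corp.example>; Mon, 3 Jun 2024 09:12:44 +0000
Received: from smtp1.mail-secure-update.com (smtp1.mail-secure-update.com [198.51.100.25])
\tby mx.example.org (Postfix) with ESMTP id 9C3B7;
\tMon, 3 Jun 2024 09:12:41 +0000
Authentication-Results: inbound.corp.example;
\tspf=pass (sender IP is 198.51.100.25) smtp.mailfrom=mail-secure-update.com;
\tdkim=pass header.d=mail-secure-update.com;
\tdmarc=fail (p=reject) header.from=bank.example
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail-secure-update.com;
\ts=sel1; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER
From: "Bank Security" <alerts@bank.example>
To: alice@corp.example
Subject: Urgent: your account will be disabled in 1 hour
Message-ID: <20240603091240.1234@smtp1.mail-secure-update.com>
Date: Mon, 3 Jun 2024 09:12:40 +0000
Content-Type: text/plain; charset="us-ascii"

Please verify your account now.
"""


def parse(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def _flat(value) -> str:
    """Collapse folded header whitespace into single spaces."""
    return " ".join(str(value).split())


def domain_of(addr: str) -> str:
    """Domain part of an address, Return-Path or Message-ID ('' if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower().rstrip(".") if m else ""


def org_domain(domain: str) -> str:
    # Assumption: relaxed alignment compares organizational domains, which real
    # DMARC derives from the Public Suffix List; here we take the last two labels.
    return ".".join(domain.lower().split(".")[-2:])


def received_chain(msg) -> list:
    """Relay hops, origin first. Each MTA prepends its header, so reverse."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = _flat(hdr)
        host = re.match(r"from (\S+)", text)
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", text)
        by = re.search(r"\bby (\S+)", text)
        hops.append({"from": host.group(1) if host else None,
                     "ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None})
    hops.reverse()
    return hops


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts recorded by the receiving gateway."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", _flat(hdr)):
            results[method] = result
    return results


def dkim_signing_domain(msg) -> str:
    sig = msg.get("DKIM-Signature")
    m = re.search(r"\bd=([^;\s]+)", _flat(sig)) if sig else None
    return m.group(1).lower() if m else ""


def triage(msg) -> dict:
    from_addr = msg["From"].addresses[0]
    from_domain = from_addr.domain.lower()
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))
    dkim_domain = dkim_signing_domain(msg)
    msgid_domain = domain_of(str(msg.get("Message-ID", "")))
    auth = auth_results(msg)
    hops = received_chain(msg)

    findings = []
    if org_domain(return_path_domain) != org_domain(from_domain):
        findings.append(f"SPF not aligned: Return-Path {return_path_domain} vs From {from_domain}")
    if org_domain(dkim_domain) != org_domain(from_domain):
        findings.append(f"DKIM not aligned: d={dkim_domain} vs From {from_domain}")
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed at the receiving gateway")
    if msgid_domain and org_domain(msgid_domain) != org_domain(from_domain):
        findings.append(f"Message-ID domain {msgid_domain} differs from From domain")

    return {"from": from_addr.addr_spec, "display_name": from_addr.display_name,
            "from_domain": from_domain, "return_path_domain": return_path_domain,
            "dkim_domain": dkim_domain, "auth_results": auth,
            "origin_ip": hops[0]["ip"] if hops else None, "hops": hops,
            "findings": findings,
            "verdict": "suspicious" if findings else "no authentication anomalies"}


if __name__ == "__main__":
    for key, value in triage(parse(RAW_EMAIL)).items():
        print(f"{key}: {value}")
```

Note that the gateway recorded `spf=pass` and `dkim=pass`: both are true for mail-secure-update.com, the attacker's own domain. Only the alignment comparison against the From domain (and hence the DMARC result) exposes the spoof, which is why the verdict here is driven by the findings list rather than by the raw SPF and DKIM verdicts.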

🛠️ 6. Mail Gateway Analysis

Review how the email was processed by the organization’s email gateway.

Check:

  • From, To, Return-Path
  • Subject and Message-ID
  • Routing details and filtering logs

Determine whether other users received the same message and document distribution patterns or anomalies.
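Answering "who else received this?" means pivoting through the gateway logs on the indicators you already have (Message-ID, sender domain, connecting IP). The example below is added here and is not code from the original post; it parses constructed log lines in a simplified Postfix-like layout (the real format carries more fields), groups them by queue id into one record per message, and then pivots on any of those indicators to list every affected recipient. The log lines, hosts, addresses and queue ids are invented for the illustration.

```python
import re
from collections import defaultdict

# Constructed gateway log (not real logs), simplified Postfix-style layout:
# the queue id ties the client, message-id, sender and recipient lines together.
GATEWAY_LOG = """\
Jun  3 09:12:44 gw postfix/smtpd[2101]: 4F2A1: client=smtp1.mail-secure-update.com[198.51.100.25]
Jun  3 09:12:44 gw postfix/cleanup[2102]: 4F2A1: message-id=<20240603091240.1234@smtp1.mail-secure-update.com>
Jun  3 09:12:44 gw postfix/qmgr[2103]: 4F2A1: from=<bounce@mail-secure-update.com>, size=18421, nrcpt=1 (queue active)
Jun  3 09:12:45 gw postfix/lmtp[2104]: 4F2A1: to=<alice@corp.example>, relay=mailstore, status=sent (250 OK)
Jun  3 09:12:51 gw postfix/smtpd[2101]: 7B9D2: client=smtp1.mail-secure-update.com[198.51.100.25]
Jun  3 09:12:51 gw postfix/cleanup[2102]: 7B9D2: message-id=<20240603091240.1234@smtp1.mail-secure-update.com>
Jun  3 09:12:51 gw postfix/qmgr[2103]: 7B9D2: from=<bounce@mail-secure-update.com>, size=18421, nrcpt=2 (queue active)
Jun  3 09:12:52 gw postfix/lmtp[2104]: 7B9D2: to=<bob@corp.example>, relay=mailstore, status=sent (250 OK)
Jun  3 09:12:52 gw postfix/lmtp[2104]: 7B9D2: to=<carol@corp.example>, relay=mailstore, status=sent (250 OK)
Jun  3 09:30:02 gw postfix/smtpd[2101]: 9A0E3: client=mail.partner.example[203.0.113.77]
Jun  3 09:30:02 gw postfix/cleanup[2102]: 9A0E3: message-id=<abc123@mail.partner.example>
Jun  3 09:30:02 gw postfix/qmgr[2103]: 9A0E3: from=<news@partner.example>, size=5120, nrcpt=1 (queue active)
Jun  3 09:30:03 gw postfix/lmtp[2104]: 9A0E3: to=<alice@corp.example>, relay=mailstore, status=sent (250 OK)
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<proc>[\w/]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")


def parse_gateway_log(text: str) -> dict:
    """Group log lines by queue id into one record per message."""
    records = defaultdict(lambda: {"client": None, "client_ip": None,
                                   "message_id": None, "sender": None,
                                   "recipients": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # unrelated daemon line, skip it
        rec, rest = records[m["qid"]], m["rest"]
        if rest.startswith("client="):
            host, ip = re.match(r"client=([^\[]+)\[([^\]]+)\]", rest).groups()
            rec["client"], rec["client_ip"] = host, ip
        elif rest.startswith("message-id="):
            rec["message_id"] = rest.split("=", 1)[1]
        elif rest.startswith("from="):
            rec["sender"] = re.match(r"from=<([^>]*)>", rest).group(1)
        elif rest.startswith("to="):
            to = re.match(r"to=<([^>]+)>", rest).group(1)
            status = re.search(r"status=(\w+)", rest)
            rec["recipients"].append((to, status.group(1) if status else "unknown"))
    return dict(records)


def find_related(records: dict, message_id=None, sender_domain=None, client_ip=None) -> dict:
    """Pivot on any indicator; return matching queue ids and all recipients."""
    hits = {}
    for qid, rec in records.items():
        sender_dom = rec["sender"].split("@")[-1] if rec["sender"] else None
        if (message_id and rec["message_id"] == message_id) \
                or (sender_domain and sender_dom == sender_domain) \
                or (client_ip and rec["client_ip"] == client_ip):
            hits[qid] = rec
    recipients = sorted({to for rec in hits.values() for to, _status in rec["recipients"]})
    return {"queue_ids": sorted(hits), "recipients": recipients}


if __name__ == "__main__":
    records = parse_gateway_log(GATEWAY_LOG)
    scope = find_related(records, sender_domain="mail-secure-update.com")
    print(f"{len(scope['queue_ids'])} messages, {len(scope['recipients'])} recipients:")
    for rcpt in scope["recipients"]:
        print("  ", rcpt)
```

Pivoting on the sender domain or the connecting IP catches resends of the same campaign that carry a fresh Message-ID, which a search on the reported message's Message-ID alone would miss; the recipient list is what drives the user notifications and mailbox purges in the mitigation step.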

📊 7. Reporting & Mitigation

Compile a full report summarizing your findings.

  • Detailed analysis notes
  • Identified IOCs
  • GTI (Global Threat Intelligence) references
  • A final verdict (malicious, suspicious, or safe)

Mitigation Actions:

  • Block the malicious indicators identified during analysis:
    • Domains
    • IP addresses
    • URLs
    • File hashes
  • Coordinate with IT/Network teams to implement blocks and notify affected users.
  • Update internal threat intel databases for future reference.
