Email Phishing Analysis:
When a suspicious email is reported to the security team, the analysis you would perform as a SOC Analyst:
1. Sender and Domain Analysis
- Verify the sender's email ID and domain.
- Check the domain reputation using tools like:
  - VirusTotal
  - MXToolbox
  - IPVoid
- Analyze domain details:
  - Registration date
  - Owner information
2. Subject Line Analysis
- Examine the subject line to determine the intent of the email:
  - Phishing
  - Social engineering
  - Promotional content
3. Email Body Analysis
- Look for Indicators of Compromise (IOCs), such as:
  - Urgency tactics, e.g. "Reset your account within an hour, or it will be disabled."
  - Phishing URLs: embedded URLs (e.g., behind an "unsubscribe" button) designed to mislead users.
    - Check the reputation of such URLs using trusted tools.
  - Attachments:
    - Analyze suspicious attachments in a sandbox to detect malicious behavior.
    - Avoid uploading attachments to public repositories like VirusTotal, so the attacker cannot detect the investigation and adjust the payload to bypass detection.
4. Email Header Analysis
- Obtain the email header from the email properties.
- Perform header analysis:
  - Use MXToolbox:
    - Select "Header Analysis."
    - Paste the header and submit for a detailed report.
  - Verify SPF, DKIM, and DMARC statuses.
5. SPF, DKIM, and DMARC Verification
- SPF (Sender Policy Framework)
  - Authentication protocol specifying which IP addresses are authorized to send email for a domain.
  - SPF alignment: if the domain in the "From" header matches the domain in the "Return-Path" (envelope sender), SPF alignment passes; otherwise, it fails.
  - SPF authentication: if the sending IP is authorized to send on behalf of the Return-Path domain, SPF authentication passes; otherwise, it fails.
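The header checks from sections 4 and 5 can be scripted. The following is an added example, not part of the original notes: it parses a constructed sample header (hypothetical domains and IPs), reads the SPF/DKIM/DMARC results from the Authentication-Results header that the receiving gateway is assumed to stamp, evaluates SPF alignment, and lists the Received hops.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header (hypothetical domains and IPs, not a real email).
SAMPLE_RAW = """\
Return-Path: <bounce@mail-example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbound.example.com with ESMTP; Mon, 01 Jan 2024 10:00:00 +0000
Received: from smtp.mail-example.net ([198.51.100.5])
\tby mx.example.org with ESMTP; Mon, 01 Jan 2024 09:59:58 +0000
Authentication-Results: inbound.example.com;
 spf=pass smtp.mailfrom=mail-example.net;
 dkim=fail header.d=mail-example.net;
 dmarc=fail header.from=bank-example.com
From: "Bank Support" <support@bank-example.com>
To: victim@example.com
Subject: Reset your account within an hour, or it will be disabled
Message-ID: <abc123@mail-example.net>
"""

def domain_of(field: str) -> str:
    """Lower-cased domain of an address header value (empty if none)."""
    return parseaddr(field)[1].rpartition("@")[2].lower()

def analyze_header(raw: str) -> dict:
    """Extract the fields a SOC analyst reviews and evaluate SPF alignment."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    # Authentication-Results is stamped by the receiving gateway (assumed present).
    auth = " ".join(msg.get_all("Authentication-Results", []))
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    report = {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        # SPF alignment: From domain must match the Return-Path domain.
        "spf_aligned": from_dom == rp_dom,
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "dmarc": results.get("dmarc", "none"),
        "message_id": msg.get("Message-ID", ""),
        # Received headers are prepended per hop; reverse so the origin is first.
        "hops": [h.split()[1] for h in reversed(msg.get_all("Received", []))],
    }
    # Any failed check or misalignment warrants deeper investigation.
    report["suspicious"] = not report["spf_aligned"] or any(
        report[k] != "pass" for k in ("spf", "dkim", "dmarc"))
    return report
```

In the sample, SPF passes for the bulk-mail domain in Return-Path but the From domain differs, so alignment fails and DMARC fails, which is the pattern to flag.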
6. Mail Gateway Analysis
- Review fields like:
  - From
  - To
  - Return-Path
  - Subject line
  - Message ID
- Verify how many users received the email from the same domain/email ID.
- Export email details for documentation.
7. Reporting and Mitigation
- Document:
  - Analysis details
  - Findings
  - IOCs (Indicators of Compromise)
  - GTI (Global Threat Intelligence) details
- Share the findings with relevant teams.
- Coordinate with Network/IT/Admin teams to:
  - Block the malicious email, domain, IP, and hash.