Step-by-Step Investigation of a Phishing Email
End-to-end phishing email investigation workflow covering preservation, header analysis, URL and attachment forensics, user impact assessment, and containment response.
Step 1: Preserve and Isolate the Email
- Do NOT click any links or open attachments.
- Save the original message as .eml or .msg, taken straight from the mailbox or the mail gateway. Do not work from a forwarded copy: forwarding rewrites the headers and strips the evidence you need.
- Export the full headers (Received, Return-Path, Authentication-Results, Message-ID) for further investigation.
- Record the SHA-256 of the saved file and of each attachment, and search the mail gateway for other recipients of the same Message-ID or subject so you know the blast radius before you start.
Step 2: Analyze Email Headers
Identify the True Sender (From vs. Return-Path vs. Received)
- Compare the “From” address with the “Return-Path” (envelope sender). A mismatch on its own is not proof of phishing, since mailing lists and bulk senders do it legitimately, but a mismatch combined with failed authentication is a strong signal.
- Look for display name spoofing (e.g., “Microsoft Support” with a non-Microsoft domain), lookalike domains (microsoft-support.com, rnicrosoft.com) and punycode hosts (xn--...) that hide Unicode homoglyphs.
- Read the “Received” headers bottom-up: the lowest one is the hop closest to the origin. Only the hops added by your own mail infrastructure are trustworthy; an attacker can prepend fake Received lines below them. Flag an origin with no reverse DNS (“unknown [IP]”) or an IP that does not belong to the claimed sender.
- Use tools like:
- MXToolbox (https://mxtoolbox.com/EmailHeaders.aspx)
- Google Admin Toolbox Message Header Analyzer (https://toolbox.googleapps.com/apps/messageheader/)
Check SPF, DKIM, and DMARC Authentication
- Verify SPF (Sender Policy Framework): it checks whether the connecting IP is authorized to send for the envelope sender (Return-Path) domain, not for the visible “From” domain.
- Validate DKIM (DomainKeys Identified Mail): the signing domain (d=) vouches that the signed headers and body were not altered after signing.
- Check DMARC: it passes only if SPF or DKIM passed and the authenticated domain aligns with the “From” domain. That alignment is what stops plain header spoofing of a protected domain.
- Example of a spoofed email failing authentication. The receiving server writes one Authentication-Results header that starts with its own name and separates the results with semicolons:
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=attacker.example;
 dkim=none;
 dmarc=fail header.from=microsoft.com
- Caveat: all three passing does not make the email safe. An attacker who registers a lookalike domain and publishes SPF and DKIM records for it gets spf=pass, dkim=pass and dmarc=pass for that domain. Authentication tells you who really sent the message; it does not tell you whether that sender is legitimate.
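The checks above can be scripted against the saved .eml so the same questions get asked of every reported message. The block below is an added example written for this page, not a tool from the original; it uses only the Python standard library and two constructed sample messages (a direct spoof of microsoft.com that fails authentication, and an attacker-owned lookalike domain that passes it). The brand-to-domain map is an assumption and would need extending for real use.

```python
"""Triage the headers of a saved .eml: sender alignment, authentication, origin hop."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: a small brand -> legitimate-domain map; extend it for real use.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "outlook.com", "office.com"}}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
# "from <helo> (<reverse-dns> [<ip>])" as written by most MTAs.
RECV_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)")

# Constructed sample 1: header From spoofs microsoft.com, so every check fails.
SPOOFED_EML = """\
Return-Path: <bounce-4421@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.23])
 by mx.corp.example.com with ESMTPS id abc123; Mon, 3 Mar 2025 09:12:44 +0000
Received: from [10.0.0.5] (unknown [203.0.113.77])
 by mail-relay.example.net with ESMTPA id xyz789; Mon, 3 Mar 2025 09:12:40 +0000
Authentication-Results: mx.corp.example.com;
 spf=fail (sender IP is 198.51.100.23) smtp.mailfrom=mail-relay.example.net;
 dkim=none; dmarc=fail action=quarantine header.from=microsoft.com
From: "Microsoft Support" <security-alert@microsoft.com>
To: victim@corp.example.com
Subject: Unusual sign-in activity

Your account will be locked. Verify here: https://bit.ly/3xAmpl
"""

# Constructed sample 2: attacker-owned lookalike domain, so authentication passes.
LOOKALIKE_EML = """\
Return-Path: <alerts@microsoft-support-desk.com>
Received: from mail.microsoft-support-desk.com (mail.microsoft-support-desk.com [203.0.113.9])
 by mx.corp.example.com with ESMTPS id def456; Mon, 3 Mar 2025 09:30:01 +0000
Authentication-Results: mx.corp.example.com;
 spf=pass smtp.mailfrom=microsoft-support-desk.com;
 dkim=pass header.d=microsoft-support-desk.com;
 dmarc=pass header.from=microsoft-support-desk.com
From: "Microsoft Support" <alerts@microsoft-support-desk.com>
To: victim@corp.example.com
Subject: Password expiry notice

Reset now: https://microsoft-support-desk.com/reset
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _auth_results(msg):
    """First verdict per method from the receiving server's Authentication-Results."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(hdr)):
            found.setdefault(method.lower(), verdict.lower())
    return found


def _received_hops(msg):
    """Hops oldest-first: the bottom Received header is the one nearest the origin."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = RECV_RE.search(str(hdr))
        if m:
            hops.append({"helo": m.group(1), "reverse_dns": m.group(2), "ip": m.group(3)})
    return hops


def triage_headers(raw_eml):
    msg = message_from_string(raw_eml, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    from_dom, rp_dom = _domain(from_addr), _domain(return_path)
    auth = _auth_results(msg)
    hops = _received_hops(msg)
    origin = hops[0] if hops else None
    brand = next((b for b in BRAND_DOMAINS if b in display_name.lower()), None)
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "envelope_mismatch": bool(rp_dom) and rp_dom != from_dom,
        "display_name_brand": brand,
        "lookalike_domain": brand is not None and from_dom not in BRAND_DOMAINS[brand],
        "auth": auth,
        "auth_failed": any(auth.get(m) != "pass" for m in ("spf", "dkim", "dmarc")),
        "origin_ip": origin["ip"] if origin else None,
        "origin_no_rdns": origin is not None and origin["reverse_dns"].lower() == "unknown",
    }


if __name__ == "__main__":
    for label, eml in (("spoofed", SPOOFED_EML), ("lookalike", LOOKALIKE_EML)):
        print(label, triage_headers(eml))
```

The two samples show why no single field decides the case: the spoof trips envelope_mismatch, auth_failed and origin_no_rdns but looks like a genuine microsoft.com address, while the lookalike passes every authentication check and is caught only by the display-name-versus-domain comparison.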
Step 3: Examine URLs & Links
Hover Over Links (Without Clicking)
- Check if displayed links match the actual hyperlink.
- Look for misspellings (e.g., microsoft-support.com instead of microsoft.com).
- Identify URL shortening services (bit.ly, tinyurl, etc.), which hide the final destination; expand them in a sandboxed scanner such as URLScan.io rather than in your own browser.
Extract and Analyze URLs
- Copy links (without clicking) and check them using:
- VirusTotal (https://www.virustotal.com)
- URLScan.io (https://urlscan.io/)
- Hybrid Analysis (https://www.hybrid-analysis.com/)
- Google Safe Browsing (https://transparencyreport.google.com/safe-browsing/search)
- Caveat: many phishing links carry a per-recipient token in the path or query string. Submitting such a URL to a public scanner tells the attacker the link was opened and publishes the token (public URLScan.io results are visible to anyone). Strip the token, or use a private scan where the service offers one.
Decode Obfuscated URLs
- If the URL contains Base64-encoded text (often the real destination hidden in a query parameter), decode it using CyberChef; also undo percent-encoding and convert punycode (xn--) hosts back to Unicode to spot homoglyphs.
- Check for HTML entity encoding, open redirects on legitimate domains (a trusted host whose query string carries the real destination) and JavaScript redirections.
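Pulling the links out of the HTML body and applying the checks above is easy to automate. The block below is an added example for this page, not code from the original; it runs offline on a constructed sample body containing a shortener behind legitimate-looking anchor text, a lookalike domain with a Base64-encoded redirect target, a genuine Microsoft link, and a punycode homoglyph host. The shortener list, the brand list and the naive “last two labels” registered-domain rule are assumptions; real tooling would use a public suffix list.

```python
"""Extract the links from a phishing email's HTML body and flag the usual tricks."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd")  # assumption: short list
BRAND_DOMAINS = ("microsoft.com", "office.com")  # assumption: brands this lure impersonates
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)

# Constructed sample body: a shortener behind legitimate-looking anchor text, a lookalike domain
# carrying a Base64 redirect target, a genuine Microsoft link, and a punycode homoglyph host.
_B64_TARGET = base64.b64encode(b"https://evil.example/phish").decode()
_IDN_HOST = "micr\u043esoft.com".encode("idna").decode()  # Cyrillic o in place of Latin o
SAMPLE_HTML = f"""
<p>Review now: <a href="https://bit.ly/3xAmpl">https://portal.office.com/security</a></p>
<p>Or <a href="http://microsoft-support.com/login?next={_B64_TARGET}">verify here</a></p>
<p>Docs: <a href="https://learn.microsoft.com/en-us/">learn.microsoft.com</a></p>
<p><a href="https://{_IDN_HOST}/signin">Microsoft sign-in</a></p>
"""


class _LinkParser(HTMLParser):
    """Collect (href, anchor text) pairs without rendering anything."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _registered(host):
    # Assumption: naive "last two labels"; use a public-suffix list for real data.
    return ".".join(host.split(".")[-2:])


def _decode_b64_url(value):
    """Return the decoded string if the query value is Base64 hiding a URL, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.startswith(("http://", "https://")) else None


def analyze_link(href, text):
    host, flags = _host(href), []
    result = {"href": href, "text": text, "host": host, "flags": flags}
    if _registered(host) in SHORTENERS:
        flags.append("shortener")
    if URLISH.match(text) and _registered(_host(text)) != _registered(host):
        flags.append("anchor_text_mismatch")  # displayed link differs from the real target
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode_host")
        try:
            result["unicode_host"] = host.encode("ascii").decode("idna")
        except UnicodeError:
            result["unicode_host"] = None
    for brand in BRAND_DOMAINS:
        if _registered(host) != brand and brand.split(".")[0] in host:
            flags.append("brand_lookalike")
            break
    for key, values in parse_qs(urlparse(href).query).items():
        for value in values:
            if value.startswith(("http://", "https://")):
                flags.append(f"redirect_param:{key}")
            elif (decoded := _decode_b64_url(value)) is not None:
                flags.append(f"base64_url_param:{key}->{decoded}")
    return result


def triage_body(html):
    return [analyze_link(href, text) for href, text in extract_links(html)]


if __name__ == "__main__":
    for r in triage_body(SAMPLE_HTML):
        print(r)
```

Feed it the HTML part of the saved .eml; every flagged href (and every decoded redirect target) is what you then submit to the scanners listed above, with per-recipient tokens removed first.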
Step 4: Investigate Attachments
Identify File Type
- Look at the file extension (e.g., .pdf, .docm, .xlsm, .zip), but do not trust it: the extension is whatever the sender chose to type.
- Attachments are Base64-encoded inside the .eml (MIME transfer encoding); use CyberChef, or save the attachment from the mail client, to recover the raw file, then record its SHA-256 for hash lookups.
- Check the file signature (magic bytes) in HxD against Gary Kessler’s File Signature Database and compare it with the extension. Common ones: 25 50 44 46 2D (“%PDF-”) for PDF, 50 4B 03 04 (“PK”) for ZIP, which also covers .docx/.docm/.xlsx/.xlsm because Office Open XML files are ZIP containers, D0 CF 11 E0 A1 B1 1A E1 for legacy Office/OLE files, and 4D 5A (“MZ”) for Windows executables. A “.pdf” that starts with MZ is an executable.
Scan Attachments for Malware
- Use sandboxes or threat intelligence platforms:
- VirusTotal
- Hybrid Analysis
- Any.Run (https://any.run/)
- Joe Sandbox (https://www.joesandbox.com/)
- Caveat: public sandboxes share uploaded samples with other subscribers. Search by SHA-256 first; upload a document that may contain company data only if policy allows it.
Inspect Macros & Embedded Code
- If the file is a Word document (.docm) or Excel file (.xlsm), or any other Office file (legacy OLE and Open XML alike):
- Run olevba from the oletools package to extract and analyze the macros:
olevba malicious.docm
- Look for auto-execution triggers (AutoOpen, Document_Open, Workbook_Open), suspicious calls (Shell, CreateObject("WScript.Shell"), PowerShell, cmd.exe, WScript, URLDownloadToFile) and string obfuscation (Chr(), StrReverse, long Base64 blobs). olevba’s summary table flags most of these for you.
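The file-type and macro checks from this step (extension versus magic bytes, ZIP contents, presence of VBA storage) can be run on every attachment straight from the .eml before anything is uploaded anywhere. The block below is an added example for this page, not a tool from the original; it builds a constructed message containing a macro-enabled .docm and a Windows executable disguised as a PDF, then hashes and classifies each attachment. Finding vbaProject.bin inside the container tells you the document carries macros; olevba is still the tool for reading them.

```python
"""Pull attachments out of a saved .eml, hash them, and check magic bytes and macros."""
import hashlib
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# (magic bytes, kind, extensions that legitimately carry that signature)
SIGNATURES = [
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "docm", "xlsx", "xlsm", "pptx", "pptm", "jar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole", {"doc", "xls", "ppt", "msg"}),
    (b"MZ", "pe", {"exe", "dll", "scr", "com"}),
    (b"\x7fELF", "elf", {"elf", "so"}),
    (b"Rar!\x1a\x07", "rar", {"rar"}),
]
NESTED_RISKY = (".exe", ".dll", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso")


def build_sample_eml():
    """Constructed message: a macro-enabled .docm and an executable disguised as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # .docm is an Open XML (ZIP) container
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 16)  # macro storage
    msg = EmailMessage()
    msg["From"] = "billing@invoice-portal.example"
    msg["To"] = "victim@corp.example.com"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="Invoice_4471.docm")
    msg.add_attachment(b"MZ\x90\x00" + b"\0" * 60, maintype="application", subtype="pdf",
                       filename="Statement.pdf")
    return msg.as_bytes()


def detect_type(data):
    for magic, kind, exts in SIGNATURES:
        if data.startswith(magic):
            return kind, exts
    return "unknown", set()


def inspect_zip(data):
    """List ZIP entries and flag VBA storage or risky nested files."""
    info = {"entries": [], "has_vba": False, "nested_risky": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            info["entries"].append(name)
            if name.lower().endswith("vbaproject.bin"):
                info["has_vba"] = True
            if name.lower().endswith(NESTED_RISKY):
                info["nested_risky"].append(name)
    return info


def inspect_attachments(raw_eml):
    msg = message_from_bytes(raw_eml, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""  # undo the MIME Base64 transfer encoding
        ext = name.rpartition(".")[2].lower() if "." in name else ""
        kind, exts = detect_type(data)
        rec = {"name": name, "size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
               "ext": ext, "kind": kind, "flags": []}
        rec["ext_mismatch"] = kind != "unknown" and ext not in exts
        if rec["ext_mismatch"]:
            rec["flags"].append(f"extension_mismatch:{ext}!={kind}")
        if kind == "pe":
            rec["flags"].append("executable")
        if kind == "zip":
            rec.update(inspect_zip(data))
            if rec["has_vba"]:
                rec["flags"].append("macro_enabled")  # hand this one to olevba next
            if rec["nested_risky"]:
                rec["flags"].append("nested_executable")
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in inspect_attachments(build_sample_eml()):
        print(rec["name"], rec["kind"], rec["sha256"][:16], rec["flags"])
```

The SHA-256 in each record is what you search on VirusTotal or Hybrid Analysis before deciding whether an upload is needed at all.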
Step 5: Check for User Interaction
Verify If the User Clicked the Link
- Check web proxy / secure web gateway logs for requests to the suspicious URL or domain from the user’s client IP. Note the timestamp of the first request and whether the redirect target was fetched as well.
- Check process creation on the endpoint: Windows Security event ID 4688 (present only if “Audit Process Creation” is enabled, and useful only with command-line logging turned on), Sysmon event ID 1, or your EDR’s process telemetry. Look for the mail client or an Office application spawning a browser, PowerShell, cmd.exe or a script host.
Check If the User Entered Credentials
- Look for HTTP POST requests to the phishing page in the proxy / web gateway logs. Firewall logs usually record only the connection, and with TLS the method and path are visible only if the gateway decrypts traffic; if you cannot see the POST, assume credentials were entered once the page was loaded.
- Check the identity provider’s sign-in logs (Active Directory events 4624/4625/4771, Entra ID / Microsoft 365 sign-in logs) for logins from new IPs, countries or user agents shortly after the click, plus new MFA device registrations and inbox forwarding rules.
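Both questions in this step (did the user reach the phishing page and submit to it; did a document spawn a payload) reduce to searching logs for the email’s indicators. The block below is an added example for this page, not a tool from the original. It runs on constructed data: a proxy log in a simple space-separated format (time, client, user, method, URL, status, bytes, an assumed layout rather than any vendor’s), and process-creation events shaped like the fields of Security 4688 / Sysmon 1. The IOCs are the constructed values from the earlier samples.

```python
"""Did the user click, submit credentials, or run the payload? Scan constructed logs."""
import base64
import ntpath
from urllib.parse import urlparse

# Assumption: IOCs lifted from the email under investigation (constructed values).
IOCS = {"microsoft-support-desk.com", "bit.ly/3xAmpl"}

# Constructed proxy log; format (time client user method url status bytes) is an assumption.
PROXY_LOG = """\
2025-03-03T09:14:51Z 10.20.30.5 jdoe GET https://www.corp.example.com/ 200 5120
2025-03-03T09:15:02Z 10.20.30.5 jdoe GET https://bit.ly/3xAmpl 301 0
2025-03-03T09:15:03Z 10.20.30.5 jdoe GET https://microsoft-support-desk.com/reset 200 1843
2025-03-03T09:15:41Z 10.20.30.5 jdoe POST https://microsoft-support-desk.com/reset/submit 302 412
2025-03-03T09:20:13Z 10.20.30.7 asmith GET https://news.example.org/ 200 30211
"""

# Constructed process-creation events, shaped like the fields of Security 4688 / Sysmon 1.
PROCESS_EVENTS = [
    {"time": "2025-03-03T09:30:58Z", "host": "WS-0142", "user": "CORP\\jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\Invoice_4471.docm"'},
    {"time": "2025-03-03T09:31:10Z", "host": "WS-0142", "user": "CORP\\jdoe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc JABhAD0AMQA="},
    {"time": "2025-03-03T09:45:00Z", "host": "WS-0142", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _matches_ioc(url):
    host = (urlparse(url).hostname or "").lower()
    bare = url.split("://", 1)[-1]
    return any(host == i or host.endswith("." + i) or bare.startswith(i) for i in IOCS)


def proxy_hits(log_text):
    """Per user: first contact with an IOC and whether a POST (likely a credential submit) followed."""
    users = {}
    for line in log_text.splitlines():
        ts, client, user, method, url, status, _size = line.split()
        if not _matches_ioc(url):
            continue
        rec = users.setdefault(user, {"client": client, "first_seen": ts,
                                      "credentials_posted": False, "requests": []})
        rec["requests"].append((ts, method, url, status))
        if method == "POST":
            rec["credentials_posted"] = True
    return users


def decode_encoded_command(cmdline):
    """Decode PowerShell -EncodedCommand (Base64 of UTF-16LE), or return None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ("-enc", "-encodedcommand", "-ec", "-e"):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def process_alerts(events):
    """Flag an Office application spawning a script host: the classic macro payload pattern."""
    alerts = []
    for ev in events:
        parent = ntpath.basename(ev["parent"]).lower()
        image = ntpath.basename(ev["image"]).lower()
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            alerts.append({**ev, "reason": f"{parent} spawned {image}",
                           "decoded_command": decode_encoded_command(ev["cmdline"])})
    return alerts


if __name__ == "__main__":
    print(proxy_hits(PROXY_LOG))
    print(process_alerts(PROCESS_EVENTS))
```

The matching is deliberately on the parent/child relationship rather than on the PowerShell arguments alone: the SYSTEM-launched inventory script in the sample is the kind of legitimate automation that would flood an alert keyed only on powershell.exe, while Word launching any script host is almost never legitimate.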
Step 6: Investigate the Sender’s Domain
Perform a WHOIS Lookup
- Identify when the domain was registered:
- WHOIS Lookup (https://who.is)
- DomainTools (https://whois.domaintools.com/)
- If the domain is newly registered (within the last 30 days), it’s highly suspicious. WHOIS privacy services hide the registrant but not the creation date, so the age check still works.
Check Domain Reputation
- Use tools like:
- Talos Intelligence (https://talosintelligence.com/)
- AbuseIPDB (https://www.abuseipdb.com/)
- URLhaus (https://urlhaus.abuse.ch/)
Step 7: Containment and Response
If Malicious:
- Block the sender’s address and domain at the mail gateway, and purge the message from every recipient mailbox identified in Step 1.
- Block the malicious URLs and domains on the proxy/firewall, including the redirect target and not just the first hop.
- Quarantine any downloaded attachments and add their hashes to the EDR blocklist.
If User Clicked a Phishing Link:
- If credentials were (or may have been) entered, reset the user’s password immediately and revoke active sessions and refresh tokens; a password reset alone does not log out an attacker who already holds a session.
- Enable Multi-Factor Authentication (MFA) if not already in place, and review MFA registrations added since the click.
- Check the identity provider’s sign-in logs for logins from unusual locations, and the mailbox for new forwarding or inbox rules.
If Malware Was Opened:
- Isolate the infected machine from the network (EDR network containment, or remove it from the VLAN).
- Review Sysmon/EDR telemetry on the host (process creation, network connections, file writes, persistence) to trace what the payload did, and scope the rest of the fleet for the same hash and URLs.
Summary of Key Investigation Steps
| Step | Action | Tools |
|---|---|---|
| Preserve Email | Save in .eml or .msg format | Email Client |
| Analyze Headers | Check SPF, DKIM, DMARC | MXToolbox, Google Admin Toolbox |
| Extract URLs | Decode and scan for threats | VirusTotal, URLScan.io |
| Investigate Attachments | Check macros, file signatures | CyberChef, Hybrid Analysis |
| Verify User Activity | Check logs for execution & login attempts | SIEM, Windows Event Logs |
| Analyze Sender Domain | Check WHOIS & reputation | DomainTools, Talos Intelligence |
| Contain & Respond | Block sender, reset passwords, scan endpoints | Firewall, EDR, SIEM |