
Phishing Analysis: A Blue Team Guide to Email Threat Investigation

From email protocols to artifact collection, analysis tools, and defensive actions


This post covers the full analysis workflow — how email works, types of phishing, collecting artifacts, analyzing them with tools, and taking defensive action.


How Email Works

Before analyzing phishing, you need to understand the protocols behind it.

  • SMTP (Simple Mail Transfer Protocol) — sends emails. TCP port 587 (TLS) or legacy port 25.

  • POP3 (Post Office Protocol) — downloads email to local client and deletes from server.

  • IMAP (Internet Message Access Protocol) — keeps email on server, accessible from any device.

Email Delivery Flow

Sender's client → Outbound SMTP server → DNS lookup (recipient domain) 
→ Route through internet → Recipient SMTP server → Recipient client (POP3/IMAP)

The key takeaway: email passes through multiple servers. Each server adds headers. These headers are what we analyze.


Types of Phishing

Type                  | Goal                   | Key Characteristics
----------------------+------------------------+--------------------------------------------------------
Recon                 | Gather information     | Delivery receipts, tracking pixels, verify active email
Credential Harvesting | Steal logins           | Fake login pages, look-alike domains
Malware Delivery      | Execute code           | Malicious attachments (.doc macros, .exe, .pdf.bat)
Spear Phishing        | Target specific person | Personalized content from OSINT
Whaling               | Target executives      | Impersonation of business partners, high-value
BEC                   | Financial fraud        | Impersonate CEO/CFO, request wire transfers
Vishing/Smishing      | Phone/SMS phishing     | Voice calls or texts with malicious links

Tactics Attackers Use

  • Impersonation — pretend to be a trusted entity (colleague, vendor, IT support)

  • Sender Spoofing — forge the "From" address to look legitimate

  • Typosquatting — register look-alike domains (e.g., amaz0n.com, rnicrosoft.com)

  • Homograph Attacks — use unicode characters that look identical (e.g., Cyrillic "а" vs Latin "a")

  • HTML Styling — hide the real URL behind styled buttons

  • URL Shortening — obscure destination using bit.ly, tinyurl

  • Legitimate Service Abuse — host payloads on Google Docs, Dropbox, OneDrive


Collecting Artifacts

This is the core of phishing analysis. Collect everything before blocking anything.

Email Artifacts

  • Sending address — display name vs. actual address (often different)

  • Reply-to address — critical indicator. Attackers often set a different reply-to to bypass sender verification.

  • Date and time — track campaign trends

  • Originating IP — check X-Sender-IP or X-Originating-IP in headers

  • Subject line — useful for finding similar phishing emails across mailboxes

  • Recipients — check BCC field for hidden recipients (mass campaign indicator)

Web Artifacts

  • Full URLs — copy via right-click "Copy Link Destination". Never click. Never hand-type.

  • Root domain — determine if it's a malicious domain or a compromised legitimate site

  • Redirect chains — follow 302 hops through multiple domains to find the actual phishing page

File Artifacts

  • Attachment filename + extension — for EDR blocking rules

  • SHA256 hash — standard for VirusTotal lookups. Avoid MD5/SHA1 (hash collision vulnerabilities).


How to Extract Email Headers

Open the .eml file in a text editor (Sublime Text works well).

Use CTRL+F to search for:

  • From — sender email address

  • To — recipient

  • Subject — subject line

  • Date — timestamp

  • X-Sender-IP or X-Originating-IP — originating IP

  • Reply-To — reply address (if different from sender, suspicious)

  • Content-Transfer-Encoding — check for Base64 encoded content

Here's an example — opening a phishing email in Sublime Text and searching for the originating IP:

Reverse DNS Lookup

Once you have the sending server IP, verify it with a reverse DNS lookup:

  • MXToolbox: https://mxtoolbox.com/ReverseLookup.aspx

  • Compare the resolved hostname against the claimed sender domain

  • If it doesn't match, likely spoofed

Decoding Base64 Content

Some phishing emails encode their body in Base64 to bypass filters.

  • Open CyberChef (https://gchq.github.io/CyberChef/)

  • Paste the encoded content

  • Apply "From Base64" recipe

  • This reveals hidden URLs, embedded images, and actual email content
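The header search and the Base64 decoding steps above can be done in one pass with Python's standard email library. This is an added example, not code from the original post; the sample .eml is constructed here and is not a real message.

```python
import base64
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample .eml for this example (not from the original post). It has
# the two things the post says to search for: a Reply-To domain that differs
# from the From domain, and a Base64-encoded HTML body.
_BODY = b'<html><body><a href="https://login.example-corp-reset.invalid/x">Reset now</a></body></html>'
SAMPLE_EML = (
    b'From: "IT Support" <helpdesk@example-corp.invalid>\r\n'
    b'To: victim@example-corp.invalid\r\n'
    b'Reply-To: collector@mail-relay.invalid\r\n'
    b'Subject: Password expires today\r\n'
    b'Date: Mon, 03 Jun 2024 08:15:00 +0000\r\n'
    b'X-Originating-IP: [203.0.113.45]\r\n'
    b'MIME-Version: 1.0\r\n'
    b'Content-Type: text/html; charset="utf-8"\r\n'
    b'Content-Transfer-Encoding: base64\r\n\r\n'
    + base64.b64encode(_BODY) + b'\r\n'
)

# The header fields the post tells you to CTRL+F for.
HEADERS = ("From", "To", "Subject", "Date", "Reply-To",
           "X-Sender-IP", "X-Originating-IP", "Content-Transfer-Encoding")
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def analyze_eml(raw: bytes) -> dict:
    """Pull the post's header artifacts out of a raw .eml, decode the body and
    flag a Reply-To domain that differs from the From domain."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    headers = {h: str(msg[h]) for h in HEADERS if msg[h] is not None}
    from_domain = parseaddr(headers.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(headers.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    # get_content() undoes the Content-Transfer-Encoding (Base64 here), which is
    # the same step the post performs by hand in CyberChef.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    ip = (headers.get("X-Originating-IP") or headers.get("X-Sender-IP") or "").strip("[]")
    return {
        "headers": headers,
        "originating_ip": ip,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "base64_body": headers.get("Content-Transfer-Encoding", "").lower() == "base64",
        "urls": URL_RE.findall(body),
    }
```

Run `analyze_eml(open("sample.eml", "rb").read())` on a saved message to get the same dictionary for a real case.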


Analysis Tools

Category           | Tools                                 | Purpose
-------------------+---------------------------------------+-----------------------------------------------
Visualization      | URL2PNG, URLScan.io                   | Safely screenshot/render URLs without visiting
URL Reputation     | VirusTotal, URLhaus, PhishTank        | Check if URL is known malicious
File Reputation    | VirusTotal, Talos File Reputation     | Check file hash against known malware
Malware Sandboxing | Any.Run, Hybrid Analysis, Joe Sandbox | Detonate suspicious files safely
Email Analysis     | PhishTool, Thunderbird + Sublime Text | Parse email structure and headers
WHOIS/DNS          | DomainTools WHOIS, dig, nslookup      | Domain registration and IP ownership

Investigation Workflow

  1. Extract all artifacts from the email

  2. Check sender IP with Reverse DNS

  3. Screenshot any URLs with URL2PNG or URLScan.io

  4. Check URLs against VirusTotal, URLhaus, PhishTank

  5. If attachments exist — get SHA256 hash, check VirusTotal, detonate in sandbox

  6. Check domain registration date (WHOIS) — newly registered domains are suspicious

  7. Document everything


Real Investigation: Following a Redirect Chain

Phishing emails often use multiple redirects to hide the actual destination. Here's a walkthrough from a real investigation.

The Setup

A phishing email impersonating Disney+ was targeting German users. The email contained a link — but the link didn't go directly to the phishing site.

First, copy the link (right-click, never click) and decode it:

Following the Redirects

The first URL returns an HTTP 302 Found — a redirect:

Check the HTTP header to find where it's redirecting to:

After following the full redirect chain, we reach the actual phishing domain:

Analyzing the Credential Harvester

The phishing page contained JavaScript that collected user credentials. Investigating the JS revealed what data was being harvested:

The stolen data was POST'ed to a specific endpoint:

WHOIS and Infrastructure Analysis

Checking the WHOIS record — the domain was registered just 2 days before the phishing email was sent:

The hosting server was located in Russia:

And the same server was hosting 10+ other credential harvesters, all targeting banks:

Key Takeaways from This Investigation

  • One phishing email led to a full infrastructure of credential harvesters

  • Redirect chains are used to evade URL reputation checks

  • WHOIS registration date is a strong indicator — freshly registered domains targeting your org are suspicious

  • Always investigate the hosting infrastructure — you might find more campaigns


Defensive Actions

Preventative

SPF (Sender Policy Framework)

  • DNS TXT record that defines which servers can send emails for your domain

  • Syntax: v=spf1 a include:mailgun.org include:protection.outlook.com -all

  • -all = hard fail — block unauthorized senders

DKIM (DomainKeys Identified Mail)

  • Cryptographic signature to verify email authenticity

  • Sender's mail server signs a hash of the message with its private key → signature added to the DKIM-Signature header

  • Recipient server verifies with public key stored in DNS

  • Syntax (DNS TXT record): v=DKIM1; k=<key type>; p=<public key>

DMARC (Domain-based Message Authentication, Reporting & Conformance)

  • Builds on SPF + DKIM. Lets domain owners set policy for failed authentication:

    • p=none — monitoring only

    • p=quarantine — send to spam

    • p=reject — block completely

  • Example: v=DMARC1; p=quarantine; rua=mailto:admin@company.com

  • Generates reports for monitoring authentication failures
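A quick way to catch the weak settings described above (a soft `~all` in SPF, `p=none` in DMARC, no report address) is to lint the TXT records before publishing them. Added example, not from the original post; the records below are constructed, and `_spf.example.invalid` is a placeholder include.

```python
# Constructed DNS TXT records for this example (not from the original post):
# a weak pair that the checker should flag and a hardened pair it should pass.
WEAK_SPF = "v=spf1 a include:mailgun.org ~all"
STRONG_SPF = "v=spf1 a include:mailgun.org include:_spf.example.invalid -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:admin@example.invalid"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:admin@example.invalid"

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")


def spf_findings(record: str) -> list:
    """Return the weaknesses found in an SPF record (empty list = looks fine)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are implicitly allowed")
    elif not all_term.startswith("-"):
        findings.append(f"'{all_term}' does not hard-fail; use -all to reject unauthorized senders")
    lookups = sum(1 for t in terms[1:]
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_MECHS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the 10-lookup limit (permerror)")
    return findings


def dmarc_findings(record: str) -> list:
    """Return the weaknesses found in a DMARC record (empty list = looks fine)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    pol = tags.get("p", "").lower()
    if pol not in ("quarantine", "reject"):
        findings.append(f"p={pol or '<missing>'}: failures are only monitored, never blocked")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    return findings
```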

Other Preventative Measures:

  • Spam filters (content and reputation-based)

  • Attachment sandboxing — detonate before delivery

  • External email banners — warn users about external senders

  • Security awareness training

Reactive

When a phishing email is confirmed:

  1. Quarantine — remove from all mailboxes that received it

  2. Notify — alert affected users immediately

  3. Block sender — add sending address/domain to mail gateway blocklist

  4. Block URLs — add malicious URLs/domains to proxy or firewall blocklists

  5. Block file hashes — add to EDR/antivirus blocklists

  6. Reset credentials — if any user clicked and submitted credentials

Sanitizing Artifacts for Reports

Before sharing IOCs in reports or tickets, defang them to prevent accidental clicks:

  • URLs: hXXps://malicious[.]com/phish

  • IPs: 192.168.1[.]1

  • Emails: attacker[@]evil[.]com
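The defanging conventions above, applied programmatically so that every URL, email address and IP in a ticket gets sanitized consistently (with a `refang` to reverse it for lookups). Added example, not from the original post; the sample ticket text is constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def defang(ioc: str) -> str:
    """Defang one URL, email address or IPv4 address using the post's conventions."""
    s = ioc.strip()
    if re.match(r"https?://", s, re.IGNORECASE):
        parts = urlsplit(s)
        scheme = "hXXps" if parts.scheme.lower() == "https" else "hXXp"
        # Only the host part is bracketed, as in hXXps://malicious[.]com/phish
        host = parts.netloc.replace(".", "[.]")
        return urlunsplit((scheme, host, parts.path, parts.query, parts.fragment))
    if "@" in s:
        local, _, domain = s.rpartition("@")
        return local + "[@]" + domain.replace(".", "[.]")
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", s):
        head, _, last = s.rpartition(".")  # post's style: 192.168.1[.]1
        return head + "[.]" + last
    return s.replace(".", "[.]")  # bare domain


def refang(text: str) -> str:
    """Reverse defang() so an analyst can look an indicator up again."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("[@]", "@")


# Matches the IOC types handled above inside free text: URLs first so the
# email and IP patterns do not fire on pieces of a URL.
_IOC_RE = re.compile(
    r"https?://[^\s<>\"']+"                 # URL
    r"|[\w.+-]+@[\w-]+(?:\.[\w-]+)+"        # email address
    r"|\b(?:\d{1,3}\.){3}\d{1,3}\b",        # IPv4 address
    re.IGNORECASE,
)


def defang_report(text: str) -> str:
    """Defang every IOC found in a block of report/ticket text."""
    return _IOC_RE.sub(lambda m: defang(m.group(0)), text)


# Constructed sample ticket text (not from the original post).
SAMPLE_TEXT = ("User clicked http://login.evil.invalid/reset sent by attacker@evil.invalid "
               "from 203.0.113.45 and replied to finance@evil.invalid.")
```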


Phishing Report Template

A proper phishing analysis report should include:

  1. Email Header Info — sender, recipient, date, originating IP, subject

  2. Artifacts & Body Content — URLs, attachments, embedded content with sanitized IOCs

  3. Analysis Process & Results — which tools were used, what they found

  4. Classification — recon, credential harvester, malware delivery, BEC

  5. Defensive Measures Taken — what was blocked, who was notified

  6. Attached Evidence — original .eml or .msg file, screenshots


Key Takeaways

  • Always collect artifacts before blocking — you need the evidence

  • Reply-To address is one of the most reliable phishing indicators

  • Use SHA256 for file hash lookups (not MD5/SHA1)

  • Never click links directly — use right-click "Copy Link Destination" or extract from text editor

  • SPF + DKIM + DMARC together provide layered email authentication

  • Sanitize all IOCs before sharing in reports

  • Check domain WHOIS — newly registered domains targeting your org is a strong indicator

  • Investigate the infrastructure — one phishing domain often hosts many campaigns
