Phishing Analysis is the methodical process of analyzing a suspected phishing attack for indicators of compromise/attack. While email is the most common vector, modern phishing campaigns exploit SMS (smishing), voice calls (vishing), social media, and web-based attack surfaces. (Check the Phishing Attacks article for a refresher.)
SOC Analysts must be able to systematically analyze phishing attempts, determine their legitimacy, identify Indicators of Compromise (IOCs), and recommend remediation steps. This guide presents a generalized phishing analysis methodology that is scalable, channel-agnostic, and operationally practical.
Phishing analysis can be broken down into the 9 phases listed below.
TIP: Keep detailed notes throughout every phase and step. Doing so lets an analyst record all IOCs, reconstruct an accurate timeline of events, correlate artifacts and events with known threat actors and their tactics, techniques, and procedures (TTPs), make the investigation easy for other security team members to follow, and support remediation of any misconfigurations or security flaws, reducing exposure to future vulnerabilities, threats, and attacks.
As covered in Phase 2: Collect Artifacts, depending on the type of phishing attack (and thus communication channel), phishing analysis can be divided into four areas: Domain Analysis, URL Analysis, Attachment Analysis, and Email Header Analysis.
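An added example, not part of the original article, of how an analyst can pull the starting artifacts for each of these four areas out of a single message using only Python's standard library. The message, its .test domains, the documentation IP 192.0.2.10 and the text attachment are all constructed for illustration.

```python
import email, hashlib, re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: hypothetical .test domains, documentation IP, harmless text attachment.
SAMPLE_EML = """\
Return-Path: <bounce@mailer-example.test>
Received: from mx.mailer-example.test ([192.0.2.10]) by mail.victim-corp.test; Mon, 1 Jan 2024 09:00:00 +0000
From: "IT Helpdesk" <helpdesk@victim-corp.test>
Reply-To: support@mailer-example.test
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your password expires today. <a href="http://login.mailer-example.test/reset">Reset here</a></p>
--b1
Content-Disposition: attachment; filename="Notice.txt"

placeholder attachment body
--b1--
"""
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def domain_of(header_value):
    # Domain of the address in a From/Reply-To/Return-Path header ('' if absent).
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()

def analyze_email(raw):
    """Extract the starting artifacts for the four analysis areas from one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    # Email header analysis: claimed sender, reply/bounce targets, and the connecting IP
    # in the topmost Received header (added by the receiving MTA, so the most trustworthy hop).
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    bounce_dom = domain_of(msg.get("Return-Path", "")) or from_dom
    hop = IP_RE.search(str(msg.get("Received", "")))
    # URL analysis: links in body text parts (attachments are handled separately).
    urls = [u for p in msg.walk() if p.get_content_maintype() == "text"
            and not p.is_attachment() for u in URL_RE.findall(p.get_content())]
    # Attachment analysis: filename plus SHA-256 for reputation lookup or sandbox submission.
    attachments = [{"filename": p.get_filename(), "sha256": hashlib.sha256(
        p.get_payload(decode=True)).hexdigest()} for p in msg.iter_attachments()]
    return {"sender_ip": hop.group(1) if hop else None, "from_domain": from_dom,
            "reply_to_domain": reply_dom, "return_path_domain": bounce_dom,
            # Domain analysis: Reply-To/Return-Path on a different domain than From suggests spoofing.
            "domain_mismatch": len({from_dom, reply_dom, bounce_dom}) > 1,
            "urls": urls, "url_domains": sorted({urlparse(u).hostname for u in urls}),
            "attachments": attachments}
```

The returned dictionary is the IOC list to carry into the notes recommended above; each domain, URL and hash is then checked in the respective analysis area.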
Header Image - Photo by National Cancer Institute on Unsplash