Before diving into technical analysis, the first and most critical step is identifying how the phishing attempt was delivered. This determines the nature of the threat, relevant artifacts, and appropriate investigative tools and response actions.
Why It Matters
Each delivery method (email, SMS, voice, web, social media) requires different tools, techniques, and containment procedures.
Misidentifying the vector can lead to incomplete analysis, missed IOCs, or ineffective remediation.
Identifying the channel correctly also lets you categorize phishing attempts for threat intelligence, awareness campaigns, and internal reports.
Below is a summary of phishing analysis by delivery channel.
Example Scenario
An employee reports a strange email with a OneDrive link.
Channel: Email
Proceed with: Header analysis, link investigation, attachment behavior
A user receives a text saying their bank account is locked and telling them to click a link.
Channel: SMS (Smishing)
Proceed with: URL reputation, domain checks, mobile response guidelines
A team member receives a LinkedIn message from a fake recruiter asking them to download a job description.
Channel: Social Media / Messaging App
Proceed with: Profile investigation, file analysis, and platform abuse reporting
Questions to Ask When Identifying the Channel