Advance analysis of Phishing mails as a SOC Analyst
What is Phishing?
-Phishing is the art of deception — attackers impersonate legitimate entities to steal credentials, MFA tokens, financial data, and more.
It is commonly used in APT campaigns, ransomware deployments, and credential harvesting operations.
Phishing leverages human psychology rather than technical exploits, making it highly effective against organizations even with the strongest security measures.
How does a Phishing attack work? Attack Life-Cycle
Recon - Attackers gather data from social media websites, the company webpage, etc.
Weaponization - Attacker crafts a malicious payload (could be a link to a fake login page or a weaponized attachment).
Delivery - Email (most common), SMS (Smishing), VoIP (Vishing), social media, or collaboration tools (Teams, Slack).
Exploitation : Victim clicks link, enters credentials or opens attachment, triggering malicious behavior.
Installation/Action on Objectives : Credential theft, session hijack, ransomware delivery, or privilege escalation follows.
Credentials may be sold on darknet markets or reused in lateral movement.
Types of Phishing attacks :
1) Spear Phishing : Highly targeted, focused on a single victim. The attacker tailors the email to a specific individual using personal/company info collected during the recon phase.
Sources of info : data from earlier breaches, social media websites
2) Whaling : Targets C-level executives. Usually disguised as urgent business communication or legal threats.
3) Clone Phishing : The attacker clones a legitimate, previously sent mail but swaps the original links/attachments with malicious ones.
4) Vishing (Voice Phishing) : The attacker calls targets pretending to be tech support, a bank rep, etc. and tries to gain the victim's trust using information collected during recon.
Often used to obtain OTPs, MFA tokens, run scams, etc.
5) Smishing (SMS Phishing) : Attackers use SMS to deliver payloads. Messages are crafted to impersonate delivery alerts, bank transaction alerts, password resets, etc.
6) Pharming : The attacker modifies the DNS cache or sets up a rogue DNS server, redirecting victims to malicious payloads.
7) Angler Phishing : The attacker uses fake social media profiles and customer support channels to lure victims.
Phishing Techniques :
1) Email spoofing : Faked email headers to look legit.
2) HTML Smuggling : Payload encoded in JS or HTML; evades filters
3) Link Shortening : Masks malicious URLs
4) Fake Login Pages : Clones of legit websites but with malicious links/attachments
5) Attachment based attacks : weaponized Excel/Word/zip files
6) Captcha bypass : Real CAPTCHA(s) are displayed to appear legit before the phishing page.
7) Delayed redirection : the payload activates after a delay of minutes/hours/days
Analyzing Phishing mails as a SOC Analyst :
1) Alert Intake : Phishing alerts are generated by - Email security gateways (e.g. Proofpoint, Mimecast, etc.), SIEM platforms, user reports (via a Phish Alert button or ticketing system)
2) Content Inspection :
Look for social engineering triggers such as urgent language, finance-related terms (gift cards, invoice, payment, reward, etc.) and credential request phrasing; check language, tone and grammar inconsistencies
3) Header Analysis
Key fields to be checked : Return-path, Reply-to, From
IP reputation (via AbuseIPDB, VirusTotal, etc.)
Authentication Status (DKIM, DMARC, SPF)
X-Originating-IP for tracing sender location
4) URL & Attachment Analysis
- Extract any links/attachments from the email and check their reputation on Threat Intel platforms like AbuseIPDB, VirusTotal, etc.
- Run attachments in a sandboxed environment and monitor for any anomaly. Tools to use here : Any.run, Cuckoo Sandbox or any other similar platform
- Deobfuscate shortened or encoded URLs
5) Endpoint & User Correlation
- Check endpoint logs for any link clicks (proxy logs, firewall)
- Attachment execution (EDR)
- Auth events from strange geolocations (Azure AD, Okta, VPN logs)
6) Verdict & Response
Benign : No action
Alert marked as : False Positive
Example: Marketing email with suspicious-looking link but legitimate sender
Suspicious : Quarantine, notify user and monitor
Alert marked as : False Positive ( alert generated = true, attack happened = no)
Malicious : Contain the compromised endpoints, Block domains/IPs in firewall/email filtering gateways, Report indicators to threat intel platforms, generate IOC rules to fine tune the security system.
Alert marked as : True Positive
7) Documentation
- Alert Summary
- Email Metadata
- Technical Analysis
- Impact Assessment
- Response Actions
- Conclusion
- Artifact Links/Attachments
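As an added example (not part of the original post), a small Python triage helper that automates the header and URL checks from steps 2 to 4 above on a constructed sample message: it compares the Return-Path and Reply-To domains against From, reads the SPF/DKIM/DMARC results from Authentication-Results, pulls X-Originating-IP, extracts URLs from the body, flags known shortener hosts that must be expanded before a reputation lookup, and lists the social engineering trigger words found. The sample message, the shortener list and the trigger word list are assumptions and meant to be extended; reputation and sandbox lookups stay manual.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real phishing email): mismatched sender fields, failed auth.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
X-Originating-IP: [203.0.113.45]
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: help@bank-secure-login.example
Subject: URGENT: verify your account to avoid suspension
Content-Type: text/html

<p>Your payment is on hold. <a href="https://bit.ly/3xyzabc">Verify now</a> or reply with your OTP.</p>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # assumed list, non-exhaustive
TRIGGERS = ("urgent", "verify", "otp", "payment", "invoice", "gift card", "reward")

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    hdr = lambda name: str(msg.get(name, ""))
    from_addr, reply_to, return_path = (parseaddr(hdr(h))[1]
                                        for h in ("From", "Reply-To", "Return-Path"))
    auth = dict(AUTH_RE.findall(hdr("Authentication-Results")))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    urls = URL_RE.findall(text)
    findings = []
    for label, addr in (("Reply-To", reply_to), ("Return-Path", return_path)):
        if addr and domain_of(addr) != domain_of(from_addr):
            findings.append(f"{label} domain {domain_of(addr)} differs from From domain")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({auth.get(mech, 'missing')})")
    for url in urls:  # shortened links must be expanded before any reputation check
        if url.split("//", 1)[1].split("/", 1)[0].lower() in SHORTENERS:
            findings.append(f"shortened URL: {url}")
    if hits := [t for t in TRIGGERS if t in (hdr("Subject") + " " + text).lower()]:
        findings.append("social engineering triggers: " + ", ".join(hits))
    return {"from": from_addr, "reply_to": reply_to, "return_path": return_path,
            "origin_ip": hdr("X-Originating-IP").strip("[]"), "auth": auth,
            "urls": urls, "findings": findings}
```

Feed it the raw `.eml` text of a reported message; the returned findings map directly onto the Technical Analysis part of the documentation step.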