Advanced email phishing analysis: SOC investigation workflow

Discover how SOC security teams can investigate phishing emails using advanced methods beyond automated tools.

Phishing attacks, especially those using email services, remain the primary method used by cybercriminals to break into even the best-secured organizations. Most cyberattacks start with a phishing email. With the rise of generative AI technology and its availability, cybercriminals can create phishing emails that are harder to spot.

Phishing emails use different tactics. Some contain malicious links that lead victims to fake login pages to steal their credentials. Others have harmful attachments that install malware when opened. Some use social engineering tricks to manipulate recipients into sending money or revealing sensitive information. Recent campaigns have taken advantage of AI-generated content to create convincing emails impersonating CEOs, fake invoice notifications from trusted vendors, and complex business email scams targeting finance departments.

Traditional email security filters struggle against these upgraded threats. Attackers now use techniques like hosting harmful content on legitimate cloud services, employing URL shorteners to hide true destinations, and crafting messages that seem relevant and real.

Phishing email SOC investigation workflow

Suppose you have just received an alert about a suspicious email, the email does not look malicious at first sight; however, you spot some anomalies that are worth further investigation.

The first thing we need to do is to perform a basic check and preserve the email for analysis.

The initial triage & preservation

The first thing we need to do is to avoid engaging with the email, such as clicking on links, opening attachments or replying to it. We should also avoid enabling macros in the attachment if it contains an MS Office file.

Now we need to export the original email as an .eml or .msg file to preserve a clear copy of it. You can use the "Save As" or "Download" function within your email client to download the email in this format.

To view the email header, which is a digital log of the email journey from its sender to your inbox, you need to access the "More actions", "Show original" or "View Source" option within your email client. This will display the full header information, which includes details like sender, recipient, timestamps, and routing information. 

It is worth noting that all subsequent steps of analyzing URL and attachments in this guide should be performed in an isolated environment to avoid infecting your production system with malware.

Inspect sender & domain analysis

The first thing we need to do is to verify sender authenticity by checking the following:

SPF, DKIM, DMARC Check

Did the email pass or fail these checks? These three email authentication methods verify sender identity and are critical indicators in phishing investigations.

Sender Policy Framework (SPF) allows domain owners to specify which mail servers are authorized to send emails on their behalf. Attackers often fail SPF checks when spoofing legitimate domains from unauthorized servers.

Domain Keys Identified Mail (DKIM) is a digital signature from domain owners that allows them to sign all emails sent from their domain name. The DKIM "signature" is a digital signature that uses cryptography to mathematically verify that the email came from the domain.

Domain-based Message Authentication Reporting and Conformance (DMARC) instructs a receiving email server on what to do based on the results after checking SPF and DKIM. A domain's DMARC policy can be configured in a variety of ways. For example, it can instruct mail servers to quarantine emails that fail SPF or DKIM, to reject such emails, or to deliver them to the final destination.

Failed authentication checks often indicate spoofed sender addresses, compromised accounts, or emails originating from malicious infrastructure. However, some legitimate emails may fail due to forwarding or configuration issues, requiring additional context for accurate analysis.

There are different tools to check for SPF, DKIM, and DMARC records:

• MxToolbox
• Dmarcian
• DMARC Analyzer
• Kitterman SPF Checker
• DKIM Core
• OpenDMARC project – Open source tool

Domain and IP reputation check

Now, we need to query the sender's domain and originating IP address against multiple intelligence sources, such as:

• VirusTotal (URL and Search tabs): Aggregates data from a large number of security vendors.
• AbuseIPDB: Critical for checking if an IP has been reported for hacking attempts or other malicious activity.
• Cisco Talos Intelligence: Excellent reputation lookup. You can search by IP, domain name, URL or file hashes.
• IPVoid: Provide a range of IP tools to discover details about IP addresses.

WHOIS & domain history

By inspecting the phishing email sender domain name, we can gather critical intelligence:

• Domain ownership & registrant details – This includes registrant name, organization, email address, phone number, and mailing address. This information helps link a domain name to a specific person, organization, or threat actor.
• Registrar & registration data – Registrar name (e.g., GoDaddy, Namecheap) and reseller information if the domain was registered through a third-party provider.
• Important dates – Creation date can indicate if the domain is newly registered, which is common in phishing campaigns. Expiration date and last updated date may suggest recent changes such as ownership transfers or contact modifications.
• NS records – These reveal the DNS provider. Dynamic DNS services, free hosting providers, or obscure DNS services often indicate suspicious activity. NS records also enable pivoting to other domains using the same nameservers.
• Registrant's IP infrastructure – WHOIS records may contain IP ranges or ASN (Autonomous System Number) of the registrar or hosting provider.
• WHOIS privacy protection – While privacy services hide registrant details, the proxy provider information remains visible. Privacy protection on newly registered domains often signals suspicious intent.
• WHOIS history – Historical data reveals previous registrants, email addresses, organizations, and ownership changes that may indicate domain takeovers or cybersquatting.
• Technical indicators – Free webmail services used to register corporate domains and typosquatting patterns (recently registered domains mimicking legitimate brands) provide additional investigation leads.

Inspect subject line & content intent

The email subject line and content reveal "What is this email trying to make the user do, and how convincingly does it do it?". Focus on these key areas:

• Psychological manipulation – Does the sender use psychological triggers to convince the recipient to act immediately without thinking? Identify markers of urgency, fear, curiosity, or authority (e.g., "Urgent: Action Required on Your Account," "Invoice Overdue," "Your Package Delivery," "CEO Request", "Account deactivated soon").
• Brand impersonation – How does this email attempt to mimic a real company such as Microsoft, Google, or DHL? Examine logos, footer links, and sender name spoofing techniques.
• Language quality – Check for grammatical and spelling errors, many phishing campaigns are crafted by non-native speakers.
• Greeting analysis – Generic greetings like "Dear Customer" are red flags because attackers commonly send the same email to large recipient lists. However, personalized greetings using the recipient's real name could indicate a spear phishing attempt targeting specific individuals.

Inspect email body & URL analysis

The goal in this step is to know the actual destination of every URL included in the email body. It is worth noting that even the "Unsubscribe" link in the footer of the email should be inspected as well.
For each URL, hover over the text and see if the destination matches the linked text. We can also use free online services to reveal the actual destination, such as:

• Link Checker
• Redirect Detective
• CheckShortURL

Now, we need to perform dynamic URL analysis (Sandboxing), by clicking over the URL in a sandbox to see what it does: does it redirect? Does it download a file? Does it host a fake login page? We can use services such as: urlscan.io, Any.run and Joe Sandbox for this purpose. 

Inspect attachment & file hash analysis

The goal in this phase is to check whether this file is malicious and what it will do if we execute it. 

We should execute static and dynamic analysis on email attachments:

Static analysis

• Identify file type and extension. For example, invoice.pdf.exe is disguised as a PDF file while it is an executable file. We should consider checking the file signature, not just its extension. You can see a list of file signatures on GCK'S FILE SIGNATURES TABLE. There are free online services for checking file type based on its signature. Filext and Checkfiletype are examples.
• Generate the MD5, SHA-1, and SHA-256 hashes of the file. These are unique fingerprints for each file. Now, query the hashes against malware databases such as: VirusTotal and Hybrid Analysis.

Dynamic analysis

Execute the file in a controlled, isolated environment to observe its behavior. We are looking here for file system changes (files created/modified), registry edits, network connections (beacons to C2 servers), and processes spawned.

There are different tools to perform dynamic analysis; here are the most prominent ones:

• Joe Sandbox
• Cuckoo Sandbox
• Hybrid Analysis

Effective phishing email investigation requires a systematic approach combining technical analysis with behavioral assessment. By following this workflow—from initial preservation through sender verification, content analysis, and attachment examination—SOC analysts can accurately identify threats and understand attack methodologies. Remember to always conduct URL and attachment analysis in isolated environments. Mastering these investigation techniques strengthens organizational defenses against increasingly sophisticated email-based attacks.