How to Investigate a Phishing Email: A Step-by-Step Guide for SOC Analysts
Why Phishing Investigation Matters
Phishing remains the number one initial access vector for cyberattacks. According to industry reports, 91% of cyberattacks begin with a phishing email. Yet most security teams still rely on ad-hoc investigation methods β checking a few headers here, running a URL through VirusTotal there, and hoping they catch everything.
The cost of getting it wrong is significant. Business Email Compromise (BEC) attacks alone cost organisations an average of $2.73 million per incident in 2024. And the gap between detecting a phishing email and properly investigating it is where most organisations fail.
The 10-Phase Investigation Workflow
A structured phishing investigation follows a logical sequence. Each phase builds on the findings of the previous one, ensuring nothing is missed.
Phase 1: Initial Triage & Classification
Before diving into technical analysis, you need to assess the basics. When was the email received? Who reported it? Has anyone clicked on links or opened attachments? This initial triage determines your investigation priority and scope.
Key questions to answer:
- When was the email received and reported?
- How many recipients received the same email?
- Has anyone interacted with the email (clicked links, opened attachments, replied)?
- What is the claimed sender and subject?
Phase 2: Email Header Analysis
Email headers are the forensic backbone of any phishing investigation. They reveal the true origin of an email, the path it took to reach the recipient, and whether the sender is who they claim to be.
The critical rule: Always read the Received headers from bottom to top. The bottom-most Received header was added by the first server to handle the email β this is closest to the actual sender.
Key headers to examine:
- From vs Return-Path vs Reply-To β Do they match? Mismatches are a strong indicator of spoofing or redirection.
- Message-ID domain β Does it match the From domain? Legitimate emails generate Message-IDs on the sending domain.
- X-Originating-IP β The IP address of the original sender, if present.
Phase 3: Authentication Verification (SPF, DKIM, DMARC)
Email authentication is your first line of defence against spoofing. Understanding SPF, DKIM, and DMARC results tells you whether the sending server was authorised to send on behalf of the claimed domain.
SPF (Sender Policy Framework) checks whether the sending IP is listed in the domain's DNS SPF record. A pass means the IP is authorised; a fail means it is not.
DKIM (DomainKeys Identified Mail) verifies a cryptographic signature in the email header. A pass means the email content has not been tampered with since it left the signing server.
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together with a policy. It checks alignment β whether the domain in the From header matches the domains verified by SPF and DKIM.
Phase 4: URL & Link Analysis
Phishing emails almost always contain malicious URLs. The challenge is that attackers use multiple layers of obfuscation to hide the true destination.
Safe analysis techniques:
- Never click links directly. Extract URLs from the email source.
- Decode URL encoding β Convert %xx sequences to readable characters.
- Expand shortened URLs β Use tools like URLScan.io to safely preview the destination.
- Check reputation β Run URLs through VirusTotal, Google Safe Browsing, and PhishTank.
- Sandbox the URL β Use Any.Run or Hybrid Analysis to safely visit the page in a controlled environment.
Phase 5: Attachment Analysis
File attachments are the second most common payload delivery mechanism in phishing attacks. Different file types carry different risk levels.
High-risk file types: .exe, .scr, .bat, .cmd, .ps1, .vbs, .js, .wsf, .hta Medium-risk file types: .docm, .xlsm, .pptm (macro-enabled Office files), .pdf, .zip, .rar Lower-risk file types: .docx, .xlsx, .pptx (without macros), .txt, .csv
Analysis steps:
- Check the file hash against VirusTotal and other threat intelligence platforms.
- Inspect the file name β Look for double extensions (e.g., invoice.pdf.exe) or Unicode tricks.
- Sandbox the file β Upload to Any.Run or Hybrid Analysis for dynamic analysis.
Phases 6β10: Completing the Investigation
The remaining phases cover sender reputation assessment (domain age, WHOIS data, blacklist checks), content and social engineering analysis (identifying manipulation techniques), IOC extraction (documenting all Indicators of Compromise), verdict and escalation (risk scoring and containment decisions), and post-investigation actions (lessons learned and detection rule creation).
Tools You Need (All Free)
One of the most common barriers to structured phishing investigation is the assumption that you need expensive tools. You don't. Every tool referenced in a professional investigation workflow is freely available:
| Tool | Purpose | URL |
|---|---|---|
| VirusTotal | File/URL/IP reputation | virustotal.com |
| MXToolbox | Email header analysis, DNS lookups | mxtoolbox.com |
| URLScan.io | Safe URL preview and analysis | urlscan.io |
| Any.Run | Interactive malware sandbox | any.run |
| AbuseIPDB | IP reputation database | abuseipdb.com |
| Talos Intelligence | IP/domain reputation | talosintelligence.com |
| PhishTank | Phishing URL database | phishtank.org |
| Google Safe Browsing | URL safety check | safebrowsing.google.com |
| Shodan | Internet-connected device search | shodan.io |
| Have I Been Pwned | Breach data lookup | haveibeenpwned.com |
Building Your Investigation Documentation
Every investigation should produce a documented trail. This serves three purposes:
- Evidence for escalation β When you need to brief management or legal, you have a structured evidence package.
- Pattern recognition β Over time, your investigation logs reveal attack patterns and repeat offenders.
- Compliance β Many frameworks (ISO 27001, NIST CSF, SOC 2) require documented incident investigation procedures.
A well-structured investigation log tracks the email metadata, authentication results, URL analysis findings, attachment analysis results, IOC list, risk score, and final verdict β all in one place.
Getting Started
Whether you're a junior SOC analyst handling your first phishing alert or a seasoned security professional looking to standardise your team's process, having a structured investigation workflow transforms ad-hoc responses into professional, repeatable investigations.
The key is consistency. Every phishing email gets the same structured treatment. Every investigation produces the same documentation. Every verdict is backed by evidence.
The Phishing Investigation Toolkit [blocked] from Cyber121 provides the complete 10-phase workflow as a 52-page playbook, a 5-sheet Excel investigation log with auto-calculated risk scores, and a printable quick reference card. Download the free cheat sheet [blocked] to get started.
The Cyber121 team creates practical cybersecurity resources for professionals.