T1566 Phishing Triage
A step-by-step SOC playbook for triaging reported phishing emails — intake to decision in 15 minutes, with email header analysis, URL sandboxing, attachment scanning, detection queries, and clear escalation criteria.
What This Playbook Covers
- This playbook handles the most common SOC intake: a user reports a suspicious email via the phishing report button, a forwarded message to phish@company.com, or a ticket from the help desk.
- Goal: triage each submission and reach one of three dispositions within 15 minutes:
  1. Benign: legitimate marketing, newsletter, or internal communication the user misidentified.
  2. Phishing Simulation: company-run phishing test. Record that the user reported it correctly (or failed to report it).
  3. Malicious: real phishing attack targeting the organization. Escalate.
- MITRE ATT&CK maps phishing to T1566 (Phishing) with sub-techniques T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), and T1566.003 (Spearphishing via Service).
Phase 1: Intake and Quick Filter (0-5 minutes)
Email Metadata — Find the Headers
Extract the raw email headers (use OSINT Tools for automated header analysis). All the critical information is here:
| Header Field | What It Tells You | Suspicious Indicator |
|---|---|---|
| From | Display name and email address | Display name of executive, but email is external (e.g., ceo@gmail.com) |
| Reply-To | Where replies actually go | Different from From address — attacker intercepts replies |
| Return-Path | Bounce address | Different from From — SPF failure is likely |
| Received chain | Mail server route | First Received from an unknown IP, or hop count doesn’t match |
| Message-ID | Unique email ID | Format or domain doesn’t match the claimed sender domain |
| DKIM-Signature | Cryptographic signature of the email | dkim=fail — email was tampered with or forged |
| SPF (via Received-SPF) | Authorization of sending server | spf=fail — sending server is not authorized for this domain |
| DMARC (via Authentication-Results) | Policy for SPF/DKIM failure | dmarc=fail — email failed both SPF and DKIM authentication |
The authentication fields map directly to SPF and DKIM — when these fail, the email is almost certainly forged.
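As an added, runnable illustration of the header checks in the table above (this is example code, not part of the original playbook), the following Python script parses a constructed .eml with the standard library, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results, and flags Reply-To, Return-Path and Message-ID domains that differ from the From domain, plus an executive display name on an external address. The sample messages, the internal domain `company.example` and the executive keyword list are assumptions made for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real message): executive display name on an external
# mailbox, Reply-To and Return-Path on a third domain, SPF and DMARC failures.
SUSPECT_EML = b"""\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.net (mx.example.net [198.51.100.7])
    by mail.company.example with ESMTP id ABC123
Authentication-Results: mail.company.example;
    spf=fail smtp.mailfrom=mailer.example.net;
    dkim=none (message not signed);
    dmarc=fail header.from=gmail.example
Message-ID: <20240301.1234@mailer.example.net>
From: "Jane Doe, CEO" <ceo.jane.doe@gmail.example>
Reply-To: <payments@mailer.example.net>
To: <analyst@company.example>
Subject: Urgent password reset

Please reset your password here.
"""

# Constructed internal message with passing authentication, for contrast.
CLEAN_EML = b"""\
Return-Path: <jane.doe@company.example>
Authentication-Results: mail.company.example;
    spf=pass smtp.mailfrom=company.example;
    dkim=pass header.d=company.example;
    dmarc=pass header.from=company.example
Message-ID: <20240301.5678@company.example>
From: "Jane Doe" <jane.doe@company.example>
To: <analyst@company.example>
Subject: Q2 planning

See you at 3pm.
"""

# Assumption: words that mark an "executive" display name; tune to the organisation.
EXEC_WORDS = re.compile(r"\b(ceo|cfo|coo|cto|chief|president|director)\b", re.I)
FAIL_RESULTS = {"fail", "softfail", "permerror", "temperror"}


def domain_of(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect the spf/dkim/dmarc verdicts from every Authentication-Results header."""
    text = " ".join(msg.get_all("Authentication-Results", []))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)}


def triage_headers(raw, internal_domain):
    """Run the Phase 1 header checks on a raw RFC 5322 message and return the findings."""
    msg = email.message_from_bytes(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = domain_of(from_addr)
    msgid_dom = domain_of(msg.get("Message-ID", "").strip().strip("<>"))
    findings = []
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}")
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path domain {domain_of(return_path)} differs from From domain {from_dom}")
    if msgid_dom and msgid_dom != from_dom:
        findings.append(f"Message-ID domain {msgid_dom} does not match From domain {from_dom}")
    if EXEC_WORDS.search(name) and from_dom != internal_domain.lower():
        findings.append(f"executive display name '{name}' on external address {from_addr}")
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) in FAIL_RESULTS:
            findings.append(f"{mech}={auth[mech]}")
    return {"from": from_addr, "display_name": name, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EML), ("clean", CLEAN_EML)):
        result = triage_headers(raw, "company.example")
        print(label, result["auth"], *result["findings"], sep="\n  ")
```

The script only reads headers that the receiving gateway added; Authentication-Results written by an untrusted upstream hop should be ignored, so in production filter on the `authserv-id` (the first token, `mail.company.example` here) before trusting a verdict.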
SPL query — search for phishing emails sent to other users from same sender/domain:
```spl
index=email sourcetype=email_security
| search sender_address="*@attacker-domain.com" OR from_domain="attacker-domain.com"
| stats min(_time) as first_seen, count, values(recipient_addresses) as recipients by sender_address, subject
| where count > 1
| eval alert = "HIGH — same sender sent phishing emails to " . mvjoin(recipients, ", ")
| table first_seen, sender_address, subject, count, recipients, alert
```
Quick Checks
| Check | What to Look For | Benign | Phishing |
|---|---|---|---|
| SPF/DKIM/DMARC | Authentication status | All pass | One or more fail |
| Display name vs actual address | Mismatch | Match | HR Department <h4ck3r@evil.com> |
| Known phishing URL | URL reputation in VT/URLScan | Clean | Blocked, malicious, or suspicious |
| Attachment hash | File hash in VirusTotal | Clean or known-good | Detected as malware |
| Subject unusual | Urgency, threats, gifts | Normal business | “Urgent password reset”, “Your account will be suspended”, “You won a gift card” |
Phase 2: URL and Attachment Analysis (5-10 minutes)
URL Analysis
Extract URLs from the email body:
```bash
# Extract all URLs from an email file. The character class includes & and #
# so query strings and fragments are not cut short. Decode base64 or
# quoted-printable bodies first, or encoded URLs will be missed.
grep -oE 'https?://[A-Za-z0-9./?=_%:&#-]*' email.eml
# Look for link-related keywords that may hide obfuscated or encoded URLs
grep -iE '(href|http|url|link|click|redirect)' email.eml
```
Common obfuscation techniques to check for:
| Obfuscation | Example | How to Detect |
|---|---|---|
| Legitimate domain + subdomain | https://legitimate.com.security.evil.com/ | Check the real domain (rightmost part before TLD) |
| URL shortener | bit.ly/3xYzAbc | Expand with curl -I or unshorten tool |
| Homoglyph characters | g00gle.com (zero instead of O) | Visually inspect or use a homoglyph detector |
| Redirect on legitimate domain | https://legitimate.com/redirect?url=evil.com | Check the redirect parameter target |
| Base32/Base64 encoded URL | Encoded in the email body | Decode with base64/base32 utility and check the result |
| QR code phishing (QRishing) | QR in attached image | Extract and scan with QR reader in sandbox |
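The following Python script is an added example (not code from the original playbook) that applies the detection column of the table above to URLs extracted from a constructed email body: brand names embedded in a subdomain, digit-for-letter homoglyphs, URL shorteners, redirect parameters that carry another host, and Base64-encoded URLs hidden in the text. The brand watchlist, shortener list and homoglyph map are assumptions; the registrable-domain helper takes the last two labels, which is a simplification (a production tool would consult the Public Suffix List). The QR-code row is not covered, since it needs an image decoder.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Assumptions for the example: domains the organisation wants to protect,
# common shorteners, and digit-to-letter substitutions used in lookalikes.
WATCHLIST = {"legitimate.com", "google.com", "company.example"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample body (not a real phish) exercising each table row.
SAMPLE_BODY = (
    "Dear user, verify your account:\n"
    "https://legitimate.com.security.evil.com/\n"
    "https://g00gle.com/login\n"
    "https://legitimate.com/redirect?url=evil.com\n"
    "https://bit.ly/3xYzAbc\n"
    "https://vendor.example/news?id=42\n"
    "Backup link: " + base64.b64encode(b"https://evil.example/login").decode() + "\n"
)


def registrable_domain(host):
    """Last two labels of the host (simplification; real tools use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_urls(text):
    """All http(s) URLs in the text, de-duplicated, in order of appearance."""
    return list(dict.fromkeys(URL_RE.findall(text)))


def analyze_url(url):
    """Return the obfuscation indicators found in one URL (empty list = none)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    findings = []
    if host in SHORTENERS:
        findings.append("url shortener: expand in a sandbox before visiting")
    for brand in WATCHLIST:
        if reg == brand:
            continue  # the real brand domain, nothing to flag for this brand
        if brand in host:
            findings.append(f"brand {brand} embedded in host, real domain is {reg}")
        elif registrable_domain(host.translate(HOMOGLYPHS)) == brand:
            findings.append(f"homoglyph of {brand}: {reg}")
    for key, value in parse_qsl(parts.query):
        # A query value that looks like a URL or host is a redirect target.
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", value, re.I):
            findings.append(f"redirect parameter {key}={value}")
    return findings


def find_encoded_urls(text):
    """Decode Base64 runs in the text and keep those that decode to a URL."""
    found = []
    for cand in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(cand, validate=True)
        except (binascii.Error, ValueError):
            continue
        if decoded.startswith((b"http://", b"https://")):
            found.append(decoded.decode("ascii", "replace"))
    return found


def triage_body(text):
    """Per-URL findings plus any URLs hidden in Base64 text."""
    return {"urls": {u: analyze_url(u) for u in extract_urls(text)},
            "encoded_urls": find_encoded_urls(text)}


if __name__ == "__main__":
    for url, findings in triage_body(SAMPLE_BODY)["urls"].items():
        print(url, findings or "clean")
    print("encoded:", find_encoded_urls(SAMPLE_BODY))
```

Nothing here fetches a URL; the shortener row is reported for manual expansion in a sandbox rather than resolved from the analyst workstation.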
Attachment Analysis
| Attachment Type | Suspicious Indicator | Analysis Tool |
|---|---|---|
| .pdf | Contains embedded URL or JavaScript | pdfinfo, pdfid.py, peepdf |
| .docx / .xlsx | Contains macros | olevba, oledump |
| .html | Contains JavaScript redirect or credential form | View source, check for document.write(), window.location |
| .iso / .img | Disk image — often used to bypass email attachment filters | Mount in sandbox, check contents |
| .lnk | Shortcut to remote script | Check target path and arguments |
| .url | Link file pointing to malicious URL | Open with notepad — check URL value |
| .zip / .7z / .rar | Password-protected archive (password in email body) | Extremely suspicious — request password if urgent, otherwise detonate |
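As an added example that is not part of the original playbook, the Python script below builds a constructed sample message with two attachments, then does the first pass an analyst would do before detonation: hashes each attachment for the VirusTotal lookup, flags the risky extensions from the table, lists the contents of a zip without extracting it, and detects the "password-protected archive with the password in the body" pattern from the zip's encryption flag bit. The sample zip is a normal stored zip whose header flag bit is patched so that it reads as encrypted; the attachment contents, addresses and extension list are assumptions made for the example, and .7z/.rar need a third-party library so only .zip is inspected.

```python
import email
import hashlib
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: extensions this SOC treats as risky regardless of content.
RISKY_EXT = {".html", ".htm", ".iso", ".img", ".lnk", ".url", ".js", ".vbs",
             ".exe", ".scr", ".docm", ".xlsm"}


def make_sample_eml():
    """Constructed sample (not a real phish): a zip marked password-protected
    that contains a .lnk, plus an .html attachment, with the password in the body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.lnk", b"not a real shortcut")
    data = bytearray(buf.getvalue())
    # Set general-purpose flag bit 0 ("encrypted") in the local file header
    # (offset 6) and the central directory entry (offset 8). The data itself
    # stays unencrypted; only the directory is read below.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = data.find(sig)
        data[i + off:i + off + 2] = (1).to_bytes(2, "little")
    msg = EmailMessage()
    msg["From"] = "billing@evil-domain.example"
    msg["To"] = "analyst@company.example"
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Invoice attached. Archive password: 1234")
    msg.add_attachment(bytes(data), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"<script>window.location='https://evil-domain.example/'</script>",
                       maintype="text", subtype="html", filename="secure-doc.html")
    return msg.as_bytes()


def analyze_attachments(raw):
    """Hash every attachment and record the suspicious indicators from the table."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().lower() if body else ""
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        item = {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data), "flags": []}
        if ext in RISKY_EXT:
            item["flags"].append(f"risky attachment type {ext}")
        if ext == ".zip":
            try:
                entries = zipfile.ZipFile(io.BytesIO(data)).infolist()
            except zipfile.BadZipFile:
                item["flags"].append("unreadable zip (corrupt or not a zip)")
                entries = []
            for zi in entries:
                if zi.flag_bits & 0x1:  # bit 0 = entry is encrypted
                    item["flags"].append(f"password-protected entry {zi.filename}")
                if os.path.splitext(zi.filename.lower())[1] in RISKY_EXT:
                    item["flags"].append(f"archive contains risky file {zi.filename}")
            if entries and "password" in body_text:
                item["flags"].append("archive password supplied in email body")
        report.append(item)
    return report


if __name__ == "__main__":
    for item in analyze_attachments(make_sample_eml()):
        print(item["name"], item["size"], item["sha256"][:16], item["flags"])
```

Listing the zip directory never inflates or executes anything, so it is safe on the analyst workstation; the hashes go to VirusTotal, and anything flagged here goes to the sandbox.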
Phase 3: Threat Intelligence Checks (10-12 minutes)
Check the Sender Domain
```bash
# Check domain reputation and mail configuration
whois attacker-domain.com
dig attacker-domain.com mx
dig attacker-domain.com txt            # SPF record, if any
dig _dmarc.attacker-domain.com txt     # DMARC policy, if any
# Check for recently registered domain (label varies by registry)
whois attacker-domain.com | grep -iE "creation date|created"
# Domains registered < 30 days ago are highly suspicious
```
Check URLs Against Threat Intelligence
| Service | What It Does | When to Use |
|---|---|---|
| VirusTotal URL | Scans URL against 70+ scanners | First check — fastest |
| URLScan.io | Takes a screenshot of the rendered page | Want to see what the victim would see |
| AbuseIPDB | Check IP reputation | Phishing site is hosted on an IP, not a domain |
| PhishTank | Community-vetted phishing URLs | Check if this URL is already reported |
| Google Safe Browsing | Real-time phishing URL blocking | Check with curl — https://safebrowsing.googleapis.com/... |
Phase 4: SIEM Correlation (12-15 minutes)
Check if Other Users Received the Same Email
SPL query — find other recipients of the same phishing email (run in Splunk):
```spl
index=email sourcetype=email_security
| search subject="*URGENT*Password*Reset*" OR subject="*Invoice*Overdue*" OR sender_address="*@evil-domain.com"
| stats min(_time) as first_seen, dc(recipients) as recipient_count, values(recipients) as recipients by subject, sender_address, sender_ip
| where recipient_count > 1
| eval alert = "MULTIPLE RECIPIENTS — " . recipient_count . " users received phishing email from " . sender_address . " with subject '" . subject . "'"
| table first_seen, sender_address, sender_ip, subject, recipient_count, recipients, alert
```
Check if Any Recipient Clicked the Link
SPL query — correlate email events with proxy/web events:
```spl
index=proxy sourcetype=access_combined
| search dest_domain="evil-domain.com" OR dest_ip="ATTACKER_IP"
| eval user = coalesce(username, client_ip)
| stats min(_time) as first_click, count, values(url) as URLs, values(dest_domain) as Domains by user
| table first_click, user, count, URLs, Domains
```
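The two SPL queries above answer "who else got it" and "who clicked" separately; the Python script below is an added example (not from the original playbook) that performs the same correlation offline over constructed gateway and proxy exports, joining each recipient's delivery time to their proxy hits on the malicious domain. It also separates hits that occur before delivery, which are usually a link scanner or a clock problem rather than a user click. The CSV column names, addresses and timestamps are constructed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample exports (not real logs): email-gateway and web-proxy CSVs.
EMAIL_LOG = """\
time,sender,recipient,subject,url
2024-03-01T09:00:00,billing@evil-domain.example,alice@company.example,URGENT Password Reset,https://evil-domain.example/login
2024-03-01T09:00:05,billing@evil-domain.example,bob@company.example,URGENT Password Reset,https://evil-domain.example/login
2024-03-01T09:01:10,news@vendor.example,carol@company.example,Monthly newsletter,https://vendor.example/news
"""

PROXY_LOG = """\
time,user,dest_domain,url,status
2024-03-01T08:55:00,bob,evil-domain.example,https://evil-domain.example/,200
2024-03-01T09:03:12,alice,evil-domain.example,https://evil-domain.example/login,200
2024-03-01T09:10:00,carol,vendor.example,https://vendor.example/news,200
2024-03-01T11:20:00,bob,evil-domain.example,https://evil-domain.example/login,200
"""


def parse_log(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def other_recipients(email_rows, sender_domain):
    """Step 1: every mailbox that received mail from the suspect sender domain."""
    suffix = "@" + sender_domain.lower()
    return sorted({r["recipient"] for r in email_rows
                   if r["sender"].lower().endswith(suffix)})


def correlate_clicks(email_rows, proxy_rows, sender_domain, malicious_domain):
    """Step 2: join each recipient's earliest delivery time with proxy hits on
    the malicious domain. Hits at or after delivery count as clicks; earlier
    hits are reported separately for the analyst to explain."""
    suffix = "@" + sender_domain.lower()
    delivered = {}  # short username -> earliest delivery time
    for r in email_rows:
        if r["sender"].lower().endswith(suffix):
            user = r["recipient"].split("@")[0]
            t = datetime.fromisoformat(r["time"])
            delivered[user] = min(delivered.get(user, t), t)
    clicked, pre_delivery = {}, {}
    for p in proxy_rows:
        user = p["user"]
        if p["dest_domain"].lower() != malicious_domain.lower() or user not in delivered:
            continue
        hit = datetime.fromisoformat(p["time"])
        bucket = clicked if hit >= delivered[user] else pre_delivery
        bucket.setdefault(user, []).append(p["time"])
    return {"delivered_to": sorted(delivered), "clicked": clicked,
            "pre_delivery": pre_delivery}


if __name__ == "__main__":
    emails, proxies = parse_log(EMAIL_LOG), parse_log(PROXY_LOG)
    print("recipients:", other_recipients(emails, "evil-domain.example"))
    print(correlate_clicks(emails, proxies, "evil-domain.example", "evil-domain.example"))
```

The join key here is the mailbox local part against the proxy username; in a real environment map both to the identity provider's user id first, since proxy logs frequently carry only a client IP (the `coalesce(username, client_ip)` in the SPL above handles the same gap).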
Phase 5: Disposition and Escalation (15 minutes)
Decision Matrix
| Finding | Disposition | Action |
|---|---|---|
| SPF/DKIM/DMARC all pass. URL is legitimate. No attachment. | BENIGN | Close ticket. Notify user it was benign. |
| SPF/DKIM/DMARC all pass. Known company test platform URL. | SIMULATION | Record user behavior (reported = good). Close. |
| SPF fail. URL is malicious on VirusTotal. | MALICIOUS — PHISHING | Block sender domain at email gateway. Remove from all user inboxes. Begin incident response. |
| SPF pass (compromised legitimate account). URL redirects to credential harvester. | MALICIOUS — ACCOUNT TAKEOVER | Lock the compromised sender account. Remove forwarded email. Escalate. |
| Attachment detected as malware by VirusTotal. | MALICIOUS — MALWARE | Block file hash. Check for detonation on recipient’s endpoint. Escalate. |
| SPF fail. URLs uncheckable (sandboxed). No VT hits. | SUSPICIOUS — FURTHER INVESTIGATION | Deeper header analysis. Check if user clicked. Watch for 24-48 hours. |
Escalation Thresholds
| Signal | Escalate To | Timeline |
|---|---|---|
| Credential harvesting confirmed | SOC Lead | Immediate |
| Malware attachment detonated | Incident Response Team | Immediate |
| Account takeover confirmed | Incident Response + Identity Team | Immediate |
| Executive impersonated (CEO fraud) | Incident Response + Executive Protection | Immediate |
| BEC/financial fraud | Financial Fraud team + IC3 | Immediate + report |
| Single user, no click-through | SOC analyst — close | Same shift |
Common Phishing Triage Mistakes
| Mistake | Why It’s Dangerous |
|---|---|
| Trusting the display name | Attackers spoof display names. Always check the actual email address. |
| Clicking links from the SOC workstation | If the URL is malicious, clicking from corporate IP lands on adversary infrastructure. Always use a sandbox or VT. |
| Ignoring DMARC failures | An email can pass SPF yet fail DKIM and still look legitimate; many such messages are office.com or SharePoint-branded credential harvesters. |
| Not checking for forwarding rules | After account compromise, attackers often set up inbox rules to hide responses. Check Outlook rules / OWA redirects. |
| Only checking the first URL | Modern phishing emails often have multiple URLs — one legitimate (to pass filters), one malicious. |
| Trusting benign attachment types | .html attachments can contain credential harvesters. .iso containers bypass email AV scanning. |
Related
- Phishing — detection and response for T1566 techniques
- Business Email Compromise Response — detection and response for T1566, T1114, T1098, T1586 techniques
- Initial Access Response — detection and response for T1566, T1190, T1189, T1133 techniques
- Kill Chain — covers the kill chain concepts
- OSI Model — covers the OSI model concepts
