Types

• Recon
  • Undeliverable
  • Response
  • Tracking pixel
• Spam
• Credential harvester
  • Social engineering
  • Web link
• Malicious files
  • Attachments
    • Malicious file
    • Malicious link
  • Hosted
    • Malicious domain
    • Compromised domain
• Business email compromise
  • Fake invoice
  • Fake bank details
  • CEO impersonation for money transfer
  • Zombie phishing old email threads

Artifacts

• Subject line
• Date and time
• Recipients (To)
• Sending email address (From)
  • Sending server IP (X-Sender-IP)
    • Reverse DNS
      • Does it match claimed sending email, or spoofed?
  • Reply-to email address
    • Has anyone replied? Check email gateway
• URLs (sanitised)
  • Expanded, if shortened
  • Typosquatting?
  • How long ago was the domain registered?
    • Malicious or hijacked domain? Check root
  • Have they been clicked? Check SIEM/EDR etc
• File name
  • File hash
• Body content summary
  • Message
    • Social engineering tactics used
  • Styling

Response

What to block?

• Email artefact
• Web artefact
• File artefact