Types
- Recon
  - Undeliverable (bounce-back)
  - Response from the target
  - Tracking pixel
- Spam
- Credential harvester
  - Social engineering
  - Web link
- Malicious files
  - Attachments
    - Malicious file
    - Malicious link
  - Hosted
    - Malicious domain
    - Compromised domain
- Business email compromise
  - Fake invoice
  - Fake bank details
  - CEO impersonation for money transfer
  - Zombie phishing (replies into old email threads)
Artifacts
- Subject line
- Date and time
- Recipients (To)
- Sending email address (From)
- Sending server IP (X-Sender-IP)
  - Reverse DNS
    - Does it match the claimed sending domain, or is it spoofed?
- Reply-to email address
  - Has anyone replied? Check the email gateway
- URLs (sanitised)
  - Expanded, if shortened
  - Typosquatting?
  - How long ago was the domain registered?
  - Malicious or hijacked domain? Check the root domain
  - Have they been clicked? Check SIEM/EDR etc.
- File name
- Body content summary
  - Message
  - Social engineering tactics used
  - Styling
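Pulling the artifacts above out of a reported message is the first step of triage. The following is an added example (not part of the original checklist) that parses a constructed .eml with Python's standard library, defangs the URLs, and pre-computes two of the checks an analyst would otherwise do by hand: Reply-To domain differing from the From domain, and URLs pointing at a shortener (the shortener list is an assumption; extend it for your environment). Reverse DNS, domain age and click checks need external lookups and are left to the analyst.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real message); headers mirror the artifact checklist above.
SAMPLE_EML = """\
From: "Acme Payments" <billing@acme-payments.example>
Reply-To: collect@mail-acme.example
To: finance@corp.example
Subject: Overdue invoice #4471
Date: Tue, 03 Jun 2025 09:14:00 +0000
X-Sender-IP: 203.0.113.45
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please pay at https://bit.ly/3xyz or http://acme-payments.example.login-portal.example/pay
--b1
Content-Type: application/pdf; name="invoice_4471.pdf"
Content-Disposition: attachment; filename="invoice_4471.pdf"

%PDF-1.4 (placeholder bytes)
--b1--
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+")
SHORTENERS = ("bit.ly", "t.co", "tinyurl.com")  # assumed list; extend for your environment

def defang(url):
    # Sanitise so the URL cannot be clicked when pasted into a ticket or report
    return url.replace("http", "hxxp", 1).replace(".", "[.]")

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def extract_artifacts(raw):
    msg = message_from_string(raw, policy=policy.default)
    hdr = lambda name: str(msg.get(name, ""))
    body = "\n".join(p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain")
    urls = URL_RE.findall(body)
    from_domain, reply_domain = domain_of(hdr("From")), domain_of(hdr("Reply-To"))
    return {
        "subject": hdr("Subject"), "date": hdr("Date"), "to": hdr("To"),
        "from": hdr("From"), "reply_to": hdr("Reply-To"), "sender_ip": hdr("X-Sender-IP"),
        "from_domain": from_domain, "reply_to_domain": reply_domain,
        "urls_defanged": [defang(u) for u in urls],
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,  # replies go elsewhere
        "shortened_urls": [u for u in urls if u.split("/")[2].lower() in SHORTENERS],  # need expanding
    }
```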
Response
- What to block?
  - Email artefact
  - Web artefact
  - File artefact