⭐ Day 20 – Email Security & Phishing Detection (Core SOC Skill)
Phishing is consistently ranked among the most common initial access vectors in industry breach reports.
A large share of ransomware, malware and credential-theft incidents begin with a single phishing email.
Today your students learn:
✔ How phishing works
✔ How to analyze suspicious emails
✔ What SOC should check in email logs
✔ How to detect malicious URLs
✔ How to investigate attachments
✔ MITRE mapping
🧠 1. What Is Phishing? (Easy Explanation)
Phishing = attacker sends fake emails to trick users into:
- Clicking malicious links
- Downloading malware
- Entering passwords
- Giving access
Simple examples:
- Fake Office 365 login
- Fake bank message
- Fake invoice
- Fake PDF attachments
📨 2. Types of Phishing Attacks
✔ 1. Regular Phishing
Mass emails → “Reset your password”, “Delivery failed”, etc.
✔ 2. Spear-Phishing
Targeted to one person (CEO, HR, Finance).
✔ 3. Whaling
Targeting top executives.
✔ 4. Clone Phishing
Copying real emails and replacing the link.
✔ 5. Business Email Compromise (BEC)
Attacker pretends to be CEO/manager and asks for money transfer.
🔍 3. Email Components SOC Analysts Must Check
1️⃣ From Address
Is it the real domain, a lookalike, or spoofed? e.g. support@microsofft.com (extra "f": a lookalike domain the attacker registered) vs. an exact microsoft.com address that fails SPF/DKIM (spoofed).
2️⃣ Display Name vs Real Email
Mail clients show the display name, not the address: "Microsoft Support" <random@gmail.com>. Always expand the real address, and check whether Reply-To points somewhere else.
3️⃣ Subject Line
Urgency, fear, “action required”.
4️⃣ Links Inside Email (Very Important)
Hover, don't click → compare the visible text with the real href:
- Fake domain (brand name in a subdomain, real owner is someone else)
- Similar domain (one or two characters away from the real one)
- Redirect link (a trusted host that bounces the user to the attacker's page)
5️⃣ Attachments
Examples:
- invoice.pdf.exe (double extension; Windows hides the .exe when "hide extensions for known file types" is on)
- payment.docm (macro-enabled Word document)
- resume.xlsm (macro-enabled Excel workbook)
6️⃣ Headers (Advanced)
Check:
- Return-Path (the envelope sender; often differs from the From address)
- Reply-To (where replies really go)
- Received chain (read bottom-up; only the hop added by your own gateway is trustworthy)
- Authentication-Results header added by your gateway:
  - SPF pass/fail
  - DKIM signature
  - DMARC results
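The checklist above, turned into a small triage script. This is an added example, not code from the course; it uses only the Python standard library, builds a constructed sample message inline (the lookalike domain microsofft.com, the Reply-To address, the link target and the fake attachment bytes are all made up for the example) and the brand-to-domain allowlist is an assumption you would replace with your own. It checks the From display name against the sending domain, a Reply-To that points elsewhere, the SPF/DKIM/DMARC verdicts in Authentication-Results, the hover test (visible link text vs. real href) and risky or double-extension attachment names.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands we expect to see in display names, and the domains allowed to use them.
# Constructed for this example; a real list comes from your own allowlist.
BRAND_DOMAINS = {"microsoft": {"microsoft.com", "microsoftonline.com"}}
# Extensions that should never arrive as business attachments, plus the
# macro-enabled Office formats from the checklist (payment.docm, resume.xlsm).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".docm", ".xlsm", ".pptm"}

ANCHOR = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT = re.compile(r"https?://[^\s<\"']+", re.I)
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def build_sample() -> EmailMessage:
    """Constructed lookalike-domain phish used as the input for this example."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Support" <support@microsofft.com>'
    msg["Reply-To"] = "collector@mail-drop.example"
    msg["To"] = "jane.doe@company.com"
    msg["Subject"] = "Action required: verify your password today"
    # As written by the receiving MTA (mx.company.com) after checking the sender.
    msg["Authentication-Results"] = (
        "mx.company.com; spf=fail smtp.mailfrom=microsofft.com; "
        "dkim=none; dmarc=fail header.from=microsofft.com"
    )
    msg.set_content("Your account will be locked. Verify now.")
    msg.add_alternative(
        "<p>Your account will be locked.</p>"
        '<a href="http://login-verify.mail-drop.example/o365">'
        "https://login.microsoftonline.com</a>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(msg: EmailMessage) -> list[str]:
    """Return a list of findings; an empty list means none of the checks fired."""
    findings: list[str] = []
    display, sender = parseaddr(msg.get("From", ""))
    from_domain = domain_of(sender)

    # Checks 1 and 2: display name claims a brand the sending domain may not use.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain not in allowed:
            findings.append(f"DISPLAY_NAME_MISMATCH: '{display}' sent from {sender}")

    # Reply-To that routes replies away from the From domain (common in BEC).
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"REPLY_TO_MISMATCH: replies go to {reply_to}")

    # Check 6: SPF/DKIM/DMARC verdicts recorded by our own mail gateway.
    for mech, result in AUTH_RESULT.findall(msg.get("Authentication-Results", "")):
        if result.lower() != "pass":
            findings.append(f"AUTH_{mech.upper()}_{result.upper()}")

    # Check 4: the hover test. Visible link text shows one host, href goes to another.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for href, inner in ANCHOR.findall(part.get_content()):
            shown = URL_IN_TEXT.search(re.sub(r"<[^>]+>", "", inner))
            real_host = (urlparse(href).hostname or "").lower()
            if shown and (urlparse(shown.group(0)).hostname or "").lower() != real_host:
                findings.append(f"LINK_MISMATCH: shows {shown.group(0)} but goes to {real_host}")

    # Check 5: risky or double-extension attachment names.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            note = " (double extension)" if name.count(".") >= 2 else ""
            findings.append(f"RISKY_ATTACHMENT: {name}{note}")
    return findings


if __name__ == "__main__":
    for line in triage(build_sample()):
        print(line)
```

To run it against a real message, replace `build_sample()` with `email.message_from_bytes(raw, policy=email.policy.default)` on a saved .eml file. The Authentication-Results check only means something when the header was written by your own gateway; an attacker can add a fake one, so strip any copy that arrives from outside before trusting it.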
🔥 4. Phishing Detection in Splunk (Very Easy)
Email logs from O365, Google Workspace, Exchange, Proofpoint, Mimecast etc.
Field names (url, attachment, verdict, spf, sender_domain …) depend on the add-on that parses your email logs; check the fields in your own index before copying these searches.
Search for emails containing links (noisy on its own; combine with the other indicators)
index=email "http" OR "https"
Search for blocked/malicious URLs
index=email verdict=malicious
Search for suspicious attachments (each value must be tied to the field; a bare "*.js" after OR searches the raw event text instead)
index=email attachment IN ("*.exe", "*.js", "*.vbs", "*.scr")
Search for failed SPF/DKIM/DMARC
index=email spf=fail OR dkim=fail OR dmarc=fail
Search for external senders (almost all inbound mail matches this; use it as a filter on top of the searches above, or pair it with a display name or Reply-To that looks internal)
index=email sender_domain!="company.com"
🧩 5. MITRE Mapping for Phishing
| MITRE Technique | Description |
|---|---|
| T1566 | Phishing (Initial Access) |
| T1566.001 | Spearphishing Attachment |
| T1566.002 | Spearphishing Link |
| T1204.001 | User Execution: Malicious Link |
| T1204.002 | User Execution: Malicious File |
| T1059 | Command and Scripting Interpreter (e.g. a macro in payment.docm launching PowerShell, T1059.001) |
🧪 6. Day 20 Hands-On Tasks
Task 1 – Identify phishing email subjects
index=email subject IN ("*login*", "*verify*", "*password*", "*urgent*")
Task 2 – Find external senders, then look for ones whose display name imitates an internal person or a brand
index=email sender_domain!="company.com"
Task 3 – Detect malicious attachments
index=email attachment IN ("*.zip", "*.exe", "*.js")
Task 4 – Detect failed SPF/DKIM
index=email spf=fail OR dkim=fail OR dmarc=fail
Task 5 – Analyze a real suspicious URL
Students must:
- Copy URL
- Check with VirusTotal
- Check with URLScan
- Check the domain age (whois)
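Before handing a URL to VirusTotal or URLScan, an analyst can already score it offline for the three hover-link patterns from section 3 (fake domain, similar domain, redirect link). The script below is an added example, not part of the course material; the protected-domain list, brand words, weights and all sample URLs are constructed for the example (the .example hosts and 203.0.113.10 are reserved documentation values), and the domain-age (whois) and reputation lookups from Task 5 are deliberately left to the external tools.

```python
import ipaddress
from urllib.parse import parse_qs, urlparse

# Domains the organisation trusts and brand words attackers like to borrow.
# Constructed for this example; in practice these come from your own allowlist.
PROTECTED_DOMAINS = ["microsoft.com", "microsoftonline.com", "company.com"]
BRAND_WORDS = ["microsoft", "office", "outlook"]
WEIGHTS = {"IP_HOST": 3, "PUNYCODE": 3, "LOOKALIKE": 4,
           "BRAND_IN_SUBDOMAIN": 4, "REDIRECT_PARAM": 3, "NO_TLS": 1}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 or 2 against a trusted domain is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Approximation: a public-suffix list is
    needed to handle suffixes like co.uk correctly."""
    return ".".join(host.split(".")[-2:])


def analyse(url: str) -> dict:
    reasons: list[str] = []
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not host:
        return {"url": url, "host": host, "reasons": ["UNPARSEABLE"], "score": 0}

    # Raw IP instead of a name: no legitimate login page does this.
    try:
        ipaddress.ip_address(host)
        reasons.append("IP_HOST")
    except ValueError:
        pass
    # Punycode label: may render as a homoglyph of a trusted name in the browser.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("PUNYCODE")

    reg = registered_domain(host)
    if reg not in PROTECTED_DOMAINS:
        # Similar domain: one or two edits away from something we trust.
        for good in PROTECTED_DOMAINS:
            if 0 < levenshtein(reg, good) <= 2:
                reasons.append(f"LOOKALIKE:{reg}~{good}")
        # Fake domain: brand word in a subdomain, but the registered domain
        # belongs to someone else (login.microsoftonline.com.verify-account.example).
        for brand in BRAND_WORDS:
            if brand in host and brand not in reg:
                reasons.append(f"BRAND_IN_SUBDOMAIN:{brand}")

    # Redirect link: a query value that is itself a URL, so a trusted host
    # can bounce the victim to the attacker's page.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            target = urlparse(value)
            if target.scheme in ("http", "https") and target.hostname:
                reasons.append(f"REDIRECT_PARAM:{key}->{target.hostname.lower()}")

    if parts.scheme == "http":
        reasons.append("NO_TLS")

    score = sum(WEIGHTS[r.split(":", 1)[0]] for r in reasons)
    return {"url": url, "host": host, "reasons": reasons, "score": score}


# Constructed sample URLs, one per pattern from the hover-link checklist.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2",
    "http://support.microsofft.com/verify",
    "https://login.microsoftonline.com.verify-account.example/o365",
    "https://login.microsoftonline.com/login?redirect=http://mail-drop.example/x",
    "http://203.0.113.10/owa/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = analyse(sample)
        verdict = "SUSPICIOUS" if result["score"] >= 3 else "ok"
        print(f"{verdict:10} {result['score']:>2}  {sample}  {result['reasons']}")
```

The score is a triage aid, not a verdict: a clean score only means none of these string-level patterns matched, which is exactly when the domain-age and reputation checks in Task 5 matter most.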
🎤 Trainer Script
Say this during class:
“Phishing is the biggest threat for any company.
If SOC detects phishing early, you prevent ransomware, malware, and credential theft.
Email security is your first line of defense.”
📝 Homework (Day 20)
Students must submit:
- One suspicious email subject
- One suspicious sender address
- One suspicious URL
- A Splunk search detecting phishing
- MITRE mapping