Description

Identifying phishing email campaigns in an organization is unique in that filters applied at email security gateways can dramatically reduce the number of phishing emails that users receive. Many of these solutions also create phishing alerts that can provide the raw email content for analysis.

However, phishing emails can evade these filtering solutions and be delivered successfully. Many organizations therefore use a dedicated mailbox to which users can report suspected phishing emails by forwarding the email as an attachment for analysis.
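The following is an added example, not taken from this page or from any of the tools it links to. It shows why reports should arrive as an attachment: the original headers survive inside the `message/rfc822` part and can be triaged automatically. All addresses, domains, and the gateway name `mx.corp.example` are constructed assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

TRUSTED_AUTHSERV = "mx.corp.example"  # assumption: authserv-id of your own gateway
# Constructed sample of a phishing email as the user received it (all values invented).
ORIGINAL = (
    'From: "IT Support" <support@example.net>\r\n'
    "Reply-To: helpdesk@example.org\r\n"
    "Subject: Password expiry notice\r\n"
    "Authentication-Results: mx.corp.example; spf=fail; dkim=none; dmarc=fail\r\n"
    "\r\n"
    "Renew here: http://login.example.net/renew before Friday.\r\n"
)

def build_sample_report() -> bytes:
    """Constructed user report: the original message forwarded as an attachment."""
    report = EmailMessage()
    report["From"] = "user@corp.example"
    report.set_content("This looks suspicious.")
    report.add_attachment(email.message_from_string(ORIGINAL, policy=policy.default))
    return report.as_bytes()

def extract_reported(raw: bytes):
    """Return the attached original message, or None if it was forwarded inline."""
    report = email.message_from_bytes(raw, policy=policy.default)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def triage(raw: bytes) -> dict:
    """Pull the fields an analyst checks first from the reported message."""
    msg = extract_reported(raw)
    if msg is None or not msg["From"] or not msg["From"].addresses:
        return {"error": "no usable message/rfc822 attachment"}
    sender = msg["From"].addresses[0]
    reply = msg["Reply-To"].addresses[0] if msg["Reply-To"] else sender
    # Trust only the Authentication-Results header stamped by your own gateway.
    auth = next((str(h) for h in msg.get_all("Authentication-Results", [])
                 if str(h).split(";")[0].strip() == TRUSTED_AUTHSERV), "")
    body = msg.get_body(preferencelist=("plain", "html"))
    return {
        "from": sender.addr_spec,
        "reply_to_mismatch": reply.domain.lower() != sender.domain.lower(),
        "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth)),
        "urls": re.findall(r"https?://[^\s<>\"']+", body.get_content() if body else ""),
    }
```

A report forwarded inline rather than as an attachment returns the error entry, because the original headers are no longer present to inspect.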

Techniques

Examples

Receive and analyze emails with rules in Sublime Security | Library | Tines

Analyze and triage suspicious emails with various tools | Library | Tines

Triage email attachments with Material Security | Story library | Tines

References

Phishing investigation

IRP-Phishing · main · Public Incident Response Ressources / Public Playbooks · GitLab