Module 5: Phishing Analysis & Email Security
The #1 attack vector. Learn to dissect it.
You'll trace the initial phishing email that compromised sarah.jones@cyberblue.local on WS-HR-01.
Lessons & Labs
Lesson 5.1 — Email Anatomy & Header Analysis
Email structure, headers, envelope vs. content, Received chains, X-headers
Lab PH.1 — Email Header Dissection
Analyze raw email headers using MXToolbox Header Analyzer — trace Received chains, evaluate SPF/DKIM/DMARC results, identify originating IPs, and detect spoofing indicators across two email samples.
Lesson 5.2 — SPF, DKIM & DMARC Authentication
How email authentication works, reading authentication results, identifying spoofing
Lab PH.2 — Email Authentication Check
Query and interpret SPF, DKIM, and DMARC DNS records using MXToolbox — compare authentication postures across domains and evaluate five real-world email authentication scenarios.
Lesson 5.3 — Phishing Types, Tactics & Techniques
Credential harvesters, drive-by downloads, BEC, spear phishing, typosquatting, homographs
Lab PH.3 — Classify the Phish
Analyze five email scenarios and classify each as spam, phishing, spear phishing, BEC, or legitimate — documenting evidence chains and recommended SOC response actions for each.
Lesson 5.4 — Artifact Extraction & Analysis
Extracting sender, URLs, attachments, hashes; analyzing with VirusTotal, URLScan, AbuseIPDB, CyberChef
Lab PH.4 — Artifact Extraction & IOC Analysis
Extract IOCs from a phishing campaign and analyze them using VirusTotal, URLScan.io, and AbuseIPDB — build a blocklist-ready intelligence report with 13 indicators across 6 IOC types.
Lesson 5.5 — Defensive Measures & Response
Blocking artifacts, email security controls, immediate response process, reporting
Lab PH.5 — Phishing Response
Investigate a phishing incident end-to-end in Wazuh — trace from email gateway delivery through Sysmon process chain, C2 callback, proxy/DNS correlation, and lateral movement across 12 agents with ~1,200 pre-loaded alerts.
Lesson 5.6 — Phishing Investigation Report Writing
Structured phishing report: header analysis, artifacts, verdict, defensive actions, lessons learned
Lab PH.6 — Write the Phishing Report
Write a formal phishing incident report using a professional template — compile findings from all previous labs into an executive summary, timeline, IOC appendix, and lessons learned document.