Hands-on Lab · Intermediate · ~50 min · Includes challenge

Lab PH.3 — Classify the Phish

Analyze five email scenarios and classify each as spam, phishing, spear phishing, BEC, or legitimate — documenting evidence chains and recommended SOC response actions for each.

Tools needed: Browser

What You'll Learn

  • Distinguish between spam, phishing, spear phishing, BEC, and legitimate email using observable indicators
  • Apply the phishing classification framework to real-world email scenarios systematically
  • Identify targeting indicators that differentiate mass phishing from spear phishing and BEC
  • Document classification reasoning with supporting evidence for each decision
  • Recognize how attackers tailor social engineering techniques to different attack categories

Lab Overview

Lab Type:        Browser-Only
Tools Required:  Browser
Estimated Time:  45–55 minutes
Difficulty:      Intermediate
Pre-Requisites:  Lessons PH.1–PH.3, Labs PH.1–PH.2
Deliverable:     Classification worksheet with verdicts and evidence chains for all 5 email scenarios

Classification Is a Core SOC Skill. When a user reports a suspicious email, the first question isn't "is this bad?" — it's "what type of bad is this?" The classification determines the response: spam gets a block rule, phishing triggers a mailbox sweep, spear phishing escalates to threat intel, and BEC goes straight to incident response. Getting the classification wrong means executing the wrong playbook.


The Scenario

Your SOC team operates a shared phishing inbox (phishing@company.com) where employees forward suspicious emails. Today you have five emails in the queue. Your job is to classify each one, document your evidence, and recommend the appropriate response action. You have no access to the actual email infrastructure for this exercise — you must make your determination based solely on the observable details provided.


Classification Framework

Before analyzing the emails, review the classification categories:

Category       | Target                        | Personalization                  | Goal                                 | Urgency Tactic
Spam           | Mass / untargeted             | None                             | Sell products, drive clicks          | Low — "limited offer"
Phishing       | Mass / untargeted             | Minimal (generic greeting)       | Steal credentials, install malware   | Medium — "account suspended"
Spear Phishing | Specific individual or role   | High (name, role, context)       | Targeted credential theft or access  | High — role-specific pretext
BEC            | Finance / executive           | Very high (mimics known person)  | Financial fraud (wire transfer)      | Very high — authority + deadline
Legitimate     | Intended recipient            | Appropriate                      | Normal business communication        | Varies

Email 1: The Streaming Offer

From: deals-today@streammax-offers.net
To: undisclosed-recipients:;
Subject: 🎬 Get Premium Streaming FREE for 12 Months! Act Now!
Date: Mon, 16 Feb 2026 03:22:41 +0000

Body:
Congratulations! You've been selected for our exclusive promotion.
Get 12 months of StreamMax Premium absolutely FREE!

Simply click below to activate your account:
[ACTIVATE NOW] → hxxp://streammax-deals[.]xyz/claim?ref=8827341

Offer expires in 24 hours! Don't miss out!

Unsubscribe: hxxp://streammax-deals[.]xyz/unsub

---
StreamMax Offers | 1247 Marketing Blvd, Suite 100 | This is an advertisement

Observable Indicators:

  • Sent to "undisclosed-recipients" (BCC mass send)
  • Generic greeting ("Congratulations!")
  • Link domain (streammax-deals.xyz) doesn't match sender domain (streammax-offers.net)
  • Urgency: "24 hours" expiration
  • Has unsubscribe link and physical address (CAN-SPAM compliance attempt)
  • Sent at 3:22 AM UTC

Your Analysis for Email 1

Document each indicator and your classification:

EMAIL 1 CLASSIFICATION WORKSHEET
─────────────────────────────────
Targeting:      [Mass / Targeted / Unknown]
Personalization: [None / Low / High]
Sender Analysis: [Legitimate / Suspicious / Malicious]
Link Analysis:   [Safe / Suspicious / Malicious]
Social Eng.:     [None / Generic urgency / Role-specific / Authority-based]
VERDICT:         [Spam / Phishing / Spear Phishing / BEC / Legitimate]
CONFIDENCE:      [Low / Medium / High]
REASONING:       [Your evidence chain — 2-3 sentences minimum]
RESPONSE:        [Recommended action]

Email 2: The IT Password Reset

From: it-helpdesk@c0mpany-support.com
To: jsmith@company.com
Subject: [ACTION REQUIRED] Your password expires in 2 hours
Date: Tue, 17 Feb 2026 08:15:33 -0500

Body:
Dear Employee,

Your company network password will expire in 2 hours. To avoid
being locked out of your account, please reset your password
immediately using the secure link below:

[Reset Password Now] → hxxps://company-password-reset[.]com/verify?user=jsmith

If you did not request this change, please contact IT support.

Best regards,
IT Help Desk
Company Technology Services

Observable Indicators:

  • Sender domain: c0mpany-support.com (note the zero replacing "o")
  • Sent to a specific email but greeting is generic ("Dear Employee")
  • Link domain doesn't match company domain
  • Creates urgency: "2 hours" deadline
  • The URL contains the target's username (jsmith)
  • No phone number or internal ticketing reference
  • Mimics internal IT communication style

Your Analysis for Email 2

EMAIL 2 CLASSIFICATION WORKSHEET
─────────────────────────────────
Targeting:      [Mass / Targeted / Unknown]
Personalization: [None / Low / High]
Sender Analysis: [Legitimate / Suspicious / Malicious]
Link Analysis:   [Safe / Suspicious / Malicious]
Social Eng.:     [None / Generic urgency / Role-specific / Authority-based]
VERDICT:         [Spam / Phishing / Spear Phishing / BEC / Legitimate]
CONFIDENCE:      [Low / Medium / High]
REASONING:       [Your evidence chain]
RESPONSE:        [Recommended action]

[Figure: Classification Decision Tree]

Email 3: The CEO Wire Transfer

From: david.chen@company.com (via: d.chen.exec@gmail.com)
To: sarah.williams@company.com
Subject: Urgent — Confidential Wire Transfer
Date: Tue, 17 Feb 2026 14:47:22 -0500

Body:
Sarah,

I need you to process an urgent wire transfer today. I'm in back-to-back
meetings with the board and can't call, but this needs to go out before
close of business.

Vendor: Global Consulting Partners
Amount: $47,500.00
Account: [will provide when you confirm availability]
Reference: Project Falcon — Q1 Advance Payment

Please confirm you can handle this right away. Do NOT discuss with
anyone else — this is part of a confidential acquisition review.

Thanks,
David Chen
CEO

Sent from my iPhone

Observable Indicators:

  • From line shows company.com but "via" shows gmail.com (external relay)
  • Sent to Sarah Williams (specific person — likely finance/AP role)
  • Uses CEO's actual name (David Chen)
  • "Confidential" — discourages verification with others
  • Urgency: "before close of business"
  • Wire transfer request with deferred account details
  • "Sent from my iPhone" — explains why not from corporate email
  • No attachment or link — purely social engineering

Your Analysis for Email 3

EMAIL 3 CLASSIFICATION WORKSHEET
─────────────────────────────────
Targeting:      [Mass / Targeted / Unknown]
Personalization: [None / Low / High]
Sender Analysis: [Legitimate / Suspicious / Malicious]
Link Analysis:   [Safe / Suspicious / Malicious / N/A]
Social Eng.:     [None / Generic urgency / Role-specific / Authority-based]
VERDICT:         [Spam / Phishing / Spear Phishing / BEC / Legitimate]
CONFIDENCE:      [Low / Medium / High]
REASONING:       [Your evidence chain]
RESPONSE:        [Recommended action]

BEC Is the Most Expensive Attack. The FBI's IC3 reported BEC losses exceeding $2.9 billion annually. These attacks work because they bypass all technical controls — no malware, no malicious links, no attachments. The weapon is pure social engineering: authority, urgency, and confidentiality. The only defense is process: out-of-band verification for all wire transfers.


Email 4: The Conference Invitation

From: registration@blackhat-usa.com
To: jsmith@company.com
Subject: Exclusive Speaker Invitation — BlackHat USA 2026
Date: Wed, 18 Feb 2026 10:30:00 -0800

Body:
Dear James,

Based on your recent publication "Advanced Threat Hunting with Wazuh"
and your role as Senior Security Analyst at [Company], we'd like to
invite you to present at BlackHat USA 2026.

Your proposed session: "Real-World SOC Automation: From Alert to
Response in Under 5 Minutes"

Please review the speaker agreement and confirm by February 28:
[Speaker Portal] → hxxps://blackhat-speakers[.]com/confirm/jsmith-2026

Travel and accommodation will be covered. Please submit your bio and
headshot through the portal.

Best regards,
Maria Torres
Speaker Relations Manager
Black Hat USA 2026 | Mandalay Bay, Las Vegas

Observable Indicators:

  • Uses recipient's first name (James) and a real publication title
  • References specific job title and company
  • Sender domain: blackhat-usa.com (not the real blackhat.com)
  • Link domain: blackhat-speakers.com (not associated with the real conference)
  • Flattery-based social engineering (invitation to speak)
  • Requests personal information (bio, headshot) through external portal
  • Deadline creates mild urgency

Your Analysis for Email 4

EMAIL 4 CLASSIFICATION WORKSHEET
─────────────────────────────────
Targeting:      [Mass / Targeted / Unknown]
Personalization: [None / Low / High]
Sender Analysis: [Legitimate / Suspicious / Malicious]
Link Analysis:   [Safe / Suspicious / Malicious]
Social Eng.:     [None / Generic urgency / Role-specific / Authority-based]
VERDICT:         [Spam / Phishing / Spear Phishing / BEC / Legitimate]
CONFIDENCE:      [Low / Medium / High]
REASONING:       [Your evidence chain]
RESPONSE:        [Recommended action]

Email 5: The Vendor Invoice

From: ap-notifications@quickbooks-online.intuit.com
To: jsmith@company.com
Subject: Invoice #QBO-29841 from TechSupply Corp
Date: Mon, 16 Feb 2026 09:00:15 -0500

Body:
Hi James,

TechSupply Corp sent you an invoice for $1,247.00

Invoice #QBO-29841
Due date: March 1, 2026
Amount due: $1,247.00

View and pay this invoice:
[Review Invoice] → hxxps://app.qbo.intuit.com/invoice/view/txn-29841

Questions about this invoice? Contact TechSupply Corp directly at
billing@techsupplycorp.com or (555) 234-5678.

Thanks,
QuickBooks Online
Intuit Inc. | 2632 Marine Way, Mountain View, CA 94043

You received this email because jsmith@company.com is registered
with QuickBooks Online. Manage your notifications at
hxxps://app.qbo.intuit.com/settings/notifications

Observable Indicators:

  • Sender domain matches legitimate QuickBooks domain (intuit.com)
  • Link points to app.qbo.intuit.com (legitimate QuickBooks subdomain)
  • Contains specific invoice number, amount, and vendor name
  • Includes vendor contact information for verification
  • Has notification management link
  • Physical address matches Intuit's headquarters
  • Appropriate tone — no excessive urgency

Your Analysis for Email 5

EMAIL 5 CLASSIFICATION WORKSHEET
─────────────────────────────────
Targeting:      [Mass / Targeted / Unknown]
Personalization: [None / Low / High]
Sender Analysis: [Legitimate / Suspicious / Malicious]
Link Analysis:   [Safe / Suspicious / Malicious]
Social Eng.:     [None / Generic urgency / Role-specific / Authority-based]
VERDICT:         [Spam / Phishing / Spear Phishing / BEC / Legitimate]
CONFIDENCE:      [Low / Medium / High]
REASONING:       [Your evidence chain]
RESPONSE:        [Recommended action]
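As an added example (not part of the lab's own materials), the following Python scorer encodes the classification framework and the observable indicators from the five emails as defensive first-pass triage rules, producing a verdict plus an evidence chain. It assumes company.com is the internal domain; the greeting and keyword lists are constructed for these scenarios and would need tuning for a real queue.

```python
from dataclasses import dataclass, field

COMPANY = "company.com"  # assumed internal domain from the lab scenario
GENERIC = ("dear employee", "dear customer", "congratulations")  # constructed lists
CREDENTIAL = ("password", "locked out", "suspended", "verify")
PAYMENT = ("wire transfer", "payment")
HOMOGLYPHS = str.maketrans("0135", "oles")  # digit-for-letter swaps (c0mpany)

@dataclass
class Email:
    sender: str    # From address
    to: str        # To header as displayed
    greeting: str  # first body line
    body: str
    links: list = field(default_factory=list)  # link domains found in the body
    via: str = ""  # relay address the client shows as "via", if any

def registrable(domain):
    # Collapse subdomains: app.qbo.intuit.com -> intuit.com
    return ".".join(domain.lower().split(".")[-2:])

def lookalike(domain):
    # True when a digit swap turns the sender's first label into the company name
    label = domain.split(".")[0].split("-")[0]
    return label != "company" and label.translate(HOMOGLYPHS) == "company"

def classify(e):
    # Returns (verdict, evidence). BEC is tested first because it has no link to catch.
    sender_dom = e.sender.split("@")[1].lower()
    text = (e.greeting + " " + e.body).lower()
    personal = not any(text.startswith(g) for g in GENERIC)
    via_dom = e.via.split("@")[-1].lower()
    ev = []
    if sender_dom == COMPANY and via_dom and via_dom != COMPANY:
        ev.append(f"internal From relayed via external {via_dom}")
    if ev and any(w in text for w in PAYMENT) and not e.links:
        return "BEC", ev + ["payment request with no link or attachment"]
    mismatch = [d for d in e.links if registrable(d) != registrable(sender_dom)]
    if mismatch:
        ev.append(f"link domain {mismatch[0]} != sender {sender_dom}")
    if lookalike(sender_dom):
        ev.append(f"sender {sender_dom} is a look-alike of {COMPANY}")
    if mismatch or lookalike(sender_dom):
        if personal:
            return "Spear Phishing", ev + ["personalised greeting and context"]
        mass = e.to.startswith("undisclosed-recipients")
        if mass and not any(w in text for w in CREDENTIAL):
            return "Spam", ev + ["mass send, generic greeting, no credential lure"]
        return "Phishing", ev + ["generic greeting with credential lure"]
    return "Legitimate", ev or ["sender and link domains agree"]
```

Run classify(Email(...)) on each of the five queue items; the evidence list maps directly onto the worksheet's Sender Analysis, Link Analysis and Social Eng. fields, but the verdict is a starting point for the analyst, not the final call.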

[Figure: Phishing Category Indicators]

Part 6: Compile Your Classification Report

Create a summary report comparing all five classifications:

PHISHING CLASSIFICATION REPORT
═══════════════════════════════
Analyst: [Your Name]
Date: [Today's Date]
Queue: phishing@company.com — 5 messages analyzed

SUMMARY TABLE
─────────────
#  Subject                          Verdict          Confidence  Priority
1  Premium Streaming FREE           [verdict]        [H/M/L]     [1-5]
2  Password expires in 2 hours      [verdict]        [H/M/L]     [1-5]
3  Confidential Wire Transfer       [verdict]        [H/M/L]     [1-5]
4  BlackHat Speaker Invitation      [verdict]        [H/M/L]     [1-5]
5  Invoice from TechSupply Corp     [verdict]        [H/M/L]     [1-5]

RESPONSE ACTIONS
────────────────
Email 1: [Block sender domain / Report to abuse / No action needed]
Email 2: [Block domain + mailbox sweep + user notification]
Email 3: [Immediate IR escalation + verify with CEO via phone]
Email 4: [Block domain + notify targeted user + share with threat intel]
Email 5: [Close report / Verify with finance / Other]

LESSONS LEARNED
───────────────
- Hardest to classify: Email [#] because [reason]
- Most dangerous: Email [#] because [reason]
- Key differentiator between phishing and spear phishing: [your observation]

Deliverable Checklist

Before completing the lab, ensure you have:

  • All 5 Classification Worksheets — Each email analyzed with every field completed
  • Evidence Chains — At least 3 supporting indicators cited per classification
  • Verdict Confidence — Justified reasoning for each confidence level
  • Response Actions — Appropriate SOC action recommended for each email type
  • Summary Report — Comparison table with priority ranking and lessons learned

Key Takeaways

  • Classification determines response — spam gets a filter rule, BEC triggers incident response with executive notification
  • Personalization level is the strongest differentiator between mass phishing and spear phishing
  • BEC attacks are the most dangerous because they contain no technical indicators — no links, no malware, no attachments
  • Legitimate emails share many characteristics with phishing (urgency, links, invoices) — analysts must evaluate the totality of indicators
  • Document your reasoning even when confident — classification decisions may be reviewed or audited later

What's Next

In Lab PH.4 — Artifact Extraction & IOC Analysis, you'll move from classification to investigation. You'll extract URLs, IP addresses, file hashes, and domains from phishing emails and analyze them using threat intelligence platforms like VirusTotal, URLScan.io, and AbuseIPDB.

Lab Challenge: Classify the Phish

10 questions · 70% to pass

1. Email 1 (Streaming Offer) is sent to 'undisclosed-recipients' with a generic greeting and an unsubscribe link. What is the correct classification?

2. Email 2 uses the domain 'c0mpany-support.com' (with a zero). What technique is this an example of?

3. Email 3 (CEO Wire Transfer) contains no links, no attachments, and no malware. Why is it still the most dangerous email in the queue?

4. What is the correct classification for Email 3 (CEO Wire Transfer)?

5. Email 4 (BlackHat Speaker Invitation) references the recipient's real publication and job title. What classification best fits?

6. What is the most likely classification for Email 5 (QuickBooks Invoice)?

7. Which email in the queue should receive the HIGHEST priority response from the SOC team, and why?

8. What is the primary indicator that differentiates spear phishing from regular phishing?

9. In Email 3, the attacker says 'Do NOT discuss with anyone else.' What social engineering principle does this exploit?

10. After classifying all 5 emails, what is the correct response for Email 2 (phishing password reset)?
