Artifact Extraction & Analysis

From Email to Evidence

In Lessons PH-1 through PH-3, you learned to identify phishing emails, read their headers, and verify authentication results. That analysis tells you whether an email is malicious. This lesson answers the next question: what exactly is the threat, and how do we weaponize that knowledge defensively?

Artifact extraction is the process of pulling every Indicator of Compromise (IOC) from a phishing email and analyzing each one to understand the attack's infrastructure, intent, and scope. A single phishing email can yield dozens of IOCs — sender addresses, reply-to addresses, originating IPs, URLs, domain names, attachment hashes, embedded scripts, and more.

The goal is not just to confirm "this is phishing." The goal is to build a complete picture: who is attacking, what infrastructure they are using, how the payload works, and what you need to block across your environment to protect every user — not just the one who reported it.

Click to enlarge

Extracting Sender Artifacts

Start with the envelope and header fields you already know from Lesson PH-3:

From: "IT Support Team" <helpdesk@company-secure.com>
Return-Path: <attacker@evil-domain.xyz>
Reply-To: <credential-harvest@protonmail.com>
Received: from mail.evil-domain.xyz (198.51.100.42)
Message-ID: <abc123@evil-domain.xyz>

From this single header block, you extract five IOCs: the spoofed From domain (company-secure.com), the real sender domain (evil-domain.xyz), the reply-to address (credential-harvest@protonmail.com), the originating IP (198.51.100.42), and the Message-ID domain confirming the true origin.

Extracting and Defanging URLs

Phishing emails almost always contain URLs — either in the body text, HTML hyperlinks, or disguised behind buttons. Extracting them requires examining both the visible text and the underlying HTML source.

Finding URLs in HTML Source

The visible text of a link and its actual destination are often different:

<a href="https://evil-domain.xyz/harvest?id=victim123">
  https://company.com/secure-login
</a>

The user sees https://company.com/secure-login. The actual destination is https://evil-domain.xyz/harvest?id=victim123. Always extract from the href attribute, not the display text.

Defanging Conventions

Before writing URLs or IPs in reports, tickets, chat messages, or IOC lists, defang them to prevent accidental clicks or auto-linking:

CyberChef has a built-in Defang URL operation that handles this automatically. In Lab PH-4, you will use it extensively.

Hashing Attachments

When a phishing email contains an attachment — a Word document, PDF, Excel file, ZIP archive, or executable — the first step is generating cryptographic hashes without opening the file.

# Generate MD5 and SHA256 hashes
md5sum suspicious_invoice.docx
sha256sum suspicious_invoice.docx

# On macOS
md5 suspicious_invoice.docx
shasum -a 256 suspicious_invoice.docx

Why Both Hashes?

MD5 is faster to compute and more widely indexed in legacy threat intelligence databases. SHA256 is cryptographically stronger and the standard for modern IOC sharing (STIX/TAXII, MISP). Always generate both.

Analyzing URLs: URLScan.io and VirusTotal

Once you have extracted and defanged URLs, analyze them using free tools before anyone clicks them.

URLScan.io

URLScan.io visits the URL in a sandboxed browser and captures:

• Screenshot of the rendered page (see the phishing page without visiting it)
• DOM content — the full HTML source of the destination page
• Network requests — every resource loaded (scripts, images, redirects)
• Redirect chain — the full path from initial URL to final destination
• IP and hosting information — where the page is hosted
• Verdict — community and automated classification

Submit the URL (re-fang it for the search, or use URLScan's API) and examine the results. A credential harvesting page will typically show a login form mimicking a known brand, hosted on a recently registered domain or compromised site.

VirusTotal URL Scan

VirusTotal aggregates results from 70+ security vendors. For URL analysis:

• Paste the URL into the URL tab (not the file tab)
• Review the detection ratio (e.g., 12/87 vendors flagged it as malicious)
• Check the Community tab for analyst comments
• Examine Relations — other URLs hosted on the same IP, associated files, redirects

Analyzing Attachments: VirusTotal and Hybrid Analysis

VirusTotal File Analysis

Upload the file hash (not the file itself, to avoid sharing sensitive data) to VirusTotal:

• Detection tab: How many AV engines detect it as malicious
• Behavior tab: If the file has been detonated in VT's sandbox, you see process creation, file drops, network connections, and registry changes
• Relations tab: Other files dropped, contacted domains, similar samples
• Community tab: Analyst notes and YARA rule matches

Hybrid Analysis

Hybrid Analysis (hybrid-analysis.com) by CrowdStrike provides deeper behavioral analysis:

• Submit the file for sandbox detonation (Windows 7/10, Linux)
• View process trees, network connections, DNS queries, and file system changes
• See extracted strings, embedded URLs, and dropped payloads
• Review MITRE ATT&CK technique mapping for observed behaviors

Using CyberChef for Decoding

CyberChef (gchq.github.io/CyberChef) is the analyst's Swiss Army knife. Phishing emails frequently use encoding to evade detection, and CyberChef can decode virtually anything.

Common Decoding Operations

Base64 Decode: Attackers encode payloads, URLs, or entire scripts in Base64 to bypass email gateways.

Input:  aHR0cHM6Ly9ldmlsLWRvbWFpbi54eXovY3JlZC1oYXJ2ZXN0P3VzZXI9dGFyZ2V0
Recipe: From Base64
Output: https://evil-domain.xyz/cred-harvest?user=target

URL Decode: Percent-encoded URLs hide the true destination.

Input:  https%3A%2F%2Fevil-domain.xyz%2Fpayload%3Fid%3D12345
Recipe: URL Decode
Output: https://evil-domain.xyz/payload?id=12345

Extract URLs from HTML: When you have raw HTML source from an email, CyberChef's "Extract URLs" operation pulls every URL from href attributes, script sources, and embedded content.

Recipe: Extract URLs → Defang URL → Sort → Unique

This four-step recipe takes raw HTML and produces a clean, defanged, deduplicated URL list ready for your IOC table.

Building the IOC Table

Every phishing investigation should produce a structured IOC table. This table becomes the input for blocking rules, SIEM detections, and threat intelligence sharing.

OSINT Enrichment of Extracted IOCs

Raw IOCs are useful for blocking. Enriched IOCs tell you the story of the attack — who is behind it, how long the infrastructure has been active, and what other campaigns use the same resources.

Click to enlarge

Domain Enrichment

A domain registered 48 hours ago hosting a "Microsoft 365 login page" on a bulletproof hosting provider is almost certainly malicious.

IP Enrichment

File Hash Enrichment

Putting It All Together: The Extraction Workflow

Here is the systematic workflow you will follow in Lab PH-4:

1. Save the raw email — download the .eml file or copy the full source
2. Extract sender artifacts — From, Return-Path, Reply-To, originating IP, Message-ID domain
3. Extract URLs — both visible text and href destinations; use CyberChef "Extract URLs" on HTML source
4. Defang everything — all URLs, IPs, and email addresses in your working notes
5. Hash attachments — MD5 and SHA256 without opening the file
6. Analyze URLs — submit to URLScan.io and VirusTotal
7. Analyze attachments — submit hash to VirusTotal, detonate in Hybrid Analysis if needed
8. Decode obfuscated content — use CyberChef for Base64, URL encoding, HTML entities
9. Build the IOC table — structured, defanged, with source and context columns
10. Enrich IOCs — WHOIS, PassiveDNS, AbuseIPDB, GreyNoise for each indicator
11. Document findings — feed the IOC table into your investigation report

Key Takeaways

• A single phishing email can yield dozens of IOCs: sender addresses, domains, IPs, URLs, file hashes, and embedded objects
• Always defang URLs, IPs, and email addresses before sharing — this is a professional standard, not optional
• Generate both MD5 and SHA256 hashes for attachments — MD5 for legacy lookups, SHA256 for modern IOC sharing
• Use URLScan.io for visual and network analysis of URLs, and VirusTotal for vendor consensus and historical associations
• CyberChef is essential for decoding Base64, URL-encoded strings, and extracting URLs from raw HTML source
• Build a structured IOC table with type, value, source, and context columns — this feeds blocking rules and SIEM detections
• OSINT enrichment transforms raw IOCs into campaign intelligence: WHOIS, PassiveDNS, AbuseIPDB, and sandbox analysis reveal the attacker's infrastructure and scope

What's Next

You now know how to tear apart a phishing email and extract every artifact it contains. In Lesson PH-5: Defensive Measures & Response, you will learn what to do with those artifacts — how to block them across your email gateway, firewall, and SIEM, how to check whether anyone else in your organization clicked the link or submitted credentials, and how to build a phishing response process that scales. In Lab PH-4, you will put this lesson into practice by extracting artifacts from a realistic phishing email, analyzing each IOC, and building a complete IOC table.