Lesson 6 of 6 · 15 min read · Includes quiz

Phishing Investigation Report Writing

Structured phishing report: header analysis, artifacts, verdict, defensive actions, lessons learned

What You'll Learn

  • Explain why written investigation reports are critical for documentation, knowledge transfer, and legal defensibility
  • Describe the complete phishing report template structure: Executive Summary through Lessons Learned
  • Write an effective executive summary that communicates findings to non-technical stakeholders in under 30 seconds
  • Present evidence clearly using defanged IOCs, screenshots, header excerpts, and structured tables
  • Identify and avoid common report writing mistakes that undermine credibility and usefulness
  • Walk through a complete sample report based on a realistic phishing scenario
  • Apply a report quality checklist to self-review before submission

Why Reports Matter More Than You Think

You triaged the phishing email. You analyzed the headers. You extracted every artifact. You blocked the IOCs, scoped the campaign, checked for credential compromise, and contained the threat. The investigation is done — right?

Wrong. Without a written report, your investigation might as well not have happened. Here is why:

Documentation: Six months from now, when the same attacker infrastructure resurfaces, no one will remember the details of today's investigation. A written report preserves the full analysis — IOCs, evidence, decisions, and actions taken — as a searchable, permanent record.

Knowledge transfer: You will not always be the analyst on shift. When a colleague handles the next report from the same campaign, your documentation tells them exactly what was already investigated, what was blocked, and what to look for.

Legal and compliance: If the phishing attack leads to a data breach, regulatory investigation, or legal proceedings, your report becomes evidence. "I analyzed it and it looked bad" does not hold up. A structured report with timestamps, evidence, and clear reasoning does.

Metrics and improvement: Reports feed your phishing program metrics. How many phishing incidents per month? What percentage led to credential compromise? What was the average response time? Without structured reports, these questions are unanswerable.

A good report turns a single investigation into organizational knowledge. The artifacts you extracted become threat intelligence. The techniques you observed become detection rules. The response steps you took become playbook improvements. The report is the mechanism that makes this transfer happen.

The Phishing Report Template

Every phishing investigation report should follow a consistent structure. Consistency means any analyst can read any report and find the information they need in the expected location.

Phishing report template — structured sections from Executive Summary through Lessons Learned

1. Executive Summary

The executive summary is the most important section. It is read by managers, legal, compliance, and executives who will not read the full report. It must answer five questions in 3-5 sentences:

  • What happened? (A phishing email targeting X was reported by Y)
  • Who was affected? (N users received it; M interacted)
  • What was the impact? (Credentials compromised / no compromise confirmed)
  • What was done? (IOCs blocked, passwords reset, emails purged)
  • What is the current status? (Contained / monitoring / escalated)

EXECUTIVE SUMMARY

On 2026-02-20 at 14:32 UTC, a phishing email impersonating the IT Help Desk
was reported by [User Name] in the Finance department. The email directed users
to a credential harvesting page mimicking the Microsoft 365 login portal. Campaign
scoping identified 47 recipients across three departments. Proxy log analysis
confirmed 3 users submitted credentials. All compromised accounts underwent
immediate password resets and session revocation. Malicious infrastructure was
blocked across email gateway, DNS, and web proxy. No evidence of post-compromise
lateral movement was identified. Status: CONTAINED — enhanced monitoring active
for 72 hours.
💡 Write the executive summary last. Even though it appears first, write it after you have completed all other sections. By then, you have the full picture and can distill it accurately. Writing it first leads to inaccuracies that require revision.

2. Email Details

Present the raw facts of the reported email:

Field | Value
--- | ---
Subject | Urgent: Your Account Has Been Locked
From (Display) | IT Help Desk <helpdesk[@]company[.]com>
From (Envelope) | attacker[@]evil-domain[.]xyz
Reply-To | support-reset[@]protonmail[.]com
Date | 2026-02-20 14:28:03 UTC
Recipients | 47 users (Finance, HR, Executive)
Attachments | None
Embedded URLs | 1 (credential harvesting link)

3. Header Analysis

Summarize your header analysis findings. Do not paste the entire header block — extract the relevant portions:

HEADER ANALYSIS

Originating IP: 198[.]51[.]100[.]42 (Received: from mail.evil-domain[.]xyz)
Message-ID Domain: evil-domain[.]xyz (confirms true sending infrastructure)
X-Mailer: PHPMailer 6.8.0 (mass-mailing tool, not corporate email client)
Hop Count: 3 hops (originator → relay → company gateway)
Time Consistency: All timestamps sequential with < 2 second variance (no anomalies)

4. Authentication Results

Document SPF, DKIM, and DMARC results with clear pass/fail verdicts:

Check | Result | Details
--- | --- | ---
SPF | FAIL | smtp.mailfrom=evil-domain[.]xyz — IP 198[.]51[.]100[.]42 not authorized for company[.]com
DKIM | NONE | No DKIM signature present
DMARC | FAIL | Policy: p=none (company[.]com DMARC not enforcing — recommendation issued)

If the victim organization's DMARC policy is p=none, include a recommendation to upgrade to p=quarantine or p=reject. This is one of the most impactful defensive improvements your report can drive. Many organizations have DMARC in monitoring mode indefinitely because no one flags it.

5. Artifact Analysis

Present your analysis of each extracted artifact. This section shows your work — the evidence that supports your verdict.

URL Analysis:

Property | Finding
--- | ---
URL | hxxps://evil-domain[.]xyz/m365-login?ref=fin-dept
URLScan.io | Screenshot shows Microsoft 365 login clone; page hosted on Namecheap VPS
VirusTotal | 14/87 vendors flagged as phishing (as of 2026-02-20 15:00 UTC)
Domain Age | Registered 2026-02-18 (2 days before campaign)
SSL Certificate | Let's Encrypt, issued 2026-02-18
Hosting | 198[.]51[.]100[.]42 — Namecheap / BV-EU-AS (known bulletproof hosting range)

Attachment Analysis (if applicable):

Property | Finding
--- | ---
Filename | Invoice_Q4_2026.docm
MD5 | d41d8cd98f00b204e9800998ecf8427e
SHA256 | e3b0c44298fc1c149afbf4c8996fb924...
VirusTotal | 32/72 detections — Trojan.MacroDownloader
Hybrid Analysis | Macro executes PowerShell → downloads payload from hxxps://cdn[.]evil-domain[.]xyz/stage2[.]exe
Behavior | Process: WINWORD.EXE → cmd.exe → powershell.exe → Invoke-WebRequest

6. IOC Table

Present all extracted and enriched IOCs in a single structured table:

IOC Type | Value | Context | Enrichment
--- | --- | --- | ---
Domain | evil-domain[.]xyz | Sending infrastructure + hosting | Registered 2 days prior; Namecheap; no historical DNS
IP Address | 198[.]51[.]100[.]42 | Originating mail server + web host | AbuseIPDB: 87% confidence malicious; 142 reports
URL | hxxps://evil-domain[.]xyz/m365-login | Credential harvesting page | 14/87 VT detections; M365 login clone
Email | attacker[@]evil-domain[.]xyz | Envelope sender | SPF fail; PHPMailer origin
Email | support-reset[@]protonmail[.]com | Reply-To address | Free email service; unattributable

7. Verdict and Confidence Level

State your verdict clearly with a confidence level:

VERDICT: MALICIOUS — Credential Harvesting Phishing Campaign

Confidence: HIGH

Basis:
- Authentication failure (SPF FAIL, no DKIM, DMARC FAIL)
- Domain registered 48 hours before campaign launch
- URL destination is a pixel-perfect Microsoft 365 login clone
- 14/87 VirusTotal vendors confirm phishing classification
- Originating IP has 142 abuse reports on AbuseIPDB
- PHPMailer indicates mass-mailing tool, not legitimate corporate email

Always state your confidence level. HIGH means multiple independent indicators all point to the same conclusion. MEDIUM means strong indicators but some ambiguity (e.g., a legitimate-looking domain with suspicious behavior). LOW means limited evidence requiring further investigation. This calibration helps the reader understand how much weight to give your verdict.

8. Defensive Actions Taken

Document every containment and remediation action with timestamps:

Timestamp (UTC) | Action | Scope
--- | --- | ---
2026-02-20 15:05 | Sender domain blocked on email gateway | Tenant-wide
2026-02-20 15:08 | Phishing URL added to web proxy block list | Tenant-wide
2026-02-20 15:10 | Domain sinkholed on internal DNS resolver | All internal DNS clients
2026-02-20 15:12 | IP blocked on perimeter firewall (outbound) | Tenant-wide
2026-02-20 15:15 | Compliance search: 47 matching emails purged | All user mailboxes
2026-02-20 15:22 | Password reset forced for 3 compromised users | Individual accounts
2026-02-20 15:25 | Active sessions revoked for 3 compromised users | Individual accounts
2026-02-20 15:30 | Email forwarding rules audited — none found | 3 compromised accounts
2026-02-20 15:35 | Wazuh custom rules deployed for campaign IOCs | All monitored endpoints

9. Recommendations

Provide actionable recommendations that go beyond this incident:

  1. Upgrade DMARC policy from p=none to p=quarantine for company[.]com — this would have quarantined the spoofed email at the gateway
  2. Enable URL rewriting (SafeLinks) for all users — time-of-click protection would catch deferred phishing attacks
  3. Deploy phishing simulation targeting Finance, HR, and Executive departments — these departments were specifically targeted in this campaign
  4. Implement conditional access policies requiring MFA from non-corporate IP ranges — limits credential abuse even if credentials are harvested
  5. Add PHPMailer X-Mailer header to email gateway detection rules — legitimate corporate email does not originate from PHPMailer

10. Lessons Learned

Reflect on what worked, what did not, and what should change:

LESSONS LEARNED

What worked well:
- User reported the email within 8 minutes of delivery (below 15-minute target)
- Artifact extraction and IOC blocking completed within 43 minutes (below 60-minute target)
- Wazuh rules for campaign IOCs deployed within 1 hour

What needs improvement:
- DMARC policy at p=none allowed the spoofed email through — upgrade timeline needed
- No URL rewriting in place — users who clicked reached the live harvesting page
- 3 of 47 recipients submitted credentials — simulation training needed for targeted departments

Process changes:
- Add DMARC enforcement check to quarterly security review
- Fast-track URL rewriting deployment (SafeLinks) — target completion: 2026-03-15
- Schedule targeted phishing simulation for Finance/HR/Executive — Q2 2026

Writing Effective Executive Summaries

The executive summary deserves extra attention because it is the only section most stakeholders will read. Follow these rules:

Rule | Why
--- | ---
Lead with impact, not process | "3 users' credentials were compromised" matters more than "we analyzed email headers"
Use plain language | "SPF failed" means nothing to a VP. "The email was sent from an unauthorized server" does.
Include numbers | 47 recipients, 3 compromised, 43-minute response time — concrete data builds confidence
State the current status | Readers need to know: is this still happening, or is it contained?
Keep it under 150 words | If it takes more than 30 seconds to read, it is too long
🚨 Never use jargon without explanation in the executive summary. Terms like SPF, DKIM, IOC, sinkholing, and TTPs are second nature to you. They are meaningless to the CISO's executive assistant, the legal team, or the board member who receives the escalation summary. Translate everything.

Evidence Presentation Best Practices

Your report's credibility depends on how you present evidence:

  • Always defang IOCs — even in internal reports, ticketing systems auto-link URLs
  • Include screenshots — a screenshot of the URLScan.io result is more compelling than a text description
  • Timestamp everything — every finding, every action, in UTC
  • Quote exact header values — do not paraphrase; copy the relevant header lines verbatim
  • Use tables for structured data — IOC tables, authentication results, and action logs are easier to scan as tables than paragraphs
  • Reference your sources — "VirusTotal (14/87 detections as of 2026-02-20 15:00 UTC)" is verifiable; "VirusTotal flagged it" is not

Common Report Mistakes

Mistake | Why It Hurts | Fix
--- | --- | ---
No executive summary | Decision-makers skip the report entirely | Always write one, even for minor incidents
Copying entire email headers | Walls of text that no one reads | Extract only the relevant header lines with context
Live (not defanged) IOCs | Someone clicks the link in your Jira ticket | Defang every URL, IP, and email address
Missing timestamps | Cannot reconstruct the timeline or measure response metrics | Timestamp every observation and action in UTC
Verdict without evidence | "It's phishing" is an opinion; evidence makes it a finding | List each indicator that supports your verdict
No confidence level | Reader cannot gauge certainty | State HIGH/MEDIUM/LOW with supporting basis
Skipping recommendations | The same attack succeeds again next month | Every report should drive at least one defensive improvement
Writing for analysts only | Non-technical stakeholders cannot act on it | Write the executive summary for a non-technical reader

Report quality checklist — verify completeness before submission

Sample Report Walkthrough

Let us walk through a condensed version of a complete phishing investigation report using a realistic scenario:

Scenario: On 2026-02-20, a Finance department employee received an email with the subject "ACTION REQUIRED: Wire Transfer Approval" from what appeared to be the CFO. The email contained a link to an "approval portal."

Executive Summary: A business email compromise (BEC) attempt targeting the Finance department was reported on 2026-02-20. The email spoofed the CFO's display name and directed the recipient to a credential harvesting page. Scoping identified 12 recipients in Finance and Accounting. One user clicked the link but did not submit credentials (confirmed via proxy logs). All IOCs were blocked within 38 minutes. No credential compromise or financial impact occurred. Status: CONTAINED.

Key Analysis Findings:

  • From header showed CFO's name but envelope sender was cfo-approvals@finance-portal[.]xyz
  • Domain finance-portal[.]xyz registered 24 hours before the attack
  • SPF FAIL (sending IP not authorized for the spoofed domain)
  • URL led to a fake "wire transfer approval" form requesting login credentials and a one-time approval code
  • VirusTotal: 8/87 detections at time of analysis

Verdict: MALICIOUS — BEC/Credential Harvesting. Confidence: HIGH.

Key Defensive Actions:

  • Domain and IP blocked across email gateway, DNS, firewall, and web proxy
  • 12 emails purged from all mailboxes via compliance search
  • Custom Wazuh rule deployed for campaign IOCs
  • Recommendation issued to implement DMARC enforcement and deploy CFO impersonation detection rules

This condensed walkthrough demonstrates the flow from summary to evidence to action. In Lab PH-6, you will write a full-length report following the complete template.

Report Quality Checklist

Before submitting any phishing investigation report, verify every item:

  • Executive summary is under 150 words and answers: what, who, impact, actions, status
  • All IOCs are defanged (URLs, IPs, email addresses)
  • Every finding has a timestamp in UTC
  • Authentication results (SPF, DKIM, DMARC) are documented with pass/fail verdicts
  • IOC table includes type, value, context, and enrichment columns
  • Verdict states a confidence level (HIGH/MEDIUM/LOW) with supporting basis
  • Defensive actions include timestamps and scope
  • Recommendations are specific and actionable (not generic "improve security")
  • Executive summary is written in plain language for non-technical readers
  • Report has been spell-checked and formatted consistently
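Several checklist items (summary under 150 words, every IOC defanged, every timestamp in UTC) and the defanging rule from Evidence Presentation Best Practices can be linted automatically before peer review. The following Python is an added example, not part of the lesson or its lab materials; it assumes the draft is plain text with ALL-CAPS section headings like the template blocks above, and the sample report it checks is constructed for the demonstration.

```python
import re

MAX_SUMMARY_WORDS = 150  # limit from the report quality checklist

# Live indicators that must never appear in a report (ticketing systems auto-link them).
LIVE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
LIVE_IP = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LIVE_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Timestamps are accepted only with an explicit UTC marker ("... UTC" or ISO "Z").
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2}(?: at |[ T])\d{2}:\d{2}(?::\d{2})?(?: UTC|Z)?")

def defang(value: str) -> str:
    """Defang a URL, IP or e-mail address the way the lesson's tables do."""
    value = re.sub(r"^http", "hxxp", value, flags=re.IGNORECASE)
    return value.replace("@", "[@]").replace(".", "[.]")

def executive_summary(report: str) -> str:
    """Body of the EXECUTIVE SUMMARY section; headings are assumed to be ALL-CAPS lines."""
    m = re.search(r"^EXECUTIVE SUMMARY\n(.*?)(?=^[A-Z][A-Z ]+$|\Z)", report, re.M | re.S)
    return m.group(1).strip() if m else ""

def find_live_iocs(report: str) -> list[str]:
    """Every URL, IP address or e-mail address that is still linkable."""
    return [hit for p in (LIVE_URL, LIVE_IP, LIVE_EMAIL) for hit in p.findall(report)]

def find_timestamps_without_utc(report: str) -> list[str]:
    """Timestamps that do not state UTC explicitly."""
    return [m.group(0) for m in TIMESTAMP.finditer(report)
            if not m.group(0).endswith(("UTC", "Z"))]

def check_report(report: str) -> dict[str, list[str]]:
    """Run the automatable checklist items; returns failures keyed by check (empty = pass)."""
    failures: dict[str, list[str]] = {}
    words = len(executive_summary(report).split())
    if not 0 < words <= MAX_SUMMARY_WORDS:
        failures["executive_summary_length"] = [f"{words} words"]
    if live := find_live_iocs(report):
        failures["live_iocs"] = live
    if naive := find_timestamps_without_utc(report):
        failures["timestamps_without_utc"] = naive
    return failures

# Constructed draft (not a real incident) with two deliberate defects:
# a live URL in the artifact section and an action timestamp lacking UTC.
SAMPLE_REPORT = """\
EXECUTIVE SUMMARY
On 2026-02-20 at 14:32 UTC a phishing email impersonating the IT Help Desk was
reported by a Finance user. 47 users received it; 3 submitted credentials.
All IOCs were blocked and affected accounts were reset. Status: CONTAINED.
ARTIFACT ANALYSIS
URL: https://evil-domain.xyz/m365-login (credential harvesting page)
Sender: attacker[@]evil-domain[.]xyz via 198[.]51[.]100[.]42
DEFENSIVE ACTIONS TAKEN
2026-02-20 15:05 UTC  Sender domain blocked on email gateway
2026-02-20 15:08      Phishing URL added to web proxy block list
"""
```

Running `check_report(SAMPLE_REPORT)` reports the live URL and the 15:08 timestamp; the already-defanged sender and IP pass, and the summary (37 words) is within the limit.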
💡 Peer review your first 10 reports. Ask a senior analyst to review your reports before submission. The feedback on your first 10 reports will shape your writing quality for the rest of your career. After that, self-review using this checklist is usually sufficient.

Key Takeaways

  • Written reports transform single investigations into permanent organizational knowledge — without them, analysis is lost when the analyst goes off shift
  • Follow a consistent template structure: Executive Summary, Email Details, Header Analysis, Authentication Results, Artifact Analysis, IOC Table, Verdict, Actions, Recommendations, Lessons Learned
  • Write the executive summary last (after completing all analysis) and keep it under 150 words in plain language
  • Defang all IOCs, timestamp everything in UTC, and quote exact evidence — credibility depends on precision
  • State your verdict with a confidence level (HIGH/MEDIUM/LOW) supported by specific indicators, not just opinions
  • Every report should drive at least one actionable recommendation that prevents the same attack from succeeding again
  • Use the quality checklist before every submission — consistency builds trust with stakeholders and improves your program metrics

What's Next

This lesson completes the Phishing Analysis module. You have progressed from recognizing phishing emails to analyzing headers, verifying authentication, extracting artifacts, executing defensive response, and documenting your findings in professional investigation reports. In Lab PH-6, you will write a complete phishing investigation report from scratch using a realistic scenario and the template from this lesson.

Next, you move into Module 5: Network Detection & Forensics, where you shift focus from email-borne threats to network-level detection. You will work with Suricata rules, EveBox alert triage, protocol analysis, and PCAP investigation — building on the same analytical methodology you have mastered in phishing analysis, now applied to network traffic.

Knowledge Check: Phishing Investigation Report Writing

10 questions · 70% to pass

  1. Why is a written phishing investigation report necessary even after the threat has been fully contained?

  2. What is the recommended maximum word count for a phishing report's executive summary, and why?

  3. When should the executive summary be written relative to the rest of the report?

  4. In Lab PH-6, you write a phishing report and include the verdict 'MALICIOUS — Confidence: HIGH.' What makes a verdict HIGH confidence?

  5. What five questions must the executive summary answer?

  6. Why should analysts avoid pasting entire email headers into the report?

  7. In your Lab PH-6 report, you discover the victim organization's DMARC policy is set to p=none. What recommendation should you include?

  8. What common mistake makes a phishing report's verdict unreliable?

  9. The report quality checklist requires that all timestamps use a specific format. What is it and why?

  10. Why should every phishing investigation report include at least one actionable recommendation?
