SOC — May 2026

Phishing Incident Response

SOC triage walkthrough — investigating a credential phishing alert, analyzing email headers, and containing the threat.

Objective

Practice a SOC-style phishing investigation from alert intake to containment. The focus is not just confirming that a message is malicious, but preserving the evidence chain: sender identity, header authentication, URL behavior, affected recipients, endpoint impact, and response actions.

Environment

  • SIEM: Splunk ES-style email gateway review
  • Scope: User-reported credential phishing email
  • Artifacts: Email headers, suspicious URL, recipient list, endpoint check, and IOCs
  • Defensive goal: Confirm exposure, contain the campaign, and leave a reusable investigation note

Alert Overview

  • Alert: Potential Credential Phishing — User Reported Suspicious Email
  • Severity: Medium
  • Source: Splunk ES
  • Assignee: SOC L1

Initial Triage

Email Header Analysis

From: "IT Support" <it-support@rnicrosoft.com>
To: jdoe@company.com
Return-Path: bounce@malicious-c2.xyz
Received: from mail.malicious-c2.xyz ([45.67.89.123])
DKIM: none
SPF: softfail

Red flags identified:

  • Sender domain rnicrosoft.com — typosquatting of microsoft.com
  • Return-Path mismatch with From header
  • DKIM signature missing, SPF softfail
  • Suspicious external IP in Received chain

URL Analysis

The email contained a link to hxxps://login-microsoft365[.]xyz/auth. Sandbox analysis showed a cloned Microsoft login page that harvests submitted credentials.

Investigation

Splunk Query — Email Gateway Logs

index=email sourcetype="email_gateway"
| search recipient="jdoe@company.com"
| eval sender_domain=mvindex(split(sender_email,"@"),1)

Pivoting on the extracted sender domain across all recipients showed that 12 other employees received the same phishing email within a 5-minute window.

Endpoint Check

Checked the user's workstation via EDR for signs of credential entry — no IOC hits. The user reported the email without clicking the link.

Evidence Summary

Evidence         | Finding                          | Analyst Note
-----------------+----------------------------------+-----------------------------------------
Sender domain    | rnicrosoft.com                   | Typosquatting attempt against Microsoft
Authentication   | SPF softfail, no DKIM            | Message failed trust checks
URL              | Cloned Microsoft 365 login page  | Credential harvesting risk
Recipient scope  | 12 additional users              | Campaign-level containment needed
Endpoint review  | No click or IOC hit              | User report prevented compromise

Containment & Response

  1. Deleted emails from all recipient inboxes via Exchange admin
  2. Blocked sender domain and C2 IP at firewall level
  3. Added IOCs to SIEM watchlist
  4. Sent awareness notification to company-wide distribution list

Defensive Takeaway

User reporting shortened the response window. The practical detection lesson is to combine mail authentication failures, sender-domain similarity, URL destination review, and recipient spread into one repeatable triage path.
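The triage path described here, and the header red flags from the Initial Triage section, as an added example in Python (not code from the writeup or from Splunk). It runs over constructed gateway records shaped like the incident above: the sender, Return-Path, SPF/DKIM results and link host are the ones in the note; the extra recipients, timestamps, field names, the protected-brand list, the homoglyph table and the escalation thresholds are assumptions. It folds look-alike sequences such as "rn" back to "m" before comparing the sender domain to protected brands, checks the From/Return-Path mismatch and authentication results, then counts distinct recipients per sender inside a 5-minute window so a campaign is flagged rather than a single message.

```python
# Added example (not the writeup's code): phishing triage over constructed
# mail-gateway records. Field names, thresholds and samples are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

PROTECTED_BRANDS = ["microsoft.com"]  # assumed brand list to protect
# Character sequences used to imitate a letter in look-alike domains (rn -> m, ...).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def normalize_domain(domain):
    """Fold common look-alike sequences back to the letters they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, to catch one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(domain):
    """Return the protected brand a domain imitates, or None if it is clean."""
    d = domain.lower()
    norm = normalize_domain(d)
    for brand in PROTECTED_BRANDS:
        if d == brand:
            continue  # the genuine domain is not a look-alike
        if edit_distance(norm, brand) <= 2:  # rnicrosoft.com -> microsoft.com
            return brand
        if brand.split(".")[0] in norm:  # brand embedded: login-microsoft365.xyz
            return brand
    return None

def header_red_flags(msg):
    """Apply the header checks from the triage note to one gateway record."""
    flags = []
    from_domain = msg["sender"].split("@")[1].lower()
    rp_domain = msg["return_path"].split("@")[1].lower()
    brand = lookalike_brand(from_domain)
    if brand:
        flags.append(f"sender domain {from_domain} imitates {brand}")
    if rp_domain != from_domain:
        flags.append("Return-Path domain does not match From domain")
    if msg["spf"] != "pass":
        flags.append(f"SPF {msg['spf']}")
    if msg["dkim"] != "pass":
        flags.append(f"DKIM {msg['dkim']}")
    link_brand = lookalike_brand(msg.get("url_host", ""))
    if link_brand:
        flags.append(f"link host {msg['url_host']} imitates {link_brand}")
    return flags

def recipient_spread(records, window=timedelta(minutes=5)):
    """Distinct recipients each sender reached within `window` of its first message."""
    by_sender = defaultdict(list)
    for r in records:
        by_sender[r["sender"]].append(r)
    spread = {}
    for sender, msgs in by_sender.items():
        first = min(m["ts"] for m in msgs)
        spread[sender] = {m["recipient"] for m in msgs if m["ts"] - first <= window}
    return spread

def triage(records, spread_threshold=3):
    """One verdict per sender: header flags plus spread; escalate on two or more flags."""
    verdicts = {}
    for sender, recipients in recipient_spread(records).items():
        sample = next(r for r in records if r["sender"] == sender)
        flags = header_red_flags(sample)
        if len(recipients) >= spread_threshold:
            flags.append(f"{len(recipients)} recipients within 5 minutes (campaign)")
        verdicts[sender] = {"flags": flags, "escalate": len(flags) >= 2}
    return verdicts

# Constructed sample: header values follow the incident above; the extra
# recipients and timestamps are invented to exercise the 5-minute window.
_ts = datetime.fromisoformat
PHISH = {"sender": "it-support@rnicrosoft.com", "return_path": "bounce@malicious-c2.xyz",
         "spf": "softfail", "dkim": "none", "url_host": "login-microsoft365.xyz"}
SAMPLE_RECORDS = [
    dict(PHISH, ts=_ts("2026-05-04T09:00:05"), recipient="jdoe@company.com"),
    dict(PHISH, ts=_ts("2026-05-04T09:01:10"), recipient="asmith@company.com"),
    dict(PHISH, ts=_ts("2026-05-04T09:03:40"), recipient="bwong@company.com"),
    dict(PHISH, ts=_ts("2026-05-04T09:45:00"), recipient="ckim@company.com"),  # later wave
    {"ts": _ts("2026-05-04T08:30:00"), "sender": "notifications@microsoft.com",
     "return_path": "notifications@microsoft.com", "spf": "pass", "dkim": "pass",
     "recipient": "jdoe@company.com", "url_host": "microsoft.com"},
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_RECORDS).items():
        print(sender, "ESCALATE" if verdict["escalate"] else "ok", verdict["flags"])
```

The legitimate notifications@microsoft.com record produces no flags, because the genuine brand domain is skipped by the look-alike check and its authentication passes, while the rnicrosoft.com sender collects all five header flags plus the campaign flag. In a real pipeline the records would come from the gateway index queried above, the brand list from the organisation's own domains, and the spread threshold would be tuned to normal mail volume.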

Key Takeaways

  • Typosquatting domains are a common initial indicator
  • SPF/DKIM/DMARC gaps make spoofing easier — push for strict policies
  • User reporting is the most effective detection mechanism for phishing