IR-001 · email-security · v1.0.0

Phishing Email Investigation

⚠️ medium · ⚠️ high
Est. Time: 30m
📋 Steps: 12 steps
🔧 Tools: 5 required
🔗 Integrations: 5 platforms
📊 Avg Resolution: 45m

🔧 Tools Required

email gateway, EDR, SIEM, threat intelligence platform, URL sandbox

⚡ Triggers

email_security_alert, user_reported_phishing, anti-phishing_gateway_block, siem_correlation_rule

🔌 Integrations

[req] defender for o365 — Microsoft Defender for Office 365 — Threat Explorer and quarantine management

[opt] proofpoint tap — Proofpoint Targeted Attack Protection — alternative email security gateway

[opt] crowdstrike falcon — Endpoint telemetry for recipients who may have clicked links

[opt] splunk — Correlation across email, proxy, and endpoint logs

[req] virustotal — URL and hash reputation lookups for IOC extraction


Review the original alert or user report. Determine if this is a bulk phishing campaign, targeted spearphishing, or Business Email Compromise (BEC). Check the sender domain age, SPF/DKIM/DMARC alignment, and reply-to address. Flag BEC indicators (executive impersonation, finance-themed lures, urgency language).

⚡ Automation Hint

Microsoft Defender for O365 — Threat Explorer: GET https://graph.microsoft.com/v1.0/security/threatIntelligence/hosts/{hostId}

Proofpoint TAP: GET https://tap-api-v2.proofpoint.com/v2/siem/messages/blocked?sinceSeconds=3600

📤 Outputs

email_id, sender_address, sender_ip, email_classification, recipient_list
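The header checks this step calls for (SPF/DKIM/DMARC verdicts and their alignment with the From domain, Reply-To mismatch, executive-impersonation and finance/urgency lures) can be scripted against the raw message before an analyst opens it. The following is an added example, not code from the playbook or from any of the listed integrations: it parses a constructed sample message with Python's standard `email` library and returns the triage fields this step expects. The `Authentication-Results` line, the addresses and the lure/title word lists are constructed for illustration; the classification labels are illustrative, and the sender domain age check is omitted because it needs an external WHOIS/RDAP lookup.

```python
"""Triage a raw email for the header and BEC indicators checked in this step."""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample message (not a real email). The Authentication-Results header
# mimics what an inbound gateway stamps: SPF and DKIM pass for the relay domain,
# but neither aligns with the From domain, so DMARC fails.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-relay.example; dkim=pass header.d=mail-relay.example; dmarc=fail header.from=corp.example
From: "Jane Doe, CEO" <jane.doe@corp.example>
Reply-To: <jane.ceo.office@freemail.example>
To: accounts-payable@corp.example
Subject: URGENT: wire transfer needed before end of day
Message-ID: <abc123@mail-relay.example>

Please process the attached invoice immediately. I am in a meeting and cannot talk.
"""

# Illustrative lure vocabulary and impersonated titles (constructed; tune to your environment).
BEC_LURE_TERMS = ("urgent", "wire transfer", "invoice", "payment", "gift card", "immediately")
EXEC_TITLES = ("ceo", "cfo", "president", "director")


def domain_of(value: str) -> str:
    """Lower-cased domain of an address, or the value itself if it is already a bare domain."""
    return value.rsplit("@", 1)[-1].strip().lower()


def parse_auth_results(value: str) -> dict:
    """Pull spf/dkim/dmarc verdicts and the domains they were evaluated against."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value)
        if m:
            results[method] = m.group(1).lower()
    m = re.search(r"smtp\.mailfrom=([\w.@-]+)", value)
    if m:
        results["spf_domain"] = domain_of(m.group(1))   # envelope-from (MAIL FROM) domain
    m = re.search(r"header\.d=([\w.-]+)", value)
    if m:
        results["dkim_domain"] = m.group(1).lower()     # DKIM signing domain (d=)
    return results


def triage(raw: str) -> dict:
    """Classify one message and return the fields this playbook step outputs."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    from_dom = domain_of(from_addr)

    findings = []
    # Alignment: DMARC requires the SPF or DKIM domain to match the visible From domain.
    if auth.get("spf") != "pass":
        findings.append("spf_" + auth.get("spf", "missing"))
    elif auth.get("spf_domain") and auth["spf_domain"] != from_dom:
        findings.append("spf_unaligned")
    if auth.get("dkim") != "pass":
        findings.append("dkim_" + auth.get("dkim", "missing"))
    elif auth.get("dkim_domain") and auth["dkim_domain"] != from_dom:
        findings.append("dkim_unaligned")
    if auth.get("dmarc") != "pass":
        findings.append("dmarc_" + auth.get("dmarc", "missing"))
    # A Reply-To on a different domain than From diverts the conversation to the attacker.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply_to_mismatch")

    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    lures = [t for t in BEC_LURE_TERMS if t in subject or t in body]
    exec_impersonation = any(t in from_name.lower() for t in EXEC_TITLES)

    # Illustrative labels: BEC needs an impersonated executive, a money/urgency lure and a
    # header anomaly; anything else with an auth finding is generic phishing.
    if exec_impersonation and lures and ("reply_to_mismatch" in findings or "dmarc_fail" in findings):
        classification = "bec"
    elif findings:
        classification = "phishing"
    else:
        classification = "no_header_findings"

    return {
        "email_id": str(msg.get("Message-ID", "")).strip("<>"),
        "sender_address": from_addr,
        "sender_domain": from_dom,
        "reply_to": reply_addr,
        "return_path": return_path,
        "recipient_list": [a for _, a in getaddresses([str(msg.get("To", ""))])],
        "auth": auth,
        "findings": findings,
        "lures": lures,
        "email_classification": classification,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_EMAIL).items():
        print(f"{k}: {v}")
```

The `sender_ip` output comes from the topmost trusted `Received:` header or the gateway's own record rather than from the headers shown here, so it is left to the gateway API calls in the automation hint.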