Analyzing Phishing Emails: A Practical SOC Analyst Guide to URLs, Attachments, and Threat Intelligence

Feb 10, 2026

Phishing remains one of the most effective and widely used attack vectors in modern cyber threats. From credential harvesting to malware delivery and financial fraud, attackers rely on deceptive emails to bypass technical controls and exploit human trust.

For Security Operations Center (SOC) analysts, the ability to safely analyze phishing emails, extract relevant indicators, and determine impact is a foundational skill. This article provides a step-by-step, real-world guide to phishing analysis, combining manual techniques, automated tools, and industry best practices.

Understanding the Email Body as an Attack Vector

Once an email is flagged as suspicious, analysis should begin with the email body. This is typically where the malicious payload is delivered, either through:

  • Embedded hyperlinks
  • Malicious attachments

Attackers frequently disguise these elements using trusted branding, urgency, or social engineering techniques to encourage interaction.

Manually Extracting Hyperlinks from Emails

Before interacting with any links, analysts must extract the destination safely. The most common manual method is to:

  • Right-click the hyperlink
  • Select “Copy Link Location” or “Copy Link Address”
  • Paste the URL into a text editor for inspection

This avoids accidental execution and reveals the true destination, which is often hidden behind misleading anchor text. Links can also be extracted from HTML-formatted emails or raw email headers.

Extracting URLs Using Automated Tools

For emails containing multiple links or encoded content, automated tools can streamline extraction. Commonly used options include:

  • URL Extractor (convertcsv.com): Paste raw headers or email content to extract URLs automatically.
  • CyberChef: Use the "Extract URLs" recipe for bulk or encoded data. https://gchq.github.io/CyberChef/

A critical step after extraction is identifying the root domain of each URL. While full URLs may change frequently, root domains and infrastructure are often reused across campaigns.

Analyzing URLs and Domains for Reputation

Once URLs are extracted, their reputation and behavior must be assessed using threat intelligence and sandbox platforms.

  • ANY.RUN: An interactive sandbox allowing analysts to observe live execution of URLs and files. https://any.run/
  • Hybrid Analysis: Provides static and dynamic analysis with threat scoring and behavioral indicators. https://hybrid-analysis.com/
  • Joe Sandbox: Enterprise-grade sandbox offering deep behavioral, network, and file analysis. https://www.joesandbox.com/

These tools help determine whether a URL leads to credential harvesting, malware delivery, or command-and-control activity.

Phishing-Specific Intelligence Platforms

  • PhishTool: Designed specifically for phishing investigations and SOC workflows, supporting analysis, classification, and reporting. phishtool.com
  • PhishTank: A community-driven phishing database useful for validating known phishing URLs and campaigns. https://www.phishtank.com/

Analyzing Email Infrastructure and Sender Reputation

  • MXToolbox: Used to analyze email headers, sending IP reputation, and SPF, DKIM, and DMARC configurations. https://mxtoolbox.com/
  • Spamhaus: Provides authoritative blocklists for spam, phishing, and malware-related infrastructure. https://www.spamhaus.org/

Infrastructure analysis often reveals spoofed domains, abused mail servers, or newly registered sending hosts.

Handling and Analyzing Email Attachments Safely

If a suspicious email contains an attachment, it must be handled with care. Recommended steps include:

  • Do not open the file.
  • Save it using a secure mail client (e.g., Thunderbird).
  • Calculate its cryptographic hash.

Example SHA-256 hash generation:

sha256sum suspicious_document.doc

Hashes allow analysts to check file reputation without executing the attachment.
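As an added example (not code from the article or from any tool it names), the Python script below does what the manual URL-extraction and attachment-hashing steps above describe: it pulls every URL out of the HTML and plain-text parts of a raw .eml, flags anchor text that displays one URL while the href points somewhere else, reduces each URL to its root domain, and hashes each attachment with SHA-256 without opening it. The message, its domains and the attachment bytes are constructed, and the root-domain rule is a two-label simplification of the Public Suffix List.

```python
import email.policy
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample message (not a real capture); the attachment body is the dummy bytes b"abc".
RAW_EML = """\
From: "IT Support" <support@example-mail.test>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please <a href="https://login.example-mail.test/verify?id=1">https://portal.company.com/login</a> now.</p>
<p>Or visit http://203.0.113.10/update</p>
--b1
Content-Type: application/msword; name="Account_Recovery_Form.doc"
Content-Disposition: attachment; filename="Account_Recovery_Form.doc"
Content-Transfer-Encoding: base64

YWJj
--b1--
"""
HREF_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+')

def root_domain(host):
    # Assumption: registrable domain = last two labels; production tooling consults the Public Suffix List.
    return host if host.replace(".", "").isdigit() else ".".join(host.lower().split(".")[-2:])

def defang(url):
    return url.replace("http", "hxxp").replace(".", "[.]")

def analyze_eml(raw):
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = {"urls": [], "mismatches": [], "attachments": []}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            # Hash the decoded bytes only; the attachment is never opened or rendered.
            findings["attachments"].append((part.get_filename(), hashlib.sha256(part.get_payload(decode=True)).hexdigest()))
        elif part.get_content_type() in ("text/html", "text/plain"):
            body = part.get_content()
            for href, text in HREF_RE.findall(body):
                shown = URL_RE.search(text)  # anchor text displays one URL while href goes elsewhere
                if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
                    findings["mismatches"].append((shown.group(), href))
            for url in URL_RE.findall(body):
                if url not in [u for u, _ in findings["urls"]]:
                    findings["urls"].append((url, root_domain(urlparse(url).hostname)))
    return findings
```

Run defang() over the collected values before pasting them into a ticket or chat; the raw values are what go into the blocklist.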

File Reputation and Malware Intelligence

Submitting the hash to a file reputation platform such as VirusTotal (listed under Threat Intelligence Correlation below) helps determine whether an attachment is a known malicious file or part of an emerging campaign.

What a SOC Analyst Should Collect During Phishing Analysis

Beyond identifying malicious content, SOC analysts must collect actionable indicators that support detection, response, and prevention.

Email Header Indicators

  • Sender and reply-to addresses
  • Display name mismatches
  • Sending IP addresses
  • Mail server chain
  • SPF, DKIM, and DMARC results
  • Timestamps and anomalies
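The header checks listed above, as an added Python example that is not part of the article: it reads the Authentication-Results, From, Reply-To, Return-Path and Received headers, records which of SPF, DKIM and DMARC failed, extracts the sending IP, and tests the sender domain and display name for brand impersonation by character substitution. The headers reuse the sample values from the report at the end of this article; the homoglyph map and the PROTECTED_BRANDS list are assumptions to replace with your own.

```python
import email.policy
import re
from email.utils import parseaddr

# Constructed headers mirroring the sample report later on this page (not a real capture).
RAW_HEADERS = """\
Return-Path: <support@micros0ft-secure.com>
Received: from mail.micros0ft-secure.com (mail.micros0ft-secure.com [185.234.219.88]) by mx.company.com
Authentication-Results: mx.company.com; spf=fail smtp.mailfrom=micros0ft-secure.com; dkim=fail; dmarc=fail header.from=micros0ft-secure.com
From: "Microsoft Security Team" <support@micros0ft-secure.com>
Reply-To: support@micros0ft-secure.com

"""
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Assumption: a small look-alike character map and protected-brand list; real deployments use larger sets.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})
PROTECTED_BRANDS = ("microsoft", "company")

def registrable_label(domain):
    # Normalise look-alike characters, then take the label left of the TLD (single-label TLDs assumed).
    labels = domain.lower().translate(HOMOGLYPHS).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def impersonated_brand(domain):
    # A brand name that appears somewhere in the domain without the domain actually being that brand's.
    reg = registrable_label(domain)
    hay = domain.lower().translate(HOMOGLYPHS)
    return next((b for b in PROTECTED_BRANDS if b != reg and b in hay), None)

def triage_headers(raw):
    msg = email.message_from_string(raw, policy=email.policy.default)
    display, sender = parseaddr(msg.get("From", ""))
    from_domain = sender.rsplit("@", 1)[-1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    ip = IP_RE.search(msg.get("Received", ""))
    reg = registrable_label(from_domain)
    return {
        "from_domain": from_domain,
        "sending_ip": ip.group(1) if ip else None,
        "auth_failures": sorted(k for k, v in auth.items() if v != "pass"),
        "reply_to_mismatch": bool(reply_to) and reply_to != sender.lower(),
        "return_path_mismatch": bool(return_path) and return_path.rsplit("@", 1)[-1] != from_domain,
        "brand_impersonation": impersonated_brand(from_domain),
        # Display name claims a protected brand that the sending domain does not belong to.
        "display_name_mismatch": any(b in display.lower() and b != reg for b in PROTECTED_BRANDS),
    }
```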

URL and Domain Indicators

  • Full URLs and root domains
  • Subdomains and redirect chains
  • URL shorteners and embedded IPs

Attachment Indicators

  • File names and extensions
  • File type and size
  • Cryptographic hashes (SHA-256)
  • Macro or script presence
  • Archive or password protection

Network & Infrastructure Indicators

  • Hosting IP addresses and ASN
  • Domain age and WHOIS data
  • TLS/SSL certificate details
  • Geolocation of infrastructure

Social Engineering Indicators

  • Impersonated brand or service
  • Urgency or fear-based language
  • Requests for credentials or payments
  • Grammar or formatting anomalies
  • Mismatch between branding and domain

Threat Intelligence Correlation

  • VirusTotal detections
  • Talos reputation scores
  • Spamhaus listings
  • PhishTank status
  • Sandbox behavioral reports

Incident Context

  • Affected user accounts
  • Time of receipt
  • Whether links were clicked
  • Whether attachments were opened
  • Credential submission confirmation

Threat Hunting After User Interaction and Remediation

When a user has already interacted with a phishing email, such as clicking a link, opening an attachment, or submitting credentials, the investigation does not stop at containment. At this stage, the SOC shifts from triage into threat hunting mode to determine whether the activity led to deeper compromise.

The goal is to identify persistence, lateral movement, or secondary payloads that may not be immediately visible.

Establishing the Scope of User Interaction

The first step is confirming exactly what actions the user took. Key questions to answer:

  • Did the user click the link or multiple links?
  • Was an attachment opened or executed?
  • Were credentials entered into a phishing page?
  • Was the interaction repeated from multiple devices or locations?

This information defines the scope of the hunt and helps prioritize systems and logs.

Endpoint Threat Hunting Activities

If a user clicked a phishing link or opened an attachment, endpoint telemetry becomes critical. Analysts should hunt for:

  • New or suspicious processes spawned after interaction
  • Command-line activity linked to script interpreters (PowerShell, cmd, wscript)
  • Files written to temporary or user-writable directories
  • Persistence mechanisms such as scheduled tasks, registry run keys, startup folders
  • Unusual parent-child process relationships

If EDR is available, analysts should pivot from the user account, timestamp of interaction, and file hash or URL. Any anomalies should be isolated and escalated immediately.
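An added example, not from the article: a small Python hunt over constructed process-creation telemetry that applies the endpoint checks above, limited to the window after the user's interaction. It flags script interpreters whose ancestor chain includes an Office application, command lines that reference user-writable directories, and registry Run key, scheduled-task or Startup-folder persistence markers. The process names, paths and EVENTS records are constructed, and the 24-hour window and five-level ancestor walk are assumptions.

```python
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = (r"\appdata\local\temp", r"\users\public")
PERSISTENCE_MARKERS = (r"\currentversion\run", "schtasks", r"\startup")

# Constructed process-creation telemetry from one host; the user opened the attachment at 10:20.
EVENTS = [
    {"ts": "2026-02-09T09:55:00", "pid": 3900, "ppid": 800, "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2026-02-09T10:20:05", "pid": 4100, "ppid": 800, "image": "WINWORD.EXE",
     "cmdline": r'WINWORD.EXE "C:\Users\user\Downloads\Account_Recovery_Form.doc"'},
    {"ts": "2026-02-09T10:20:31", "pid": 4212, "ppid": 4100, "image": "cmd.exe",
     "cmdline": r"cmd.exe /c powershell.exe -w hidden -File C:\Users\user\AppData\Local\Temp\update.ps1"},
    {"ts": "2026-02-09T10:20:32", "pid": 4230, "ppid": 4212, "image": "powershell.exe",
     "cmdline": r"powershell.exe -w hidden -File C:\Users\user\AppData\Local\Temp\update.ps1"},
    {"ts": "2026-02-09T10:20:40", "pid": 4301, "ppid": 4230, "image": "reg.exe",
     "cmdline": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\user\AppData\Local\Temp\update.ps1"},
    {"ts": "2026-02-09T10:21:10", "pid": 4400, "ppid": 800, "image": "chrome.exe", "cmdline": "chrome.exe"},
]

def hunt_endpoint(events, interaction_ts, window_hours=24):
    """Return (pid, rule, detail) tuples for events inside the window after the user's interaction."""
    start = datetime.fromisoformat(interaction_ts)
    end = start + timedelta(hours=window_hours)
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not start <= datetime.fromisoformat(e["ts"]) <= end:
            continue  # pivot on the interaction timestamp, as the text recommends
        # Walk up the parent chain (bounded) to see whether an Office app is an ancestor.
        ancestors, parent = [], by_pid.get(e["ppid"])
        while parent and len(ancestors) < 5:
            ancestors.append(parent["image"].lower())
            parent = by_pid.get(parent["ppid"])
        cmd = e["cmdline"].lower()
        if e["image"].lower() in SCRIPT_HOSTS and OFFICE_APPS & set(ancestors):
            findings.append((e["pid"], "office_spawned_script_host", " <- ".join(ancestors)))
        if any(p in cmd for p in USER_WRITABLE):
            findings.append((e["pid"], "user_writable_path", e["image"]))
        if any(m in cmd for m in PERSISTENCE_MARKERS):
            findings.append((e["pid"], "persistence_marker", e["image"]))
    return findings

for finding in hunt_endpoint(EVENTS, "2026-02-09T10:20:00"):
    print(finding)
```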

Network Threat Hunting Activities

Phishing often serves as the initial access vector for further network activity. Analysts should hunt for:

  • Outbound connections to known malicious IPs or domains
  • DNS queries to newly registered or suspicious domains
  • Beaconing behavior or repeated callback traffic
  • SSL connections with uncommon certificate issuers
  • Connections outside normal geographic patterns for the user

Network logs can reveal delayed payload retrieval or command-and-control communication that occurs hours or days after the initial click.

Identity and Authentication Threat Hunting

If credential submission is suspected or confirmed, identity-based hunting becomes a priority. Analysts should review:

  • Failed and successful login attempts after the phishing event
  • Logins from unfamiliar IP addresses or countries
  • Impossible travel scenarios
  • MFA bypass attempts or MFA fatigue activity
  • Privilege escalation or role changes

In these cases, credentials must be considered compromised until proven otherwise.
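The identity checks above, as an added Python example (not part of the article) run over constructed sign-in records: it reports source IPs first seen after the phishing email arrived, consecutive successful sign-ins whose implied travel speed is impossible (haversine distance over elapsed time), and bursts of denied MFA prompts that suggest MFA fatigue. The lat/lon fields, the 900 km/h threshold and the MFA result values are assumptions about what an identity provider's logs expose.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events for the affected account; lat/lon are assumed to come from the IdP's geo enrichment.
SIGNINS = [
    {"ts": "2026-02-09T08:02:00", "ip": "198.51.100.7", "lat": 51.50, "lon": -0.12, "result": "success", "mfa": "approved"},
    {"ts": "2026-02-09T10:30:00", "ip": "198.51.100.7", "lat": 51.50, "lon": -0.12, "result": "success", "mfa": "approved"},
    {"ts": "2026-02-09T11:00:00", "ip": "203.0.113.42", "lat": 55.75, "lon": 37.62, "result": "failure", "mfa": "denied"},
    {"ts": "2026-02-09T11:01:00", "ip": "203.0.113.42", "lat": 55.75, "lon": 37.62, "result": "failure", "mfa": "denied"},
    {"ts": "2026-02-09T11:02:00", "ip": "203.0.113.42", "lat": 55.75, "lon": 37.62, "result": "failure", "mfa": "denied"},
    {"ts": "2026-02-09T11:05:00", "ip": "203.0.113.42", "lat": 55.75, "lon": 37.62, "result": "success", "mfa": "approved"},
    {"ts": "2026-02-09T12:00:00", "ip": "198.51.100.7", "lat": 51.50, "lon": -0.12, "result": "success", "mfa": "approved"},
]

def when(e):
    return datetime.fromisoformat(e["ts"])

def km_between(a, b):
    # Great-circle distance (haversine) between two geolocated events.
    lat1, lon1, lat2, lon2 = (radians(x) for x in (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def hunt_identity(events, phishing_ts, max_kmh=900, fatigue_count=3, fatigue_window_min=10):
    """Return (rule, detail) findings for the account after the phishing email arrived."""
    cutoff = datetime.fromisoformat(phishing_ts)
    events = sorted(events, key=when)
    findings = []
    # 1. Source IPs that only appear after the phishing email was received.
    before = {e["ip"] for e in events if when(e) < cutoff}
    for ip in sorted({e["ip"] for e in events if when(e) >= cutoff} - before):
        findings.append(("new_source_ip", ip))
    # 2. Impossible travel: consecutive successful sign-ins implying a speed no traveller can reach.
    successes = [e for e in events if e["result"] == "success"]
    for a, b in zip(successes, successes[1:]):
        hours = (when(b) - when(a)).total_seconds() / 3600
        if hours > 0 and km_between(a, b) / hours > max_kmh:
            findings.append(("impossible_travel", f"{a['ip']} -> {b['ip']}"))
    # 3. MFA fatigue: a burst of denied push prompts inside a short window.
    denied = [when(e) for e in events if e["mfa"] == "denied"]
    for i in range(len(denied) - fatigue_count + 1):
        if (denied[i + fatigue_count - 1] - denied[i]).total_seconds() <= fatigue_window_min * 60:
            findings.append(("mfa_fatigue", denied[i].isoformat()))
            break
    return findings

for finding in hunt_identity(SIGNINS, "2026-02-09T10:14:00"):
    print(finding)
```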

Email Environment Threat Hunting

Threat actors often reuse compromised accounts to expand access. Analysts should hunt for:

  • Suspicious inbox rules or mail forwarding rules
  • Emails sent from the affected account
  • Similar phishing emails delivered internally
  • Lookalike domains targeting other users

This step helps identify lateral phishing or internal propagation.

Remediation Actions During Threat Hunting

Threat hunting and remediation should happen in parallel when risk is confirmed. Typical remediation actions include:

  • Isolating affected endpoints
  • Forcing password resets and token revocation
  • Invalidating active sessions
  • Blocking malicious domains, URLs, and IPs
  • Removing malicious files and persistence mechanisms
  • Deleting malicious inbox rules

Remediation should always be logged and mapped to confirmed indicators.

Validation and Post-Remediation Monitoring

After remediation, analysts should continue monitoring for:

  • Reappearance of IOCs
  • Repeated login attempts
  • New outbound connections to known infrastructure
  • Reuse of previously blocked indicators

This confirms whether the threat has been fully eradicated or if the attacker retained access.

Documentation and Intelligence Feedback

Threat hunting findings should be documented clearly and shared with detection and engineering teams. Key outputs include:

  • New IOCs discovered during hunting
  • Behavioral patterns observed
  • Gaps in detection or visibility
  • Recommendations for new alerts or rules

This ensures future phishing attempts are detected earlier and handled more efficiently.

Closing Perspective

When a user has interacted with a phishing email, the incident should always be treated as a potential intrusion, not just an email security issue. Effective threat hunting bridges the gap between initial detection and full incident response, ensuring attackers do not maintain hidden access.

This mindset is what separates basic alert handling from mature SOC operations.

Best Practices for SOC Phishing Investigations

  • Never click links directly from suspicious emails.
  • Always extract and analyze URLs first.
  • Validate both full URLs and root domains.
  • Hash attachments before analysis.
  • Use multiple intelligence sources.
  • Document and share indicators with detection teams.

Closing Thoughts

Phishing analysis is not just about identifying a malicious email. It is about building intelligence, understanding attacker behavior, and strengthening defenses across the organization. While some of this is automated in mature SOCs, knowing these tools and techniques is essential. Next, we will look at how to structure a phishing incident analysis report.

Phishing Incident Analysis Report

1. Incident Overview

Incident ID: PHISH-2026-001

Date Reported: 2026-02-10

Reported By: End User / Automated Email Gateway

Analyst: SOC Analyst

Severity: High

Status: Confirmed Phishing

Summary: A suspicious email was reported by a user claiming to be from a trusted organization. Analysis confirmed the email was a phishing attempt designed to harvest user credentials through a malicious URL.

2. Email Metadata

Sender Display Name: Microsoft Security Team

Sender Email Address: support@micros0ft-secure[.]com

Reply-To Address: support@micros0ft-secure[.]com

Recipient(s): user@company.com

Subject Line: Urgent Action Required: Account Compromise

Date & Time Received: 2026-02-09 10:14 UTC

3. Header Analysis

Sending IP Address: 185.234.219.88

Sending Domain: micros0ft-secure[.]com

Return-Path: support@micros0ft-secure[.]com

Authentication Results: SPF: Fail, DKIM: Fail, DMARC: Fail

Observations: Domain impersonates a legitimate brand using character substitution. Sending IP is not associated with legitimate Microsoft infrastructure. Authentication failures indicate spoofing.

4. URL Analysis

Extracted URL: https://login.micros0ft-secure[.]com/verify/account

Reputation Checks: VirusTotal: Flagged. PhishTank: Listed. Spamhaus: Domain associated with phishing.

Root Domain: micros0ft-secure[.]com (Newly registered)

5. Attachment Analysis

Attachment Name: Account_Recovery_Form.doc

SHA256 Hash: c650f397a9193db6a2e1a273577d8d84c5668d03c06ba99b17e4f6617af4ee83

Analysis Results: Detected as malicious by VirusTotal. Contains macros consistent with malware downloaders.

6. Mitigation & Response

Actions Taken: Email quarantined. Domain and IP blocked. User notified and password reset enforced. IOCs shared with detection engineering.

7. Final Classification

Incident Type: Phishing

Phishing Category: Credential Harvesting

Threat Level: High

8. Analyst Notes

This phishing attempt relied on domain impersonation and urgency-based social engineering. While no confirmed compromise occurred in this case, the campaign demonstrates common techniques used in large-scale phishing operations. Preventive controls and user awareness remain critical.