investigating-phishing-email-incident

# Investigating Phishing Email Incident ## When to Use Use this skill when: - A user reports a suspicious email via the phishing report button or helpdesk ticket - Email security gateway flags a message that bypassed initial filters - Automated detection identifies credential harvesting URLs or malicious attachments - A phishing campaign targeting the organization requires scope assessment **Do not use** for spam or marketing emails without malicious intent — route those to email administration for filter tuning. ## Prerequisites - Access to email gateway logs (Proofpoint, Mimecast, or Microsoft Defender for Office 365) - Splunk or SIEM with email log ingestion (O365 Message Trace, Exchange tracking logs) - Sandbox access (Any.Run, Joe Sandbox, or Hybrid Analysis) for URL/attachment detonation - Microsoft Graph API or Exchange Admin Center for email search and purge operations - URLScan.io and VirusTotal API keys ## Workflow ### Step 1: Extract and Analyze Email Headers Obtain the full email headers (`.eml` file) from the reported message: ```python import email from email import policy with open("phishing_sample.eml", "rb") as f: msg = email.message_from_binary_file(f, policy=policy.default) # Extract key headers print(f"From: {msg['From']}") print(f"Return-Path: {msg['Return-Path']}") print(f"Reply-To: {msg['Reply-To']}") print(f"Subject: {msg['Subject']}") print(f"Message-ID: {msg['Message-ID']}") print(f"X-Originating-IP: {msg['X-Originating-IP']}") # Pars...