// case type

phishing campaign investigation

scope a campaign across a victim org — IOC extraction, kit fingerprinting, infrastructure pivoting.

tools: 14
priority: H
processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. phishing email header analyzer: paste email headers · trace delivery hop chain · flag SPF · DKIM · DMARC mismatches · extract sender IPs · detect header injection · identify spoofing · runs locally
  2. phishing URL extractor from email body: drop eml files or paste email body html · extract all urls from email body and headers · decode obfuscated and redirected urls · surface phishing indicators and malicious link patterns · runs locally
  3. email attachment scanner: drop .eml or .msg · extract every attachment · check MIME type vs actual content · flag macro-enabled docs · executables disguised as other formats · export inventory · runs locally
  4. url redirect chain tracer: paste shortened URLs · trace full redirect chain via proxy · detect malicious redirects · show final destination · flag suspicious hops · runs locally
  5. domain reputation analyzer: paste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
  6. ioc extractor: drop any file or paste text · extract indicators of compromise · ips · domains · urls · hashes · emails · cves · export stix · csv · runs locally
  7. ioc deduplicator and normalizer: drop multiple ioc lists from any format · deduplicate · normalize · classify by type · validate format · enrich with context · export in stix csv and plain text formats · runs locally
  8. javascript deobfuscator: paste obfuscated javascript · packed js · fromcharcode · atob · hex unicode · beautify · html script extract · iocs · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. obfuscated url decoder: multi-line urls · percent hex punycode nfkc homoglyph pipeline · auth ip obfuscation flags · step cards · csv export · runs locally
  2. email HTML payload extractor and analyzer: drop eml files · extract html body from mime · analyze html structure for malicious patterns · surface embedded scripts iframes tracking pixels and obfuscated content · runs locally
  3. string deobfuscator: paste obfuscated text or drop a binary · auto-detect and decode XOR · ROT13 · base64 · hex · reverse · stacked layers · runs locally
  4. base64 mass decoder: drop any file or paste text · detect and decode all base64 blobs · recursive decoding · hex decode · URL decode · PowerShell gzip · reveal hidden payloads · runs locally
  5. yara rule tester: paste a yara rule · drop a file · see matches · which strings and conditions triggered · educational · runs locally
  6. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally

// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • phishing campaign — IOC sweep

    7 steps

    drop suspect .eml(s) + exports → header parse → URL/email extract → IOC pull → dedupe → triage → report

    1. 01 evidence-manifest-generator: hash every message export before parsing
    2. 02 email-header-analyzer: parse Received: chain + SPF/DKIM/DMARC for each message
    3. 03 phishing-url-email-extractor: pull obfuscated URLs and contact addresses from HTML bodies
    4. 04 ioc-extractor: extract domains, IPs, and URLs from headers + bodies across the campaign set
    5. 05 ioc-deduplicator-normalizer: merge IOCs across all messages — campaigns usually repeat 5–10 infrastructure items
    6. 06 ioc-bulk-validator: score the merged set; high-severity hits are the ones to block at the mail gateway
    7. 07 case-report-generator: draft a campaign scope report for IR or threat-intel sharing
  • phishing — payload deobfuscate kit

    8 steps

    drop suspect .eml(s) + HTML payloads → header parse → JS deobfuscate → string decode → URL decode → IOC extract → triage → report

    1. 01 evidence-manifest-generator: hash every message + HTML attachment before deobfuscation
    2. 02 phishing-header-analyzer: parse headers for campaign infrastructure pivots
    3. 03 javascript-deobfuscator: deobfuscate embedded JavaScript payloads in HTML bodies
    4. 04 string-deobfuscator: decode obfuscated string arrays and char-code chains
    5. 05 obfuscated-url-decoder: decode hex / unicode / nested redirect URLs from the payload
    6. 06 ioc-extractor: pull domains, IPs, and URLs from deobfuscated payload text
    7. 07 ioc-bulk-validator: score the extracted IOC set for blocking priority
    8. 08 case-report-generator: draft a report linking deobfuscated payloads to campaign infrastructure

// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.
