// runnable playbook

phishing campaign investigation

scope a campaign across a victim org — IOC extraction, kit fingerprinting, infrastructure pivoting.

a guided path, not automation — each step opens a tool you run yourself; nothing uploads. progress is saved only in this browser.

// based on the curated pipeline

wraps the phishing campaign — IOC sweep preset — drop suspect .eml(s) + exports → header parse → URL/email extract → IOC pull → dedupe → triage → report

methodology guide →worked example →full tool list + 3 more pipelines →

guided steps

0/7 done

01
evidence manifest generator
hash every message export before parsing
open tool →methodology
your note (local only)
02
email header analyzer
parse Received: chain + SPF/DKIM/DMARC for each message
open tool →methodology
your note (local only)
03
phishing URL extractor from email body
pull obfuscated URLs and contact addresses from HTML bodies
open tool →methodology
your note (local only)
04
ioc extractor
extract domains, IPs, and URLs from headers + bodies across the campaign set
suggested options · format: json · aggregate: true
open tool →methodology
your note (local only)
05
ioc deduplicator and normalizer
merge IOCs across all messages — campaigns usually repeat 5–10 infrastructure items
suggested options · lowercase: true · dropPrivate: false
open tool →methodology
your note (local only)
06
ioc bulk validator & triage
score the merged set; high-severity hits are the ones to block at the mail gateway
open tool →methodology
your note (local only)
07
case report generator
draft a campaign scope report for IR or threat-intel sharing
suggested options · title: phishing campaign — IOC sweep
open tool →methodology
your note (local only)

when you're done

export a run summary — a small JSON record of which steps you marked done, your notes, and a self-hash so the record can't be silently altered. it is your reproducibility note, not a per-tool receipt: each tool emits its own input→output receipt when you run it.