// first 10 minutes
phishing campaign investigation — quick-start
phishing campaign — first 10 minutes. preserve lures, block kit domains. print this, check boxes, then run the primary tools.
checklist
- pull all reported messages as .eml — do not forward (forwarding rewrites headers).
- export mail gateway quarantine for reported subject lines and sender domains — 14 days back.
- search org mail for the same subject, attachment hash, or url host across all mailboxes.
- preserve one landing page capture (html + js) before the host goes offline.
- expand every shortener url found — record final host and path.
- identify users who clicked — proxy or dns logs if available.
- reset credentials for clickers who submitted the lure form.
- block kit domains and shortener targets at proxy — not just the first reported url.
- open abuse ticket with domain registrar / hosting if infrastructure is fresh.
- begin the primary tool path below.
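The checklist is what the analyst does by hand; the following Python script is an added example (not code from this page or from any of the tools it lists) that does the first part of the tool path offline on one reported .eml: the hop chain from Received headers, the SPF/DKIM/DMARC verdicts from Authentication-Results, From vs Reply-To vs envelope-sender mismatches, every URL in the body with shortener hosts called out, and a hash plus declared-type-vs-magic check for each attachment. The sample message, the shortener list and the magic-byte table are the example's own constructed assumptions.

```python
# Added example, not code from this page or from the tools it lists: an offline
# triage of one reported .eml. Sample message, shortener list and magic table
# are constructed assumptions of the example.
import email
import hashlib
import json
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure (not a real message); in practice read the .eml from disk.
SAMPLE_EML = b"""Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.corp.example (Postfix) with ESMTPS id ABC123;
\tFri, 01 Mar 2024 10:02:11 +0000
Received: from lure-host.example.org (unknown [203.0.113.9])
\tby mx.example.net with ESMTP; Fri, 01 Mar 2024 10:02:09 +0000
Authentication-Results: mx.example.net;
\tspf=fail smtp.mailfrom=it-support.example.org; dkim=none; dmarc=fail header.from=corp.example
From: IT Support <helpdesk@corp.example>
Reply-To: attacker@it-support.example.org
To: user@corp.example
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body>Reset now: <a href="http://bit.ly/3xample">Reset</a>
or https://login.corp-example.org/reset?u=1</body></html>
--B1
Content-Type: application/vnd.ms-excel.sheet.macroEnabled.12
Content-Disposition: attachment; filename="invoice.xlsm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--B1--
"""

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.I)
HREF_RE = re.compile(r"""href=["']([^"']+)["']""", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}   # assumption: hand-kept list
MAGIC = {b"PK\x03\x04": "zip/ooxml", b"MZ": "pe executable",
         b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole2 legacy office"}
MACRO_EXT = (".docm", ".xlsm", ".pptm", ".dotm", ".xlam")


def hop_chain(msg):
    """Each MTA prepends its Received header, so the last one is the first hop."""
    hops = []
    for rec in reversed(msg.get_all("Received", [])):
        rec = str(rec)
        helo = re.search(r"from\s+(\S+)", rec)
        ip = IP_RE.search(rec)
        hops.append({"helo": helo.group(1) if helo else "?", "ip": ip.group(1) if ip else "?"})
    return hops


def auth_results(msg):
    """spf/dkim/dmarc verdicts as recorded by the receiving MTA."""
    verdicts = {}
    for ar in msg.get_all("Authentication-Results", []):
        for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(ar), re.I):
            verdicts[mech.lower()] = res.lower()
    return verdicts


def _domain(addr_header):
    return parseaddr(str(addr_header or ""))[1].rpartition("@")[2].lower()


def sender_mismatches(msg):
    """From vs Reply-To vs envelope sender: display-name spoofing shows up here."""
    from_dom, findings = _domain(msg["From"]), []
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != from_dom:
        findings.append(f"reply-to domain {_domain(msg['Reply-To'])} != from domain {from_dom}")
    for ar in msg.get_all("Authentication-Results", []):
        m = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", str(ar))
        if m and m.group(1).lower() != from_dom:
            findings.append(f"envelope sender domain {m.group(1)} != from domain {from_dom}")
    return findings


def extract_urls(msg):
    urls = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_content()
            urls.update(URL_RE.findall(text))
            urls.update(HREF_RE.findall(text))
    return sorted(urls)


def attachments(msg):
    """Hash every attachment and compare the declared type with the real file magic."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        out.append({"name": name, "declared_type": part.get_content_type(),
                    "magic": next((k for sig, k in MAGIC.items() if data.startswith(sig)), "unknown"),
                    "macro_enabled": name.lower().endswith(MACRO_EXT),
                    "sha256": hashlib.sha256(data).hexdigest()})
    return out


def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = extract_urls(msg)
    return {"subject": str(msg["Subject"]), "hops": hop_chain(msg), "auth": auth_results(msg),
            "mismatches": sender_mismatches(msg), "urls": urls,
            "shorteners": sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname in SHORTENERS}),
            "attachments": attachments(msg)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Run it against each exported .eml and diff the outputs across reports: the same attachment hash or final URL host across mailboxes is the pivot for the org-wide search in the checklist. Only the Authentication-Results and Received lines written by your own gateway are trustworthy; anything below them in the chain was supplied by the sender and can be fabricated.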
primary tools
- 01 phishing email header analyzer: paste email headers · trace delivery hop chain · flag SPF · DKIM · DMARC mismatches · extract sender IPs · detect header injection · identify spoofing · runs locally
- 02 phishing URL extractor from email body: drop eml files or paste email body html · extract all urls from email body and headers · decode obfuscated and redirected urls · surface phishing indicators and malicious link patterns · runs locally
- 03 email attachment scanner: drop .eml or .msg · extract every attachment · check MIME type vs actual content · flag macro-enabled docs · executables disguised as other formats · export inventory · runs locally
- 04 url redirect chain tracer: paste shortened URLs · trace full redirect chain via proxy · detect malicious redirects · show final destination · flag suspicious hops · runs locally
- 05 domain reputation analyzer: paste domains or IPs · score by entropy · TLD risk · homoglyph detection · DGA patterns · punycode abuse · age heuristics · no external lookup · runs locally
- 06 ioc extractor: drop any file or paste text · extract indicators of compromise · ips · domains · urls · hashes · emails · cves · export stix · csv · runs locally
- 07 ioc deduplicator and normalizer: drop multiple ioc lists from any format · deduplicate · normalize · classify by type · validate format · enrich with context · export in stix csv and plain text formats · runs locally
- 08 javascript deobfuscator: paste obfuscated javascript · packed js · fromCharCode · atob · hex unicode · beautify · html script extract · iocs · runs locally
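Tools 05, 06 and 07 above describe offline indicator handling; the following Python script is an added example (not code from this page or from those tools) that shows the same three steps on pasted analyst notes: refang and extract IOCs by type, normalize and deduplicate them, and score each domain with purely local heuristics (punycode, confusable-character lookalikes of a brand list, label entropy). The notes, the brand list, the confusable map and the thresholds are the example's own constructed assumptions.

```python
# Added example, not code from this page or from the tools it lists: extract,
# normalize and deduplicate indicators from free text, then score domains with
# offline heuristics. Sample notes, brand list and thresholds are assumptions.
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed analyst notes (not real indicators). The hash is sha256 of empty
# input and the CVE id is a placeholder.
NOTES = """
lure: hxxps://login-c0rp[.]example/reset?u=1 and http://login-c0rp.example/reset?u=1
kit host also seen as xn--bcher-kva.example, reply-to attacker@evil-example[.]org
sender ips 203[.]0[.]113[.]9 and 203.0.113.9 (same box, once defanged)
payload sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
lure doc references CVE-0000-0001
"""

REFANG = [(r"hxxp", "http"), (r"\[\.\]", "."), (r"\(\.\)", "."), (r"\[@\]", "@"), (r"\[:\]", ":")]
PATTERNS = {
    "urls": re.compile(r"""https?://[^\s"'<>)]+""", re.I),
    "emails": re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "domains": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "cves": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
}
LOWERCASE = {"domains", "emails", "sha256"}          # urls keep their path case
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})


def refang(text):
    """Undo the common defanging conventions so one regex set matches both forms."""
    for pat, rep in REFANG:
        text = re.sub(pat, rep, text, flags=re.I)
    return text


def extract_iocs(text):
    """Return {type: sorted unique indicators}; hostnames in urls/emails count as domains."""
    text = refang(text)
    found = {k: set(p.findall(text)) for k, p in PATTERNS.items()}
    found["domains"] |= {urlparse(u).hostname for u in found["urls"] if urlparse(u).hostname}
    found["domains"] |= {e.rpartition("@")[2] for e in found["emails"]}
    out = {}
    for kind, vals in found.items():
        if kind in LOWERCASE:
            vals = {v.lower() for v in vals}
        elif kind == "cves":
            vals = {v.upper() for v in vals}
        out[kind] = sorted(vals)
    return out


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def score_domain(domain, brands):
    """Offline heuristics only: no DNS, no WHOIS, no reputation feed."""
    labels = domain.lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]   # registrable label, roughly
    flags = []
    if any(l.startswith("xn--") for l in labels):
        try:
            flags.append("punycode:" + domain.encode("ascii").decode("idna"))
        except UnicodeError:
            flags.append("punycode:undecodable")
    lookalike = label.translate(CONFUSABLES).replace("-", "")
    for brand in sorted(brands):
        if brand in lookalike and label != brand:
            flags.append(f"lookalike:{brand}")
    ent = shannon_entropy(label)
    if ent > 3.5 and len(label) >= 12:        # assumption: rough DGA-style threshold
        flags.append("high-entropy")
    return {"domain": domain, "label": label, "entropy": round(ent, 2), "flags": flags}


def triage_domains(text, brands):
    """Extract, then score every domain; most-flagged first."""
    scored = [score_domain(d, brands) for d in extract_iocs(text)["domains"]]
    return sorted(scored, key=lambda s: -len(s["flags"]))


if __name__ == "__main__":
    for row in triage_domains(NOTES, {"corp"}):   # "corp" stands in for your own brand names
        print(row)
```

The lookalike check is deliberately loose (any label that contains a brand after confusable mapping), so feed it an allowlist of the domains your org actually owns before acting on its output; it is a sorting aid for the block list in the checklist, not a verdict.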