Module 4: Phishing Analysis & Email Security
The #1 attack vector. Learn to dissect it.
Lessons
Email Anatomy & Header Analysis
Email structure, headers, envelope vs content, received chains, X-headers
SPF, DKIM & DMARC Authentication
How email authentication works, reading authentication results, identifying spoofing
Phishing Types, Tactics & Techniques
Credential harvesters, drive-by downloads, BEC, spear phishing, typosquatting, homographs
Artifact Extraction & Analysis
Extracting sender, URLs, attachments, hashes; analyzing with VirusTotal, URLScan, AbuseIPDB, CyberChef
Defensive Measures & Response
Blocking artifacts, email security controls, immediate response process, reporting
Phishing Investigation Report Writing
Structured phishing report: header analysis, artifacts, verdict, defensive actions, lessons learned
Labs
Lab PH.1 — Email Header Dissection
Analyze raw email headers using MXToolbox Header Analyzer — trace Received chains, evaluate SPF/DKIM/DMARC results, identify originating IPs, and detect spoofing indicators across two email samples.
Lab PH.2 — Email Authentication Check
Query and interpret SPF, DKIM, and DMARC DNS records using MXToolbox — compare authentication postures across domains and evaluate five real-world email authentication scenarios.
Lab PH.3 — Classify the Phish
Analyze five email scenarios and classify each as spam, phishing, spear phishing, BEC, or legitimate — documenting evidence chains and recommended SOC response actions for each.
Lab PH.4 — Artifact Extraction & IOC Analysis
Extract IOCs from a phishing campaign and analyze them using VirusTotal, URLScan.io, and AbuseIPDB — build a blocklist-ready intelligence report with 13 indicators across 6 IOC types.
Lab PH.5 — Phishing Response
Investigate a phishing incident in Wazuh — trace the attack chain from initial brute force through reverse shell execution, privilege escalation, and lateral movement across 4 agents with 505 pre-loaded alerts.
Lab PH.6 — Write the Phishing Report
Write a formal phishing incident report using a professional template — compile findings from all previous labs into an executive summary, timeline, IOC appendix, and lessons learned document.