Every phishing investigation I conduct follows the same structured methodology. Here is exactly how I work through a suspicious email from first report to final incident documentation.
Before touching anything, I assess the alert context. What user reported it? What time was it received? Does the subject line use urgency language? I check our SIEM for any correlated events from the same timeframe.
The header tells the real story. I look at: the Return-Path (the actual envelope sender versus the From display name), the SPF/DKIM/DMARC results in Authentication-Results, the Received header chain (each relay hop and its IP), and X-Originating-IP. A DMARC FAIL behind a convincing display name is the most common pattern I see.
I never click links directly. I extract URLs and submit them to VirusTotal, URLScan.io, and if needed Any.run sandbox for full detonation. I check the domain registration date — anything under 30 days old is automatically suspicious.
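As an added illustration that is not part of the original write-up, the script below automates the header checks and URL extraction described above: it compares Return-Path with the From domain, pulls the SPF/DKIM/DMARC verdicts out of Authentication-Results, walks the Received chain to the originating IP, and lists body URLs for submission to the lookup services named above rather than opening them. The sample message, its domains and its IPs are constructed placeholders; registration-date and sandbox checks are left to those external services because they need network access.

```python
"""Header triage for a reported phishing email (added example, not the author's tooling).
Checks Return-Path vs From, SPF/DKIM/DMARC, the Received chain and body URLs."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample; every domain and IP is a documentation placeholder.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-sender.invalid>
Received: from mx.relay.invalid (mx.relay.invalid [203.0.113.5])
 by inbound.corp.example; Mon, 1 Jan 2024 09:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
 by mx.relay.invalid; Mon, 1 Jan 2024 08:59:58 +0000
Authentication-Results: inbound.corp.example;
 spf=pass smtp.mailfrom=mail-sender.invalid;
 dkim=none; dmarc=fail header.from=bank.example
From: "Bank Example Security" <alerts@bank.example>
To: user@corp.example
Subject: URGENT: Your account will be suspended
Content-Type: text/plain

Please verify at http://bank-example-verify.invalid/login now.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage(raw: bytes) -> dict:
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0]  # display name and domain the user saw
    rp_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(str(msg.get("Authentication-Results", "")))}
    # Each relay prepends its own Received header, so the last one is the origin hop.
    hops = list(dict.fromkeys(ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(str(h))))
    body = msg.get_body(preferencelist=("plain",))
    urls = URL_RE.findall(body.get_content()) if body else []  # extracted, never opened
    findings = []
    if rp_domain and rp_domain != sender.domain.lower():
        findings.append(f"envelope sender {rp_domain} differs from From domain {sender.domain}")
    if auth.get("dmarc") != "pass" and sender.display_name:
        findings.append(f"DMARC {auth.get('dmarc', 'missing')} behind display name '{sender.display_name}'")
    return {"display_name": sender.display_name, "from_domain": sender.domain,
            "return_path_domain": rp_domain, "auth": auth, "received_ips": hops,
            "origin_ip": hops[-1] if hops else None, "urls": urls, "findings": findings}
```

Call `triage(SAMPLE_EML)` on the constructed message to see both findings (envelope/From mismatch and DMARC fail behind a display name) together with the origin IP and the URL to submit.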
Every investigation ends with a formal IOC table: sender domains, URLs, IPs, email subjects, and malware hashes if applicable. These get added to our threat intelligence platform and SIEM blocklist.
Everything goes into a structured incident report following the format from my NexSecure Bootcamp training: timeline, classification, IOCs, L1/L2 actions, and recommendations. This is what separates a SOC analyst from someone who just "checks alerts."
You can see this methodology applied in full in my Phishing Case Study on this site.
Written by O.T. Nathaniel, AMICDFA, CCEP, CBTP — SOC Analyst & Founder of Cyber Nate