Home > SOC Analysis

Phishing Detection

Phishing detection focuses on identifying attempts where attackers trick users into revealing credentials, downloading malware, or accessing fake websites.
SOC analysts detect phishing through email telemetry, network traffic, endpoint behavior, and threat intelligence correlation.
Effective phishing detection requires checking sender identity, URL reputation, attachment behavior, HTML structures, redirect chains, and user interaction logs.

Understanding How Phishing Works

Phishing relies on social engineering. Attackers attempt to:

  • Impersonate trusted brands

  • Deliver HTML or PDF attachments with hidden scripts

  • Use shortened or obfuscated URLs

  • Deliver malware through documents

  • Capture credentials using fake login portals

SOC detection must focus on technical indicators, not user mistakes.

Email-Based Detection

Email telemetry provides the earliest evidence.

Key fields to analyze:

  • Sender address

  • Return-path mismatches

  • Sender IP reputation

  • SPF/DKIM/DMARC results

  • Subject anomalies

  • Attachment types

  • Embedded links

  • HELO/EHLO mismatch

What analysts look for:

  • Sender from free email domains impersonating companies

  • Reply-to field mismatch

  • Failed SPF or DKIM

  • Suspicious attachment extensions

  • URL hidden behind display text

  • Base64-encoded HTML payloads

Example indicators:

SPF = FAIL
DKIM = NONE
domain age < 7 days

Email logs often provide the first alert before the user interacts.

URL and Domain Detection

Phishing emails almost always contain URLs pointing to fake login pages.

Analysts validate:

  • Domain age

  • Hosting provider

  • SSL certificate reuse

  • Subdomain patterns

  • Redirect chains

  • Presence in threat feeds

  • Whether page captures credentials

Tools used:

  • URLScan.io

  • VirusTotal

  • Passive DNS

  • OTX

  • Talos

Suspicious patterns:

  • newly registered domains

  • .xyz / .top / .tk TLDs

  • domain containing words like login, secure, verify

Attachment-Based Detection

Phishing frequently uses:

  • HTML attachments

  • PDF attachments

  • Office documents

  • ZIP files

  • JavaScript payloads

EDR and sandbox tools help detect malicious behavior executed by attachments.

Indicators:

  • Office file spawning PowerShell

  • PDF launching browser to malicious URL

  • Embedded JavaScript inside HTML files

  • Base64 scripts in attachments

Example malicious chain:

invoice.pdf → opens javascript → redirects to fake login portal

Browser and Network Indicators

SOC detects phishing at the network level through DNS, proxy, and firewall logs.

DNS Indicators

  • Queries for newly registered domains

  • Randomized subdomains

  • DGA-like patterns

Proxy Indicators

  • GET requests to phishing pages

  • Suspicious redirect chains

  • Unknown CDN or hosting services

Firewall Indicators

  • Outbound to IPs with poor reputation

  • TLS fingerprint anomalies

  • Self-signed certificates

Analysts correlate these logs with email and endpoint activity.

Endpoint Indicators

If the user interacts with the phishing email, endpoint logs reveal:

  • Browser spawning credential theft site

  • Credential theft via JavaScript

  • Office macros executing

  • PowerShell commands triggered by attachments

  • Credential manager access

Suspicious process tree:

WINWORD.exe → powershell.exe → curl malicious_url

This indicates phishing leading to malware execution.

Behavioral Detection (User Actions)

SOC monitors user actions that indicate phishing compromise:

  • Multiple failed logins

  • Successful login from new location

  • Impossible travel logins

  • MFA bypass attempts

  • OAuth app grants

  • Password reset attempts

SIEM rules correlate authentication anomalies with email events.

Phishing Use Case Detection Logic

Below are the core detection patterns SOC teams deploy.

Suspicious sender

SPF/DKIM = fail AND sender_domain not in approved list

Malicious domain check

domain_age < 7 days AND not in top domains

HTML attachment analysis

attachment_filetype = html AND contains "action=" AND "password"

Command execution after document opening

Office process → script engine (powershell, wscript)

Fake login detection

URL similarity score > 90% with legitimate brand but suspicious TLD

Credential theft indicators

POST request to unknown domain containing "username" or "password"

These rules detect phishing at multiple layers.

Real SOC Examples

Example 1 — Credential Harvesting Email

Email:

Subject: Urgent Payroll Update
Link: secure-payroll-review[.]com

Findings:

  • Domain registered 2 days ago

  • Logo copied from official site

  • Login form posts data to PHP collector

Action:

  • Block domain

  • Notify targeted employees

Example 2 — HTML Attachment Phishing

Attachment: update.html

Content:

  • Inline CSS to mimic Microsoft login

  • JavaScript sending credentials to attacker server

Action:

  • Quarantine email

  • Add IOC to detection rules

Example 3 — Phishing Leading to Malware

User opened document:

invoice.docm → powershell.exe → download payload

EDR detection and containment triggered.

Intel Dump

  • Phishing detection relies on email telemetry, URLs, attachments, and endpoint behavior.

  • Indicators include SPF/DKIM failures, new domains, suspicious TLDs, encoded HTML files, and abnormal redirects.

  • Network logs reveal DNS queries, C2-like domains, and TLS anomalies.

  • Endpoint logs identify malicious process trees triggered by attachments.

  • SOC correlates email, proxy, DNS, and EDR data to confirm phishing incidents.

HOME LEARN COMMUNITY DASHBOARD