Phishing Incident Investigation Report

Simulated Security Analysis Project | 2025

Executive Summary

A simulated phishing email containing a malicious embedded link was delivered to a user inbox. The investigation focused on validating the alert, identifying indicators of compromise (IOCs), assessing potential credential abuse, and defining escalation and remediation steps aligned with SOC workflow practices.

Alert Details

  • Alert Type: Suspicious Phishing Email
  • Detection Source: Email Heuristic Filtering
  • Affected User: Simulated Corporate Account
  • Initial Severity: Medium

Investigation Steps

  1. Analyzed email headers for SPF/DKIM inconsistencies and domain reputation.
  2. Reviewed embedded link behavior and domain registration age.
  3. Checked authentication logs for abnormal login activity.
  4. Correlated timestamps with web access logs.
  5. Evaluated IP reputation and geolocation anomalies.

Findings

  • Suspicious domain recently registered.
  • No confirmed credential submission.
  • No abnormal login patterns detected.
  • Classified as contained phishing attempt.

MITRE ATT&CK Mapping

  • T1566 – Phishing (Initial Access)
  • T1078 – Valid Accounts (Potential Risk Scenario)

Escalation Decision

The incident was documented as a true positive phishing attempt without confirmed compromise. Recommended actions included a precautionary password reset and continued monitoring for 24 hours.

Detection Improvement

  • Proposed SIEM rule correlating email delivery with failed login attempts.
  • Suggested monitoring for new geolocation login activity.
  • Recommended threshold tuning to reduce false positives.