Case file

SOC phishing triage across ten email red-flag patterns

Foundations SOC engagement: classified ten inbox samples as phishing or legitimate by executive impersonation, macro attachments, survey links, credential-harvest pages, and look-alike payment URLs — closing with a verified triage artifact.

Foundations20 minPhishing · SOC · Email Security · BEC
  • Walked ten production-style messages; seven phishing, three legitimate; documented the decisive indicator on each phish and recovered the engagement artifact after full classification.

  • Documented phishing vs legitimate verdicts with the decisive indicator per level.

01

Engagement summary

Walked ten production-style messages; seven phishing, three legitimate; documented the decisive indicator on each phish and recovered the engagement artifact after full classification.

THE PHISHING POND was a SOC analyst drill against a curated inbox. Each message required a binary verdict plus the primary red flag when malicious. Phishing patterns observed: executive impersonation demanding an urgent wire (L1); Office attachment instructing the user to enable macros (L5, L10); third-party survey link off corporate domain (L6); prize/offer harvesting banking or PII (L7); password-reset redirect to a look-alike host (L8); deceptive payment-portal URL (L9). Levels 2–4 were legitimate operational mail with aligned branding and no credential or payment coercion. Correct classification of the full set unlocked THM{i_phish_you_not}. Briefing focus: reason codes, not gut feel — every phish maps to a detectable control failure (display-name trust, macro policy, URL inspection).

Business impact

Missed BEC and macro lures convert to wire fraud and ransomware footholds. Analysts who cannot name the indicator cannot tune detections. Codify reason codes into playbooks and SIEM rules (urgent finance language + external From, .docm/.xlsm with enable-content language, password-reset domains ≠ IdP).

02

Classification matrix and reason codes

Documented phishing vs legitimate verdicts with the decisive indicator per level.

TRIAGE LOG

phishing-pond-triage.txt

L1  PHISH  executive impersonation + urgent wire transfer
L2  LEGIT
L3  LEGIT
L4  LEGIT
L5  PHISH  attachment + enable macros
L6  PHISH  suspicious third-party survey link
L7  PHISH  offer requires personal/banking details
L8  PHISH  malicious password-reset page
L9  PHISH  deceptive payment-portal URL
L10 PHISH  attachment + enable macros

ANALYST · SOC

savvy@lab:~$ cat triage/phishing-pond-triage.txt | grep PHISH | wc -l

7

savvy@lab:~$ cat engagement/artifact.txt

THM{i_phish_you_not}

Remediation

Block macros from internet zone by default; warn on display-name ≠ SMTP alignment; rewrite/sandbox external links; train finance on verbal verification for wire changes. Feed confirmed phish samples into secure email gateway allow/deny lists within the same shift.