SOC phishing triage across ten email red-flag patterns
Foundations SOC engagement: classified ten inbox samples as phishing or legitimate by executive impersonation, macro attachments, survey links, credential-harvest pages, and look-alike payment URLs — closing with a verified triage artifact.
- Case files
- SOC phishing triage across ten email red-flag patterns
Walked ten production-style messages; seven phishing, three legitimate; documented the decisive indicator on each phish and recovered the engagement artifact after full classification.
Documented phishing vs legitimate verdicts with the decisive indicator per level.
Engagement summary
Walked ten production-style messages; seven phishing, three legitimate; documented the decisive indicator on each phish and recovered the engagement artifact after full classification.
THE PHISHING POND was a SOC analyst drill against a curated inbox. Each message required a binary verdict plus the primary red flag when malicious. Phishing patterns observed: executive impersonation demanding an urgent wire (L1); Office attachment instructing the user to enable macros (L5, L10); third-party survey link off corporate domain (L6); prize/offer harvesting banking or PII (L7); password-reset redirect to a look-alike host (L8); deceptive payment-portal URL (L9). Levels 2–4 were legitimate operational mail with aligned branding and no credential or payment coercion. Correct classification of the full set unlocked THM{i_phish_you_not}. Briefing focus: reason codes, not gut feel — every phish maps to a detectable control failure (display-name trust, macro policy, URL inspection).
Business impact
Missed BEC and macro lures convert to wire fraud and ransomware footholds. Analysts who cannot name the indicator cannot tune detections. Codify reason codes into playbooks and SIEM rules (urgent finance language + external From, .docm/.xlsm with enable-content language, password-reset domains ≠ IdP).
Classification matrix and reason codes
Documented phishing vs legitimate verdicts with the decisive indicator per level.
TRIAGE LOG
phishing-pond-triage.txt
L1 PHISH executive impersonation + urgent wire transfer
L2 LEGIT
L3 LEGIT
L4 LEGIT
L5 PHISH attachment + enable macros
L6 PHISH suspicious third-party survey link
L7 PHISH offer requires personal/banking details
L8 PHISH malicious password-reset page
L9 PHISH deceptive payment-portal URL
L10 PHISH attachment + enable macrosANALYST · SOC
savvy@lab:~$ cat triage/phishing-pond-triage.txt | grep PHISH | wc -l
7
savvy@lab:~$ cat engagement/artifact.txt
THM{i_phish_you_not}
Remediation
Block macros from internet zone by default; warn on display-name ≠ SMTP alignment; rewrite/sandbox external links; train finance on verbal verification for wire changes. Feed confirmed phish samples into secure email gateway allow/deny lists within the same shift.