Why email is still the #1 attack vector
Email remains the most common entry point for cyberattacks. Most successful breaches start with a single message landing in someone's inbox. The attacker doesn't need to break through a firewall, they just need one person to click a link or open an attachment.
A phishing email is a fraudulent message designed to trick the recipient into doing something that benefits the attacker. That action could be entering login credentials on a fake site, downloading malware, opening a macro-enabled document, approving an MFA request, sending money, or simply replying with sensitive information. The organisations being impersonated are almost always ones people trust without thinking, banks, Microsoft, Google, Amazon, PayPal, HR departments, or a message that appears to come from the CEO.
This guide covers every component of an email and how a SOC analyst examines each one.
Anatomy of an email
Most people see the display name, subject line, and message body. That's exactly what attackers count on. A full analysis touches every part of the message.
| Component | What analysts look at |
|---|---|
| Display name | Does it match the actual sending address? |
| Sender address | Real domain or a lookalike? |
| Reply-To | Does it differ from the From address? |
| Return-Path | Where do bounces go, is it suspicious? |
| Subject line | Urgency, threats, reward, or unusual phrasing? |
| Received headers | What path did this email actually travel? |
| SPF / DKIM / DMARC | Did authentication pass or fail? |
| Message body | Grammar, tone, formatting, psychological pressure |
| Hyperlinks | Does the visible URL match the real destination? |
| Attachments | Extension, file type, macro-enabled? |
1. Display name vs. sender address
Most users only read the display name. Attackers know this. The name can say "Microsoft Support" while the actual sending address is something like support@microsoft-verify-account.xyz. Email clients often hide the raw address by default, which is why this trick works so reliably.
One of the subtler variants is typosquatting, registering a domain that looks nearly identical to a legitimate one. The letters rn side by side look almost exactly like m, so rnicrosoft.com can pass a quick glance.
| Legitimate domain | Fake equivalent |
|---|---|
| paypal.com | paypa1.com |
| microsoft.com | rnicrosoft.com |
| amazon.com | amaz0n.com |
| google.com | goog1e.com |
| apple.com | app1e.com |
Attackers also add words to the domain to make it look official: paypal-security.com, secure-paypal.org, microsoftverify.com. None of these belong to the real companies. Always check the actual domain, not the words around it.
2. Subject line
The subject line is designed to get you to open the email before thinking. Phishing subjects almost always trigger one of three emotions: fear, urgency, or curiosity. Common examples include "Your account will be closed", "URGENT: Invoice attached", "Suspicious login attempt detected", and "Package delivery failed, action required".
Legitimate organisations rarely demand action within minutes and don't phrase things to create panic. If the subject line made your heart rate go up slightly, that's intentional, slow down rather than speed up.
3. Greeting
A company that has your account knows your name. Phishing emails use generic greetings like "Dear Customer", "Dear User", or "Hello Member" because the same message is being sent to millions of people simultaneously. A generic greeting isn't proof the email is malicious, but it's a flag worth noting alongside the other signals.
4. Message body
Read the content carefully and look for inconsistencies. Grammar mistakes, spelling errors, awkward phrasing, mismatched fonts, random colour changes, broken images, and incorrect logos all suggest the email wasn't produced by a legitimate organisation's communications team. AI tools have made phishing emails more convincing in recent years, but inconsistencies still appear, especially in the formatting and in phrases that don't quite match how the impersonated company normally communicates.
5. Psychological tactics
Phishing works because it exploits predictable human responses. SOC analysts recognise these as social engineering techniques rather than coincidences.
| Tactic | Example |
|---|---|
| Fear | "Your account has been compromised." |
| Urgency | "Act within 30 minutes or your account will be closed." |
| Curiosity | "Someone mentioned you in this document." |
| Reward | "You've been selected for a free iPhone." |
| Authority | "Message from the CEO / HR Department / Government Notice" |
| Scarcity | "Limited time, offer expires today." |
If an email is pushing you toward a fast decision, that pressure itself is a red flag. Real organisations give you time.
6. Hyperlink analysis
Never trust visible link text. An email can display https://paypal.com while the actual URL underneath points to http://paypal-login-security.xyz. Always hover over a link before clicking, your browser shows the real destination in the status bar.
Things to check in a URL: is the domain legitimate or a lookalike? Is it HTTP rather than HTTPS? Does it use an IP address directly instead of a domain name? Is it a URL shortener hiding the real destination? Does it use a long subdomain to bury the real domain at the end?
That last one is worth understanding clearly. In paypal.com.fake-domain.com, the actual domain is fake-domain.com. Everything before the last dot-separated domain is just a subdomain, the attacker has constructed it to look official at a glance.
7. Attachments
Attachments are one of the most reliable malware delivery mechanisms because users are conditioned to open files. The extensions below should trigger immediate caution from anyone in a security role.
| Category | Extensions to watch |
|---|---|
| Executables | .exe, .scr, .bat, .cmd |
| Scripts | .js, .vbs, .ps1 |
| Disk images | .iso, .img |
| Archives | .zip, .rar (may contain any of the above) |
| Macro-enabled Office files | .docm, .xlsm, .pptm, the "m" means macro-enabled; macros can execute arbitrary code |
| PDFs | Not inherently malicious, but can redirect to phishing sites, embed QR codes, contain malicious links, or exploit vulnerable readers |
Never open a suspicious attachment locally. Use a sandbox tool to detonate it safely, more on that in the tools section below.
8. QR code phishing (quishing)
A growing tactic is replacing clickable links with QR codes. The user scans the code with their phone, which opens a phishing site on a device that typically has fewer security controls than a corporate laptop. The reason this works so well is that you can't hover over a QR code, there's no way to preview the destination before visiting it. If an email asks you to scan a QR code to "verify your account" or "complete a security check", treat it with the same suspicion as a bare link.
9. Email header analysis
Headers are hidden by default in most email clients, but they contain the most technically reliable information about where an email actually came from. Every mail server that handled the message adds a Received: line, and crucially, you read these from bottom to top. The bottom entry is where the email originated. Working upward shows the relay chain all the way to your inbox.
Return-Path
The address that receives bounced emails. If the Return-Path domain doesn't match the From domain, that's a mismatch worth investigating. A legitimate PayPal email's Return-Path should be at a PayPal domain, if it points to abc123@randomdomain.com, something is wrong.
Reply-To
If an attacker sends from a spoofed address but wants replies to land somewhere they control, they set a different Reply-To. Seeing From: billing@company.com alongside Reply-To: support@gmail.com is a significant red flag, legitimate company billing systems don't route replies to personal Gmail accounts.
Message-ID
Every email has a unique identifier generated by the sending mail server. Unusual or random-looking domains in the Message-ID can indicate suspicious sending infrastructure that doesn't match the claimed sender.
X-Originating-IP
Some mail servers include the original sending IP address in this field. If an email claims to be from Microsoft but originated from a residential IP in an unexpected country, that's worth investigating further.
10. Email authentication: SPF, DKIM, DMARC
These three protocols form the technical backbone of email authentication. Together they answer: did this email actually come from who it claims to be from, and has it been tampered with in transit?
| Protocol | Full name | What it checks | Results to know |
|---|---|---|---|
| SPF | Sender Policy Framework | Whether the sending mail server is authorised to send email for the domain, checked against a DNS record the domain owner publishes | PASS = authorised server. FAIL = possible spoofing. |
| DKIM | DomainKeys Identified Mail | Whether the email was modified after leaving the sending server, verified using a cryptographic signature | PASS = intact and signed. FAIL = tampered or unsigned. NONE = no signature present. |
| DMARC | Domain-based Message Authentication, Reporting & Conformance | Combines SPF and DKIM results and tells receiving servers what to do if either fails, reject, quarantine, or allow | PASS = both checks align. FAIL = spoofing likely. REJECT/QUARANTINE = domain owner has set an enforcement policy. |
A legitimate email from a well-configured domain will pass all three. A spoofed email will typically fail at least one. SPF FAIL or DMARC FAIL on an email claiming to be from a major organisation is a strong indicator of spoofing.
11. Domain and IP reputation
Once you've extracted the sender's domain and originating IP address from the headers, check their reputation. Questions worth asking: when was the domain registered? A domain created yesterday claiming to be Microsoft is immediately suspicious. Is it listed on any blacklists? Has the IP address been reported for malicious activity? Does WHOIS show privacy protection masking the registrant identity? Does the domain have a real website, or does it resolve to nothing?
Brand new domains and IPs with abuse reports are two of the most reliable signals that something is off.
12. Business Email Compromise (BEC)
Not every phishing email contains malware or a malicious link. Business Email Compromise is a category where the entire attack is social engineering, no technical payload required. A classic example is an email appearing to come from the CEO asking an employee to urgently purchase gift cards and send the redemption codes, or a fake vendor invoice redirecting payment to a new bank account.
These attacks are often harder to detect technically because the emails can pass all authentication checks (if the attacker has compromised the real account) and contain no suspicious URLs or attachments. The signal is in the request itself, unusual urgency, an out-of-character ask, pressure to bypass normal approval processes, or a request to keep things confidential.
Safe analysis process
When a suspicious email arrives, whether reported by a user or caught by a filter, this is the order to work through it.
- Don't click links or open attachments until the analysis is complete.
- Verify the full sender address, not just the display name.
- Check the Reply-To and Return-Path for mismatches with the From address.
- Hover over every link to check the real destination URL.
- Note any urgency, fear, authority, or reward pressure in the content.
- Pull the full email headers and read the Received chain bottom to top.
- Check SPF, DKIM, and DMARC authentication results.
- Look up the sender domain's registration date and reputation.
- Check the originating IP against abuse and blacklist databases.
- Scan any URLs or attachments using sandbox tools, never open locally.
- If still unsure, contact the claimed sender through an official channel that you find independently, not the details in the email.
- Report to your security team so the threat can be blocked for other users.
Analysis tools
| Tool | Purpose |
|---|---|
| MXToolbox | Analyse email headers, DNS records, mail server configuration, and blacklist status |
| VirusTotal | Scan URLs, domains, IPs, and file hashes against dozens of security engines simultaneously |
| URLScan.io | Safely visit a URL in an isolated browser and see screenshots, redirects, scripts loaded, and network requests, without visiting it yourself |
| Any.Run | Interactive malware sandbox, watch what a file or URL actually does when executed in a controlled environment |
| Hybrid Analysis | Automated malware sandbox with behavioural analysis and IOC extraction |
| Cisco Talos Intelligence | Check the reputation of IPs, domains, and URLs using Cisco's threat intelligence database |
| AbuseIPDB | Community-reported IP abuse data, check whether an IP has been flagged for malicious activity |
| WHOIS Lookup | Domain registration details, creation date, registrar, expiry, and registrant information |
| Google Safe Browsing | Check whether a URL is flagged as a known phishing or malware site |
SOC analyst workflow
When a phishing email is escalated to a SOC team, the investigation follows a structured process rather than an ad-hoc inspection.
- Preserve the email as evidence in its original form, including headers.
- Review all components, sender, subject, body, links, and attachments, before touching anything.
- Extract indicators of compromise (IOCs): sender email address, domains, URLs, IP addresses, file names, and file hashes.
- Analyse headers to verify the sending path and authentication results.
- Run reputation checks on all extracted IOCs using threat intelligence platforms.
- Sandbox suspicious files and URLs to observe behaviour in a controlled environment.
- Determine scope, how many users received this email? Did anyone click or open anything?
- Contain by blocking malicious domains and IPs, quarantining the email from other inboxes, disabling compromised accounts, or isolating affected endpoints.
- Document the full investigation: findings, evidence collected, timeline, and response actions taken.
- Recommend improvements, updated email filter rules, stronger authentication enforcement, or targeted user awareness training.
Final takeaway
Phishing detection is about looking past the surface. Attackers can replicate logos, copy email formatting, and write convincing prose, but the technical signals underneath are much harder to fake. SPF failures, domain mismatches, suspicious originating IPs, and Reply-To redirections expose the truth even when the visual presentation looks legitimate.