Phishing Email Detection Using Splunk - SOC Project.

The project aims to detect phishing emails by analyzing email gateway logs for suspicious subjects and dangerous attachments using Splunk. Key visualizations include identifying suspicious emails by sender, dangerous attachments, and common phishing email subjects. The project utilizes various tools for email analysis and emphasizes skills in SIEM log analysis, email security, and threat detection.

Phishing Email Detection Using Splunk – Cybersecurity SOC Project

Project Goal:

Detect phishing emails with suspicious subjects (like "password") or dangerous attachments (like .exe files) from email gateway logs (Exchange, Proofpoint, etc.).

Splunk SPL Query Used:

index=email_logs subject="*password*" OR attachment="*.exe"
| stats count by sender, recipient, subject

Visualizations Created:

1. Suspicious Emails by Sender – Highlights top malicious email senders.
2. Suspicious Attachments (.exe) – Flags dangerous file types sent via email.
3. Phishing Email Subjects Detected – Detects subjects commonly used in phishing attempts.

Tools Used:
• Splunk for log collection and analysis.
• Email Gateway Logs (Exchange, Proofpoint).
• Python + Seaborn for creating custom visual dashboards (optional).

Key Skills Demonstrated:

• SIEM Log Analysis
• Email Security
• Threat Detection
• Regex-based Filtering
• Dashboard Creation

Email Analysis & Investigation Websites

1. VirusTotal
https://www.virustotal.com/
Upload suspicious email attachments or URLs to scan them with multiple antivirus engines and get detailed reports.
2. MXToolbox
https://mxtoolbox.com/
Check email server configurations (SPF, DKIM, DMARC), blacklist status, and perform email header analysis.
3. URLScan.io
https://urlscan.io/
Analyze suspicious URLs from phishing emails by scanning their behavior in a sandbox environment.
4. EmailRep
https://emailrep.io/
Reputation lookup for email addresses to check if an email sender is suspicious or associated with scams.
5. PhishTool
https://phishtool.com/
Specialized phishing analysis and reporting platform that helps SOC teams identify phishing threats.
6. Talos Intelligence (Cisco)
https://talosintelligence.com/
Search for IPs, domains, and emails related to malicious activity or phishing campaigns.
7. Email Header Analyzer by Google
https://toolbox.googleapps.com/apps/emailheader/analyzer/
Paste full email headers to analyze the path and origin of the email for spoofing or phishing detection.
8. IPVoid
https://www.ipvoid.com/
Check the reputation of IP addresses involved in sending suspicious emails.

📧 Email Analysis Process (Step-by-Step)
1. Initial Email Collection

• Obtain the full email message, including headers and body.
• Save the email in .eml or .msg format for detailed inspection.

2. Analyze Email Headers

• Email headers contain metadata about the path the email took.
• Look for:
o Received: Servers that handled the email (check for suspicious IPs).
o From/Return-Path: Check if the sender address matches the actual source.
o SPF, DKIM, DMARC Results: Authentication checks to see if the email was spoofed or forged.

Tools:

• Use MXToolbox Email Header Analyzer
• Or Google Email Header Analyzer

3. Inspect Email Body and Subject

• Look for suspicious keywords like "password," "urgent," "verify," or "click here."
• Check if the subject or body contains:
o Requests for sensitive information (phishing).
o Misspellings or poor grammar.
o Suspicious links or attachments.

4. Analyze URLs and Links

• Extract URLs and test them in safe environments.
• Check if URLs are shortened or obfuscated.
• Verify domain reputation using tools like:
o VirusTotal
o URLScan.io

5. Examine Attachments

• Scan attachments with antivirus tools.
• Check file types (e.g., .exe, .js, .docm files are suspicious).
• Use sandbox tools to analyze attachment behavior.

Tools:

• VirusTotal (file scan)
• Hybrid Analysis (https://www.hybrid-analysis.com/)

6. Check Sender Reputation

• Look up the sender's email address and IP address for past malicious activity.
• Use:
o EmailRep
o Talos Intelligence
o IPVoid

7. Correlate with Logs and Alerts

• Cross-reference with firewall, proxy, or SIEM logs for related alerts.
• Look for connections from suspicious IPs or repeated login attempts.

8. Report Findings & Take Action

• Document suspicious indicators (IOCs) found in the analysis.
• Block malicious IPs, URLs, or email addresses on email gateways/firewalls.
• Notify affected users and recommend password resets or MFA enablement.
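
Steps 2 to 5 above can be automated against a saved .eml file; the Python script below is an added illustration (not part of the project) that uses the standard library's email parser on a constructed sample message. Every address, host and IP in the sample is made up, and the keyword and extension lists are the ones the steps name.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message for demonstration; every address, host and IP is made up.
SAMPLE_EML = """\
Return-Path: <bounce@bulk-sender.example.net>
Received: from mail.example-legit.com ([198.51.100.7]) by mx.corp.example with ESMTP
Received: from unknown ([203.0.113.45]) by mail.example-legit.com with SMTP
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=bulk-sender.example.net; dkim=none; dmarc=fail header.from=bank.example
From: "IT Support" <helpdesk@bank.example>
Subject: URGENT: verify your password now
Content-Type: multipart/mixed; boundary="b1"

--b1

Click here: http://bit.ly/abc123 to verify your account.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.exe"

--b1--
"""

SUBJECT_KEYWORDS = ("password", "urgent", "verify", "click here")
DANGEROUS_EXTENSIONS = (".exe", ".js", ".docm")

def domain_of(header_value):
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def analyze_email(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Step 2: From vs Return-Path alignment and the SPF/DKIM/DMARC verdicts
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"from/return-path mismatch: {from_dom} vs {rp_dom}")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", str(msg.get("Authentication-Results", "")))
        if not m or m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1).lower() if m else 'missing'}")
    # Each relay prepends a Received header, so the last one is the earliest hop (origin side)
    hop_ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", "\n".join(msg.get_all("Received", [])))
    # Step 3: suspicious keywords in the subject
    hits = [w for w in SUBJECT_KEYWORDS if w in str(msg.get("Subject", "")).lower()]
    findings += [f"subject keyword: {w}" for w in hits]
    # Step 5: attachments with dangerous file types
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    findings += [f"dangerous attachment: {n}" for n in names if n.endswith(DANGEROUS_EXTENSIONS)]
    return {"origin_ip": hop_ips[-1] if hop_ips else None, "findings": findings}
```

The origin IP and the findings list are the inputs for the reputation lookups and SIEM correlation in steps 6 and 7.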

Suspicious Emails by Sender
What It Shows:
A bar chart or table in Splunk visualizing the count of emails flagged as suspicious, grouped by the sender's email address.

Why It’s Important:

• Helps identify which senders are repeatedly trying to deliver phishing emails.
• Makes it easy to block or investigate senders with high volumes of suspicious activity.
• Supports email gateway policy improvements (e.g., blacklisting).

Based on SPL Query:

index=email_logs subject="*password*" OR attachment="*.exe"
| stats count by sender

🖼️ Suspicious Attachments (.exe Files)

What It Shows:
A visualization listing email attachments (like .exe, .js, .docm) that are often used to deliver malware.

Why It’s Important:

• Shows dangerous file types that can infect user systems if opened.
• Helps SOC teams prioritize alerts based on malicious attachment types.
• Drives decisions to quarantine or automatically block such files.

Based on SPL Query:

index=email_logs attachment="*.exe"
| stats count by sender, recipient, attachment

Phishing Email Subjects Detected

What It Shows:
Lists or visualizes email subjects that contain suspicious keywords like “password,” “urgent,” “click here,” etc.

Why It’s Important:

• Common phishing tactics often involve emotionally triggering subjects.
• Helps build a keyword detection rule set to flag new phishing attempts.
• Useful for training ML-based phishing detection systems.

Based on SPL Query:

index=email_logs subject="*password*" OR subject="*urgent*" OR subject="*click*"
| stats count by subject
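
The three breakdowns above, together with the main query at the top of the project, are one pattern: filter gateway events on subject keywords or attachment type, then count by a set of fields. The Python script below, added here as an illustration and not part of the project, replays that logic offline over constructed key=value log lines so a rule can be checked before it goes into Splunk; it generalises the single "*password*"/"*.exe" pair into a keyword list and an extension list, and the log format, field names and all values are assumptions.

```python
import re
from collections import Counter

# Constructed key=value gateway log lines (not real Exchange/Proofpoint output); all values are made up.
EMAIL_LOGS = """\
sender=hr@corp.example recipient=alice@corp.example subject="Q3 timesheet reminder" attachment=timesheet.xlsx
sender=helpdesk@bulk-sender.example.net recipient=alice@corp.example subject="Reset your password now" attachment=none
sender=helpdesk@bulk-sender.example.net recipient=bob@corp.example subject="Reset your password now" attachment=none
sender=billing@vendor.example recipient=bob@corp.example subject="Invoice attached" attachment=invoice.exe
sender=helpdesk@bulk-sender.example.net recipient=carol@corp.example subject="URGENT: click to verify" attachment=form.docm
"""

SUBJECT_KEYWORDS = ("password", "urgent", "click")   # union of the keywords used across the queries
DANGEROUS_EXTENSIONS = (".exe", ".js", ".docm")       # the file types the attachment visualization lists

def parse_line(line):
    # key=value pairs with optional double-quoted values, like Splunk's auto-extracted fields
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def is_suspicious(event):
    # Same filter as subject="*password*" OR attachment="*.exe", widened to the lists above;
    # matching is case-insensitive, as Splunk's search-time field=value matching is
    subject = event.get("subject", "").lower()
    attachment = event.get("attachment", "").lower()
    return any(k in subject for k in SUBJECT_KEYWORDS) or attachment.endswith(DANGEROUS_EXTENSIONS)

def stats_count_by(events, *fields):
    # Equivalent of "| stats count by f1, f2, ...": maps a tuple of field values to a count
    return Counter(tuple(e.get(f, "") for f in fields) for e in events)

def phishing_report(raw_logs):
    events = [parse_line(line) for line in raw_logs.splitlines() if line.strip()]
    flagged = [e for e in events if is_suspicious(e)]
    with_payload = [e for e in flagged if e.get("attachment", "").lower().endswith(DANGEROUS_EXTENSIONS)]
    return {
        "main": stats_count_by(flagged, "sender", "recipient", "subject"),   # the project's first query
        "by_sender": stats_count_by(flagged, "sender"),                        # Suspicious Emails by Sender
        "by_attachment": stats_count_by(with_payload, "sender", "recipient", "attachment"),
        "by_subject": stats_count_by(flagged, "subject"),                      # Phishing Email Subjects Detected
    }
```

Note that Splunk evaluates OR before the implicit AND, so the query index=email_logs subject="*password*" OR attachment="*.exe" already restricts both terms to the index; wrapping the OR in parentheses makes that intent explicit to whoever reviews the search.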


Project Deliverables:

• Dashboard visualizations
• Suspicious Email Report
