You are a SOC analyst at Heliotrope Defense Systems. A user forwarded the email below to phish@heliotrope.com, your reporting alias. Your job is to do the forensics: examine the rendered message, the URL it links to, the attachment metadata, and the raw headers; identify what's wrong with each; then decide what action to take.
Hello,
Our security team has detected unusual activity on your Heliotrope account. As a mandatory security measure, all employees must reset their domain password within the next 2 hours or access to email and shared drives will be suspended automatically.
Please verify your identity and set a new password using the secure portal below:
https://heliotrope.com/sso/password-reset
If you do not complete this reset before 11:14 AM today, your account will be locked and a help-desk ticket will be required to restore access.
Please find attached our updated security policy for your records.
Heliotrope Defense Systems
This is an automated message. Do not reply.
What the indicators are
A trained analyst can typically identify a phishing email in under 30 seconds because each indicator above is a well-known pattern. The seven you should have found:
- Display name vs From address mismatch. The display name says "IT Help Desk", but the address is from helliotrope-it.com, not the company's real domain.
- Look-alike domain. helliotrope-it.com (with two L's) is a typosquat of heliotrope.com. Easy to miss in passing; obvious on inspection.
- SPF / DKIM / DMARC failures. All three email authentication checks failed. The message was sent from an IP not authorized to send for the claimed sender domain.
- Reply-To pointing elsewhere. The visible From is corporate-looking; the Reply-To is phish-collector@gmail.com. A free-email Reply-To on a corporate-themed message is a near-certain phishing tell.
- Manufactured urgency. "Within 2 hours" and "account will be locked" are pressure tactics. Real IT communications give time.
- Link display vs href mismatch. The text says heliotrope.com/sso/password-reset; the real URL is on secure-login-portal.online.
- Executable attachment with double extension. .pdf.exe renders as .pdf on default Windows settings (extensions of known file types are hidden). VirusTotal would have flagged it; an EDR scan flags it; even basic mail-gateway hygiene flags it.
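An added triage script, not part of this exercise or any tool it describes, that pulls the same indicators out of a raw message. RAW_EML is a constructed sample that mirrors the email above; CORP, FREE_MAIL, the indicator names and the crude similarity threshold for the look-alike check are all assumptions.

```python
import email, re, difflib
from email import policy
from urllib.parse import urlparse
CORP = "heliotrope.com"   # assumed: our own domain; RAW_EML below is a constructed sample
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}   # assumed free-mail providers
RAW_EML = """\
From: "IT Help Desk" <helpdesk@helliotrope-it.com>
Reply-To: phish-collector@gmail.com
Authentication-Results: mx.heliotrope.com; spf=fail; dkim=fail; dmarc=fail header.from=helliotrope-it.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p><a href="https://secure-login-portal.online/reset">https://heliotrope.com/sso/password-reset</a></p>
--b1
Content-Type: application/octet-stream; name="Security_Policy.pdf.exe"

--b1--
"""

def triage(raw):   # returns the indicator names present in a raw RFC 5322 message
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    from_dom = msg["From"].addresses[0].domain.lower()
    if from_dom != CORP:
        found.append("from-domain-mismatch")           # "IT Help Desk" but not our domain
    label = from_dom.split(".")[0].split("-")[0]     # heuristic: "helliotrope", ignoring "-it"
    if 0.8 < difflib.SequenceMatcher(None, label, CORP.split(".")[0]).ratio() < 1:
        found.append("look-alike-domain")
    reply = msg["Reply-To"]
    if reply and reply.addresses[0].domain.lower() in FREE_MAIL:
        found.append("free-mail-reply-to")
    auth = str(msg.get("Authentication-Results", ""))
    found += [m + "-fail" for m in ("spf", "dkim", "dmarc") if re.search(m + r"=fail\b", auth)]
    body = msg.get_body(preferencelist=("html",)).get_content()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body):
        shown = urlparse(text if "://" in text else "https://" + text).hostname
        if shown and shown != urlparse(href).hostname:   # displayed host != real host
            found.append("link-href-mismatch")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.count(".") >= 2 and name.endswith((".exe", ".scr", ".js", ".vbs", ".bat")):
            found.append("double-extension-executable")
    return found

def verdict(found):   # auth failure + spoofed sender + executable = high-confidence block
    key = {"dmarc-fail", "from-domain-mismatch", "double-extension-executable"}
    return "block" if key <= set(found) else ("review" if found else "clean")
```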
The response: what an analyst does next
Finding the indicators is the easy part. The actual response is the part that earns the salary:
- Quarantine the message in the mail gateway. Search for other copies sent to other recipients — phishing campaigns target dozens at a time, not one.
- Extract IOCs — the sender IP, the sender domain, the typosquat, the malicious URL host, the attachment SHA-256. Push these to the SIEM and EDR as block-list entries.
- Check who clicked. Query the proxy logs for any user who connected to secure-login-portal.online in the last 24 hours. Pull their browser history; check whether the password page rendered; check whether any credentials were submitted.
- Check who opened. Mail logs show delivery; EDR shows file execution. Any host where the attachment ran needs immediate isolation, credential reset, and investigation.
- Report the typosquat. Submit helliotrope-it.com and secure-login-portal.online to the registrar's abuse contact, Google Safe Browsing, Microsoft Defender SmartScreen, and PhishTank. Industry blocklists feed major browsers; getting the domain blocked benefits other targets.
- Educate the reporter. The user who reported this did the right thing. Acknowledge that publicly. Reporting culture is what gets you future intel.
- Tune detection. If your mail gateway didn't catch this, the rules need updating. Authentication failures + display-name spoofing + executable attachment should be a high-confidence block, not a "scan further" decision.
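An added example, not from the page, of the "check who clicked" hunt over proxy logs: LOG is constructed sample data in an assumed `timestamp user method url status` layout, IOC_HOSTS holds the two hosts from the exercise, and treating a 2xx GET as "page rendered" and a POST as "credentials submitted" is the assumption the triage ordering rests on.

```python
from collections import defaultdict
from urllib.parse import urlparse

IOC_HOSTS = {"secure-login-portal.online", "helliotrope-it.com"}   # hosts from the exercise

# Constructed proxy log lines (assumed layout: ts user method url status); not real data.
LOG = """\
2024-05-02T10:52:13Z alice GET https://secure-login-portal.online/reset 200
2024-05-02T10:52:41Z alice POST https://secure-login-portal.online/reset 302
2024-05-02T10:55:02Z bob GET https://intranet.heliotrope.com/home 200
2024-05-02T10:57:19Z carol GET https://secure-login-portal.online/reset 200
2024-05-02T11:01:45Z dave GET http://helliotrope-it.com/favicon.ico 404
"""

def hunt(log, iocs=IOC_HOSTS):
    """Map each user who touched an IOC host to what they did there."""
    hits = defaultdict(lambda: {"rendered": False, "submitted": False, "first_seen": None})
    for line in log.splitlines():
        ts, user, method, url, status = line.split()
        if urlparse(url).hostname not in iocs:
            continue
        h = hits[user]
        h["first_seen"] = h["first_seen"] or ts
        if method == "GET" and status.startswith("2"):
            h["rendered"] = True     # the fake password page loaded in their browser
        if method == "POST":
            h["submitted"] = True    # a form went back to the phishing host: reset now
    return dict(hits)

def triage_order(hits):
    """Credential submitters first, then users who saw the page, then bare touches."""
    return sorted(hits, key=lambda u: (not hits[u]["submitted"],
                                       not hits[u]["rendered"], hits[u]["first_seen"]))
```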
Phishing email forensics is mostly about knowing where to look: the rendered message, the raw headers, the actual URL, the attachment metadata. Each has a small set of patterns that show up across every campaign. Find them quickly, document them, and the rest of the response (quarantine, hunt for clickers, push IOCs, educate the reporter) is procedural.
Building this muscle memory is one of the highest-leverage skills in any SOC analyst's toolkit. It is also the reason mature security teams celebrate the user who reports a phish more than they shame the user who clicks one: the report is the start of every defensive action that follows.