⚠ SECURITY INCIDENT DETECTED
IR-01
INCIDENT RESPONSE — PHISHING TRIAGE
SUSPICIOUS EMAIL REPORTED BY EMPLOYEE · TICKET #IR-2026-0441

OBJECTIVES

Read the incident ticket
Identify the spoofed sender address
Analyze full email headers
Check SPF / DKIM / DMARC results
Inspect the suspicious URL
Look up sending IP in threat intel
Identify the malicious attachment type
Run whois / dig on the phishing domain
Submit the IR report
PHASE 1 — TRIAGE
INCIDENT BRIEF
⚠ ACTIVE INCIDENT — TICKET #IR-2026-0441

PHISHING TRIAGE

REPORTED BY: [email protected] · 09:14 UTC

INCIDENT SUMMARY

Employee Sarah Miller (Finance Dept.) forwarded a suspicious email she received at 09:12 UTC today. She reported that it appeared to be from Microsoft IT Security but something felt "off" about the link. She did not click the link and did not open the attachment. The email has been quarantined pending your analysis.

YOUR ROLE

You are the on-call SOC analyst. You must triage this email, identify all Indicators of Compromise (IOCs), determine whether it is a phishing attempt, and complete an Incident Response report for escalation.

TOOLS AVAILABLE

Tool              Purpose
Email Client      View the suspicious email + full headers
Header Analyzer   Parse and flag suspicious header fields
URL Inspector     Safely detonate and analyze links
Threat Intel      Look up IPs and domains against threat feeds
Terminal          whois, dig, nslookup on suspicious domains
IR Report         Document findings and recommend actions

WHAT TO LOOK FOR

  • Sender address vs display name mismatch
  • Suspicious sending IP / SPF fail
  • Failed DKIM / DMARC authentication
  • Lookalike / punycode domains in links
  • Macro-enabled or dangerous attachments
  • Urgency language and impersonation tactics
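The checklist above can be run mechanically over a raw .eml before an analyst opens the message. The script below is an added example and is not part of the lab or its tooling: it parses a constructed sample message (fictional domains under .test, a documentation-range IP 203.0.113.45, a punycode host built in code from a Cyrillic "о") with Python's standard email module and applies each "what to look for" item as a check. The brand-word heuristic for display-name mismatch, the risky-extension list and the urgency terms are assumptions of this example, not rules from the page.

```python
"""Offline phishing triage: display-name mismatch, Reply-To mismatch, SPF/DKIM/DMARC,
punycode links, risky attachment types, urgency language. Sample message is constructed."""
import os
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Constructed lookalike host: Latin "micr" + Cyrillic o (U+043E) + "soft", punycode-encoded.
PUNY_HOST = "micr\u043esoft.test".encode("idna").decode("ascii")

# Constructed sample .eml; every address, domain, IP and hash-like value here is fictional.
RAW = f"""\
Return-Path: <bounce@sender-relay.test>
Received: from sender-relay.test (unknown [203.0.113.45])
    by mx.apexcorp.test with ESMTP id c0ffee; Mon, 2 Mar 2026 09:12:03 +0000
Authentication-Results: mx.apexcorp.test;
    spf=fail smtp.mailfrom=sender-relay.test;
    dkim=none;
    dmarc=fail header.from=rnicrosoft-support.test
From: "Microsoft IT Security" <it-security@rnicrosoft-support.test>
Reply-To: <helpdesk@mailer-three.test>
To: smiller@apexcorp.test
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Verify your account immediately: http://{PUNY_HOST}/login
--b1
Content-Type: application/octet-stream; name="Invoice.docm"
Content-Disposition: attachment; filename="Invoice.docm"
Content-Transfer-Encoding: base64

ZmFrZQ==
--b1--
"""

URGENCY_TERMS = ("urgent", "immediately", "suspended", "24 hours", "verify your account")
RISKY_EXT = {".docm", ".xlsm", ".pptm", ".htm", ".html", ".iso", ".img", ".js", ".vbs",
             ".exe", ".lnk", ".scr"}  # assumed list; tune to your mail gateway policy
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def first_address(msg, header):
    """Return (display name, lowercase addr-spec) of the first mailbox in a header."""
    h = msg.get(header)
    if h is None or not h.addresses:
        return "", ""
    return h.addresses[0].display_name, h.addresses[0].addr_spec.lower()


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts as stamped by the receiving MTA."""
    verdicts = {}
    for ar in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(ar), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def decode_host(host):
    """Render an xn-- host as Unicode so the lookalike is visible to the analyst."""
    return host.encode("ascii").decode("idna") if "xn--" in host else host


def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings, iocs = [], {}
    name, addr = first_address(msg, "From")
    iocs["from_domain"] = addr.rpartition("@")[2]
    brand = name.split()[0].lower() if name else ""  # heuristic: leading word of display name
    if brand and brand not in iocs["from_domain"]:
        findings.append(f"display name '{name}' does not match sender domain {iocs['from_domain']}")
    _, reply = first_address(msg, "Reply-To")
    if reply and reply.rpartition("@")[2] != iocs["from_domain"]:
        iocs["reply_to_domain"] = reply.rpartition("@")[2]
        findings.append("Reply-To domain differs from From domain")
    iocs["auth"] = auth_results(msg)
    if iocs["auth"].get("spf") in ("fail", "softfail"):
        findings.append("SPF " + iocs["auth"]["spf"])
    if iocs["auth"].get("dkim") != "pass":
        findings.append("DKIM not passed (" + iocs["auth"].get("dkim", "absent") + ")")
    if iocs["auth"].get("dmarc") == "fail":
        findings.append("DMARC fail")
    # Sending IP from the topmost Received header, to be checked against threat intel later.
    received = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0])) if received else None
    iocs["sender_ip"] = m.group(1) if m else None
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    iocs["urls"] = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        iocs["urls"].append((url, decode_host(host)))
        if "xn--" in host:
            findings.append(f"punycode lookalike host {host} renders as {decode_host(host)}")
    iocs["attachments"] = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    for fn in iocs["attachments"]:
        if os.path.splitext(fn)[1].lower() in RISKY_EXT:
            findings.append(f"risky attachment type: {fn}")
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    urgency = [t for t in URGENCY_TERMS if t in haystack]
    if urgency:
        findings.append("urgency language: " + ", ".join(urgency))
    verdict = "PHISHING" if len(findings) >= 3 else "SUSPICIOUS" if findings else "NO FINDINGS"
    return {"verdict": verdict, "findings": findings, "iocs": iocs}


if __name__ == "__main__":
    report = triage(RAW)
    print(report["verdict"])
    for f in report["findings"]:
        print(" -", f)
```

The authentication verdicts are taken from the Authentication-Results header written by your own MX, never from headers the sender controls; the decoded punycode string and the sender IP are what you carry into the URL Inspector, Threat Intel and whois/dig steps.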
IR REPORT — TICKET #IR-2026-0441
EMAIL CLASSIFICATION
SENDER ANALYSIS
IOC SUMMARY
RECOMMENDED ACTIONS