Email Telemetry Investigations

Investigate phishing and email threats using headers, authentication results, and link analysis.

Last updated: February 2026

Purpose and Scope

Email remains the most common initial access vector for attackers. This playbook covers investigation techniques using email telemetry including message headers, authentication results (SPF, DKIM, DMARC), and embedded link analysis to identify and triage phishing campaigns.

Prerequisites

  • Email gateway logs: Access to logs from your mail transfer agent, secure email gateway, or cloud email platform
  • Header visibility: Ability to retrieve full email headers for suspicious messages
  • Authentication result logs: SPF, DKIM, and DMARC verdicts for inbound mail
  • URL analysis tools: Access to urlscan.io, VirusTotal, or similar services
  • Threat intelligence feeds: Domain and IP reputation data

Detection Goals

Use email telemetry to identify:

  • Spoofed sender addresses impersonating trusted domains
  • Credential harvesting links targeting your users
  • Business email compromise (BEC) patterns
  • Malicious attachments and weaponized documents
  • Compromised internal accounts sending phishing internally
  • Campaign patterns across multiple recipients

Key Data Fields

Message Headers

  • From: Display name and address shown to recipient
  • Return-Path / Envelope-From: Actual sender for bounces
  • Reply-To: Address used when recipient replies (often different in phishing)
  • Received: Chain of mail servers showing message path
  • Message-ID: Unique identifier for correlation
  • X-Originating-IP: Original sender IP (when available)

Authentication Results

  • SPF (Sender Policy Framework): Validates sending IP is authorized for the domain
  • DKIM (DomainKeys Identified Mail): Cryptographic signature verifying message integrity
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Policy combining SPF and DKIM alignment with the From domain
  • Authentication-Results header: Combined verdict from receiving mail server

Investigation Workflow

1. Analyze the Reported Message

When investigating a suspected phish:

  1. Retrieve full message headers (not just visible headers)
  2. Extract and document the From, Return-Path, and Reply-To addresses
  3. Note any display name spoofing (From name vs. From address mismatch)
  4. Check authentication results for SPF, DKIM, and DMARC

2. Evaluate Authentication Results

Authentication failures are common in phishing:

  • SPF fail: Sending server not authorized for claimed domain
  • DKIM fail: Message was modified or signature forged
  • DMARC fail: Neither SPF nor DKIM passed with alignment to the From domain
  • All pass but look-alike domain: Attacker owns a similar domain with valid auth

Note that pass results do not guarantee legitimacy. Attackers can set up valid SPF, DKIM, and DMARC for domains they control.

3. Trace the Delivery Path

Read Received headers from bottom to top to trace message routing:

  • Identify the originating mail server
  • Note any intermediate relays
  • Check for IP addresses that do not match expected infrastructure
  • Look up originating IPs for reputation and geolocation

4. Analyze Embedded Links

For URLs in the message body:

  • Extract all unique URLs (including href vs. display text mismatches)
  • Check for URL shorteners or redirects
  • Submit to urlscan.io to see landing page without visiting
  • Check domain registration date (newly registered domains are suspicious)
  • Query threat intelligence for domain and IP reputation

5. Determine Campaign Scope

Search your email logs to answer:

  • How many users received this message or variants?
  • Who clicked the link (if URL rewriting/click tracking is enabled)?
  • Are there messages with the same sender, subject pattern, or URLs?
  • What time range did the campaign span?
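The following Python script is an added example for this playbook, not code from the page or from RedPhish; it walks steps 1 to 4 over a single constructed message. It pulls the From, Return-Path and Reply-To fields, reads the spf/dkim/dmarc verdicts out of Authentication-Results, reads the Received chain bottom to top so that hop 0 is the originating server, and extracts links from the HTML body, flagging URL shorteners and href-versus-display-text mismatches. INTERNAL_DOMAIN, the shortener list, the impersonation watch-list and every name, domain and IP in SAMPLE_RAW are assumptions made up for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.test"                 # assumption: the organisation's own domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # constructed, deliberately short shortener list

# Constructed raw message (every name, domain and IP is made up): executive display name on
# a look-alike domain, Reply-To elsewhere, SPF/DMARC fail, shortened link behind internal-looking text.
SAMPLE_RAW = """\
Received: from mail.lookalike-example.test (unknown [203.0.113.45])
    by mx.example.test with ESMTP id def456; Mon, 2 Feb 2026 08:59:58 +0000
Received: from [198.51.100.7] (helo=outlook.example.test)
    by mail.lookalike-example.test with ESMTPA; Mon, 2 Feb 2026 08:59:50 +0000
Authentication-Results: mx.example.test;
    spf=fail smtp.mailfrom=lookalike-example.test;
    dkim=none;
    dmarc=fail header.from=lookalike-example.test
From: "Jane Doe (CEO)" <ceo@lookalike-example.test>
Reply-To: payments@lookalike-example.test
Return-Path: <bounce@lookalike-example.test>
Subject: Urgent wire transfer
Message-ID: <constructed-0001@lookalike-example.test>
Content-Type: text/html

<html><body><p>Please review the invoice:
<a href="https://bit.ly/constructed-short">https://portal.example.test/invoice</a></p></body></html>
"""

def sender_fields(msg):
    """Step 1: From, Return-Path and Reply-To split into display name, address and domain."""
    out = {}
    for hdr in ("From", "Return-Path", "Reply-To"):
        name, addr = parseaddr(str(msg.get(hdr, "")))
        out[hdr] = {"name": name, "address": addr.lower(), "domain": addr.rpartition("@")[2].lower()}
    return out

def auth_results(msg):
    """Step 2: spf/dkim/dmarc verdicts from the receiving server's Authentication-Results."""
    joined = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", joined))

def received_chain(msg):
    """Step 3: Received headers read bottom to top, so hop 0 is the originating server."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())
        frm, by = re.search(r"from\s+(\S+)", text), re.search(r"\bby\s+(\S+)", text)
        hops.append({"from": frm and frm.group(1), "by": by and by.group(1),
                     "ips": re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", text)})
    return hops

class LinkExtractor(HTMLParser):
    """Step 4: collect (href, visible text) pairs from the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_findings(msg):
    """Step 4: host, shortener check and href-vs-text mismatch for each link."""
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    findings = []
    for href, text in parser.links:
        host = urlparse(href).netloc.lower()
        issues = ["shortener"] if host in SHORTENERS else []
        if text.startswith("http") and urlparse(text).netloc.lower() != host:
            issues.append("href/text mismatch")      # visible text points somewhere else
        findings.append({"href": href, "text": text, "host": host, "issues": issues})
    return findings

def triage(raw):
    """Run steps 1-4 over one raw message and return parsed data plus triage flags."""
    msg = message_from_string(raw, policy=policy.default)
    fields, auth = sender_fields(msg), auth_results(msg)
    hops, links = received_chain(msg), link_findings(msg)
    frm, rto = fields["From"], fields["Reply-To"]
    flags = []
    # Constructed watch-list: executive or role names that should never arrive from outside.
    if frm["domain"] != INTERNAL_DOMAIN and re.search(r"\b(ceo|cfo|it support)\b", frm["name"], re.I):
        flags.append("display-name spoofing")
    if rto["address"] and rto["address"] != frm["address"]:
        flags.append("reply-to mismatch")
    flags += [f"{m}={auth.get(m, 'none')}" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    flags += [f"link {l['host']}: {i}" for l in links for i in l["issues"]]
    origin = hops[0]["ips"][0] if hops and hops[0]["ips"] else None
    return {"fields": fields, "auth": auth, "hops": hops, "links": links,
            "originating_ip": origin, "flags": flags}
```

Feed `triage()` the raw .eml text retrieved in step 1; `triage(SAMPLE_RAW)["flags"]` lists the display-name spoof, the Reply-To mismatch, the three authentication verdicts and both link findings. The flags are analyst prompts, not a verdict: as noted above, a look-alike domain with valid SPF, DKIM and DMARC produces no authentication flag at all, which is why the domain and link checks are kept separate from the authentication ones.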

Hunting Queries

SPF and DMARC Failures

Splunk (O365/Exchange):

index=email sourcetype=o365:messageTrace
| where spf_result="fail" OR dmarc_result="fail"
| stats count by sender_domain, spf_result, dmarc_result
| sort -count

Display Name Spoofing

Look for external senders using internal display names:

index=email direction=inbound
| where NOT match(sender_address, "@yourdomain\.com$")
| search sender_display_name IN ("CEO Name", "CFO Name", "IT Support")
| table _time, sender_address, sender_display_name, recipient, subject

Reply-To Mismatch

index=email direction=inbound
| where reply_to != sender_address AND isnotnull(reply_to)
| stats count by sender_address, reply_to
| where count > 1

Newly Registered Sender Domains

Correlate with WHOIS data or domain age enrichment:

index=email direction=inbound
| rex field=sender_address "@(?<sender_domain>[^>]+)"
| lookup domain_whois domain as sender_domain OUTPUT creation_date
| where creation_date > relative_time(now(), "-30d")
| table sender_domain, creation_date, recipient, subject
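Step 5 of the workflow and the four hunting queries above express their logic in Splunk. As an added example, not the playbook's or RedPhish's own code, the Python below runs the equivalent checks over constructed message-trace rows: SPF/DMARC failure counts by sender domain, display-name spoofing by external senders, repeated Reply-To mismatches, sender domains registered within the last 30 days against a stand-in WHOIS table, and the scope of a campaign keyed on one URL. The field names, watch-list, rows, WHOIS dates and the fixed NOW are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.test"             # assumption: the organisation's own domain
WATCH_NAMES = {"jane doe", "it support"}     # constructed executive/role display-name watch-list
NOW = datetime(2026, 2, 2, 12, 0)            # constructed "now" for the domain-age check

def row(t, sender, name, reply_to, rcpt, subject, url, spf, dmarc, clicked=False):
    """One constructed message-trace row shaped like the Splunk fields in the queries above."""
    return {"time": datetime(2026, 2, 2, *t), "sender": sender, "display_name": name,
            "reply_to": reply_to, "recipient": rcpt, "subject": subject, "url": url,
            "spf": spf, "dmarc": dmarc, "clicked": clicked}

# Constructed rows: one look-alike campaign, a role impersonation with valid auth, and benign mail.
RECORDS = [
    row((8, 59), "ceo@lookalike-example.test", "Jane Doe", "payments@lookalike-example.test",
        "finance@example.test", "Urgent wire transfer", "https://bit.ly/constructed-short", "fail", "fail"),
    row((9, 3), "ceo@lookalike-example.test", "Jane Doe", "payments@lookalike-example.test",
        "hr@example.test", "Urgent wire transfer", "https://bit.ly/constructed-short", "fail", "fail", True),
    row((9, 10), "ceo@lookalike-example.test", "Jane Doe", "payments@lookalike-example.test",
        "ops@example.test", "Urgent: invoice", "https://bit.ly/constructed-short", "fail", "fail"),
    row((10, 0), "news@vendor.test", "Vendor News", "", "all@example.test",
        "February promo", "https://vendor.test/promo", "pass", "pass"),
    row((10, 30), "helpdesk@support-example.test", "IT Support", "", "bob@example.test",
        "Password expiry", "https://support-example.test/reset", "pass", "pass"),
    row((11, 0), "alice@example.test", "Alice Example", "", "bob@example.test", "Lunch?", "", "pass", "pass"),
    row((11, 15), "billing@partner.test", "Partner Billing", "billing@partner.test",
        "finance@example.test", "Invoice 42", "https://partner.test/inv/42", "pass", "pass"),
]

# Constructed WHOIS creation dates standing in for the domain_whois lookup.
WHOIS_CREATED = {"lookalike-example.test": datetime(2026, 1, 20), "support-example.test": datetime(2026, 1, 28),
                 "vendor.test": datetime(2015, 3, 1), "partner.test": datetime(2012, 6, 9),
                 "example.test": datetime(2010, 1, 1)}

def domain(addr):
    return addr.rpartition("@")[2].lower()

def auth_failures(records):
    """SPF/DMARC failures counted by sender domain and verdict, most frequent first."""
    hits = Counter((domain(r["sender"]), r["spf"], r["dmarc"])
                   for r in records if "fail" in (r["spf"], r["dmarc"]))
    return hits.most_common()

def display_name_spoofing(records):
    """External senders whose display name is on the internal watch-list."""
    return [r for r in records
            if domain(r["sender"]) != INTERNAL_DOMAIN and r["display_name"].lower() in WATCH_NAMES]

def reply_to_mismatch(records, min_count=2):
    """(sender, reply_to) pairs that steer replies elsewhere, seen at least min_count times."""
    pairs = Counter((r["sender"], r["reply_to"]) for r in records
                    if r["reply_to"] and r["reply_to"].lower() != r["sender"].lower())
    return {pair: n for pair, n in pairs.items() if n >= min_count}

def young_sender_domains(records, whois, now=NOW, max_age_days=30):
    """Sender domains registered within max_age_days; domains missing from WHOIS are not flagged."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted({domain(r["sender"]) for r in records
                   if whois.get(domain(r["sender"]), datetime.min) > cutoff})

def campaign_scope(records, url):
    """Step 5: who received a given URL, who clicked, and the time span of the campaign."""
    hits = sorted((r for r in records if r["url"] == url), key=lambda r: r["time"])
    if not hits:
        return None
    return {"messages": len(hits),
            "recipients": sorted({r["recipient"] for r in hits}),
            "senders": sorted({r["sender"] for r in hits}),
            "subjects": sorted({r["subject"] for r in hits}),
            "clicked": [r["recipient"] for r in hits if r["clicked"]],
            "first": hits[0]["time"], "last": hits[-1]["time"]}
```

The `support-example.test` row is the case the note under step 2 warns about: both SPF and DMARC pass, so `auth_failures()` never sees it, and only the display-name and domain-age checks surface it. `reply_to_mismatch()` keeps the `count > 1` threshold of the Splunk query so a single legitimate sender with a ticketing Reply-To does not fire on its own.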

BEC Pattern Detection

Business email compromise often exhibits:

  • Urgency in subject or body ("urgent wire transfer", "immediate action")
  • Executive impersonation via display name
  • Reply-To pointing to an attacker-controlled address
  • Requests for sensitive data, payments, or credential entry
  • Simple text body (no images or formatting) to evade content filtering

Compromised Internal Account Detection

Signs of internal account compromise for phishing:

  • Sudden spike in sent messages from one account
  • Messages to many recipients with links or attachments
  • Sending activity during unusual hours
  • Messages with subjects unrelated to normal job function
  • Inbox rules forwarding messages externally

Validation and False Positives

  • Legitimate bulk senders: Marketing platforms may have different auth alignment
  • Forwarded messages: SPF can fail on forwarded mail
  • Mailing lists: List software modifies headers, breaking DKIM signatures
  • Shared services: SaaS platforms sending on behalf of users

Cross-reference with user confirmation and business context before concluding malicious intent.

Escalation Guidance

Escalate to incident response when:

  • User confirmed clicking link and entering credentials
  • Multiple users received and interacted with the same campaign
  • Message contained malicious attachment that was opened
  • Evidence of account compromise (forwarding rules, suspicious sign-ins)
  • BEC attempt targeting financial transactions

Response Actions

  • Block sender address and domain at email gateway
  • Purge remaining copies from user mailboxes
  • Add malicious URLs to proxy blocklist
  • Force password reset for users who entered credentials
  • Review sign-in logs for compromised accounts
  • Notify affected users with guidance

References

  • MITRE ATT&CK: Phishing (T1566)
  • MITRE ATT&CK: Phishing for Information (T1598)
  • RFC 7208: SPF
  • RFC 6376: DKIM
  • RFC 7489: DMARC
  • CISA: Business Email Compromise guidance
  • Microsoft: Investigating malicious email

Built by RedPhish LLC. All Rights Reserved. Copyright 2025.