Today I was asked to investigate an email that Microsoft Defender had flagged as malicious. In theory the verification is simple, but which evidence, and how much of it, should I collect to present the email as legitimate (or not) to the boss and the customer? Having spent more time than I'd like thinking about this, I am writing down a series of general checkpoints for common or stereotypical scenarios that I can reuse in the future.
| Checkpoint | Notes |
|---|---|
| Is the sender domain legitimate? | |
| Are the DMARC, DKIM and SPF results valid? | |
| Are there attachments? | |
| Are there links or calls to action in the email? | |
| Is the email expected? | |
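As an added example (not part of the original notes), here is a small Python script that collects the evidence for the first four checkpoints from a raw `.eml` file: the sender domain, the SPF/DKIM/DMARC results the receiving mail server stamped into the `Authentication-Results` header, the attachment names, and the links in the body. The message it runs on is a constructed sample, and the list of risky attachment extensions and the "link host outside the sender domain" heuristic are my own assumptions, not something Defender reports.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email). The Authentication-Results
# header mimics what a receiving MTA stamps on delivery.
SAMPLE_EML = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.example.net;
 dkim=none; dmarc=fail action=quarantine header.from=contoso-invoices.example
From: "Accounts Payable" <ap@contoso-invoices.example>
To: employee@example.com
Subject: Invoice overdue - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Please review <a href="http://contoso-invoices.example/pay">the invoice</a>
and confirm your details at https://login.example.org/verify now.</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Assumption: extensions that commonly carry malware or bypass content filters.
RISKY_EXTENSIONS = {".zip", ".iso", ".img", ".html", ".htm", ".js", ".vbs", ".lnk", ".exe"}


def sender_domain(msg):
    """Domain of the RFC 5322 From address (what the user actually sees)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", str(header))
            if m and method not in results:
                results[method] = m.group(1).lower()
    return results


def attachments(msg):
    """File names of all MIME parts that are not the message body."""
    return [part.get_filename() or "<unnamed>" for part in msg.iter_attachments()]


def links(msg):
    """Unique URLs in the preferred (HTML, then plain) body part."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return sorted(set(re.findall(r"https?://[^\s\"'<>]+", text)))


def triage(raw_bytes):
    """Run the checkpoints and return evidence plus a list of findings to write up."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    domain = sender_domain(msg)
    auth = parse_auth_results(msg)
    found_attachments = attachments(msg)
    found_links = links(msg)
    flags = []

    # Checkpoint: are DMARC, DKIM and SPF valid? Anything but 'pass' is worth noting.
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            flags.append(f"{method} result is '{verdict}', not 'pass'")

    # Checkpoint: attachments with extensions that deserve a closer look.
    for name in found_attachments:
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            flags.append(f"attachment '{name}' has risky extension {ext}")

    # Checkpoint: links that lead somewhere other than the sender's own domain.
    for url in found_links:
        host = (urlparse(url).hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            flags.append(f"link host '{host}' is outside sender domain")

    return {
        "sender_domain": domain,
        "auth": auth,
        "attachments": found_attachments,
        "links": found_links,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

The output is a plain list of observations (failed SPF, archive attachment, link to a third-party host) that can be pasted into a ticket as evidence; whether the email is "expected" still has to come from the recipient.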
Containment and Response
Block Sender or Domain:
- If confirmed malicious, blacklist the sender or domain.
- Update email filters to prevent similar threats if possible.
Notify Affected Users:
- Inform employees who received or interacted with the email so they do not expose themselves further.
- Provide guidance on what to do next, such as resetting credentials.
Investigate User Activity:
- Check whether any user clicked a link, opened an attachment, or entered sensitive information.
- If a compromise is confirmed, isolate the affected devices and accounts.