This project simulates a real-world phishing investigation from a Security Operations Center (SOC) perspective. The objective was to analyze suspicious domains, extract Indicators of Compromise (IOCs), validate malicious infrastructure, and document escalation-ready findings aligned with threat intelligence workflows.

The investigation focused on domain analysis, OSINT-based intelligence gathering, and structured IOC documentation to support incident response and defensive actions.

This lab demonstrates practical phishing threat analysis using open-source intelligence (OSINT) techniques and security investigation methodologies.

The objectives were to:

• Analyze suspicious domains and URLs
• Perform WHOIS and DNS intelligence gathering
• Identify malicious Indicators of Compromise (IOCs)
• Validate domain reputation using threat intelligence sources
• Document structured investigation workflow
• Recommend defensive mitigation strategies

• Reviewed suspicious URL/domain structure
• Checked for typosquatting or brand impersonation
• Identified suspicious TLD usage and domain patterns

Performed WHOIS lookups to extract:

• Domain creation date
• Registrar information
• Registrant details (if available)
• Hosting provider
• Name server information

Indicators of malicious intent included:

• Recently registered domains
• Privacy-shielded registrant details
• Inconsistent geographic hosting patterns

Investigated:

• A records (IP mapping)
• MX records (mail server configuration)
• NS records (name servers)
• Hosting ASN

This helped identify potential malicious hosting infrastructure and shared attacker environments.

Cross-referenced domain and IP reputation using:

• VirusTotal
• AbuseIPDB
• PhishTank alternatives
• Passive DNS lookups
• Public threat intelligence feeds

Findings included:

• Previously reported phishing activity
• Suspicious IP reputation scores
• Blacklist presence across security vendors

• Malicious domain(s)
• Associated IP address(es)
• Suspicious name servers
• Hosting ASN
• URL patterns used for credential harvesting

These IOCs can be ingested into SIEM tools for proactive monitoring and blocking.

The analyzed domain exhibited characteristics consistent with phishing infrastructure, including:

• Recent registration
• Reputation flags
• Credential harvesting patterns
• Infrastructure reuse indicators

The attack likely targeted user credential theft and potential account compromise.

Based on investigation findings:

• Block identified domains and IPs at firewall perimeter
• Add IOCs to SIEM watchlists for monitoring
• Enable phishing detection rules in email gateway
• Conduct user awareness communication if applicable
• Monitor for credential abuse attempts (MITRE T1078)

• T1566 – Phishing
• T1078 – Valid Accounts
• T1583 – Acquire Infrastructure
• T1598 – Phishing for Information

• Phishing investigation methodology
• OSINT-based threat intelligence analysis
• IOC extraction and validation
• Domain & DNS intelligence analysis
• Reputation analysis using threat feeds
• Structured SOC documentation workflow

• Automate IOC ingestion into SIEM
• Build phishing detection correlation rules
• Develop Python-based domain enrichment script
• Integrate API-based threat intelligence feeds

Ansuman Vadapalli GitHub: https://github.com/Anshu-soc LinkedIn: https://www.linkedin.com/in/ansuman-vadapalli-9526823b0/