📧 Email Triage Cheat Sheet
Quick reference for writing SOC email triage reports. Work through each section top to bottom.
⚠️ Blocking Warning
Before blocking IP addresses, remember: shared infrastructure like Gmail, Outlook/Microsoft 365, AWS, Azure, and Google Cloud is used by many legitimate services. Blocking their IPs can break business tools.
Prefer blocking these instead (more precise):
- Sender email address / domain
- Reply-To address
- Full URL(s) and domain(s)
- Attachment SHA256 (and optionally MD5/SHA1)
1) Email Description and Artifacts Collected
What this section is for:
Summarise what the email claims to be and list the key artifacts you collected.
Ask yourself:
- Who sent it, and who received it?
- What does the email claim to be (invoice, password reset, tax notice, delivery notice)?
- Does the sender address match the display name and claimed org/domain?
- Are there attachments, links, or embedded images?
- Do I have raw headers / .eml to support my notes?
Key artifacts to collect (most useful):
- Email details: From, To, Subject, Date/Time (timezone)
- Addresses: From and Reply-To (if present)
- Headers / source: full headers (.eml), Message-ID, Received, X-Sender-IP / X-Originating-IP (if present), Authentication-Results (SPF/DKIM/DMARC)
- Web: full URL(s) + domain(s)
- Attachments: filename(s), size(s), hashes (SHA256 first; MD5/SHA1 optional)
- Evidence: screenshot(s) of the email (UI view)
Sentence starters:
- “A suspicious email was received by [user/mailbox] on [date/time], purportedly from [sender/display name], requesting [action].”
- “Artifacts collected for analysis include [headers/source], [URL(s)/domain(s)], and [attachment metadata + SHA256].”
2) Artifact Analysis
What this section is for:
Record what you found when you checked each artifact (headers, URLs, attachment, infrastructure).
Ask yourself:
- Do any URLs redirect to unexpected destinations?
- Do reputation tools flag the domain/URL/hash?
- Does the email pass SPF/DKIM/DMARC?
- Is the attachment type suspicious for the context (unexpected PDF/HTML/ZIP)?
- Are there impersonation signs (typosquatting, urgency, lookalike branding)?
Key checks (keep it tight):
- URL/domain reputation: URLScan.io, VirusTotal, Google Safe Browsing
- File hash reputation: VirusTotal, MalwareBazaar (if allowed)
- Header auth: SPF / DKIM / DMARC (from Authentication-Results)
- Sender infrastructure: reverse DNS + WHOIS for sender IP (context only; not a “safe” indicator)
- Sandbox results for attachments (only if policy allows)
Sentence starters:
- “Analysis of the URL [url] using [tool] returned [result], indicating [finding].”
- “The attachment [filename] (SHA256: [hash]) was checked in [tool] and returned [clean/suspicious/unknown].”
- “Header authentication results were SPF=[pass/fail], DKIM=[pass/fail], DMARC=[pass/fail].”
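Most of the section 1 artifact collection and the section 2 header-auth check can be scripted so the report is filled from the raw message rather than from memory. The following Python script is an added example, not part of the cheat sheet: it pulls the listed artifacts (From/Reply-To, Message-ID, Received, originating IP, SPF/DKIM/DMARC results, URLs and their domains, attachment names and SHA256) out of a constructed sample .eml using only the standard library; every address, host and IP in the sample is made up.

```python
import email, email.policy, hashlib, re, urllib.parse

# Constructed sample .eml for demonstration: every address, host and IP below is made up.
SAMPLE_EML = b"""From: "Acme Billing" <billing@acme-invoices.example>
Reply-To: collections@mail-acme.example
To: jane.doe@example.org
Subject: Invoice 4471 overdue
Message-ID: <20250303091502.abc123@mail-acme.example>
Received: from mail-acme.example ([203.0.113.10]) by mx.example.org; Mon, 3 Mar 2025 09:15:04 +0000
X-Originating-IP: [203.0.113.10]
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=acme-invoices.example; dkim=fail header.d=acme-invoices.example; dmarc=fail header.from=acme-invoices.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is overdue. Pay now at https://acme-invoices.example/pay?id=4471
--b1
Content-Type: application/pdf; name="invoice_4471.pdf"
Content-Disposition: attachment; filename="invoice_4471.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)  # result tokens in Authentication-Results
URL_RE = re.compile(r"https?://[^\s<>\"']+")              # URLs in text/html bodies

def triage(raw):
    # Collect the section-1 artifacts (headers, URLs/domains, attachment hashes) from raw .eml bytes.
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hdr = lambda name: str(msg[name]) if msg[name] else None
    domain = lambda h: msg[h].addresses[0].domain.lower() if msg[h] and msg[h].addresses else None
    report = {
        "from": hdr("From"), "reply_to": hdr("Reply-To"), "to": hdr("To"), "subject": hdr("Subject"),
        "message_id": hdr("Message-ID"), "originating_ip": hdr("X-Originating-IP") or hdr("X-Sender-IP"),
        "received": [str(r) for r in msg.get_all("Received", [])],
        # spf/dkim/dmarc -> pass/fail/none, as recorded by the receiving server
        "auth": {m[1].lower(): m[2].lower() for m in AUTH_RE.finditer(hdr("Authentication-Results") or "")},
        "reply_to_domain_differs": domain("Reply-To") not in (None, domain("From")),  # impersonation sign
        "urls": [], "attachments": [],
    }
    for part in msg.walk():
        if part.is_attachment():
            data = part.get_payload(decode=True)  # decoded bytes, so the hash matches the saved file
            report["attachments"].append({"filename": part.get_filename(), "size": len(data),
                                          "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() in ("text/plain", "text/html"):
            report["urls"].extend(URL_RE.findall(part.get_content()))
    report["domains"] = sorted({urllib.parse.urlparse(u).hostname for u in report["urls"]})
    return report
```

Run `triage(open("message.eml", "rb").read())` on a real export and paste the resulting fields into sections 1 and 2; the DKIM/DMARC failures and the Reply-To domain mismatch in the sample are exactly the findings the sentence starters ask for.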
3) Suggested Defensive Measures
What this section is for:
Recommend containment and prevention actions based on the findings.
Ask yourself:
- Did any user click the link or open/run the attachment?
- Should we block the sender/domain/URL?
- Should we pull the email from other mailboxes?
- Do we need endpoint review (EDR alerts, downloads, execution)?
- Does this match a known campaign with more IOCs?
Common actions to recommend:
- Block sender address / domain / URL (avoid broad shared IP blocks)
- Pull/quarantine the email from affected mailboxes
- If credentials were entered: password reset + session/token revocation
- If attachment executed: escalate to IR and review endpoint telemetry
- Add IOCs (domain/URL/hash) to SIEM / threat intel / detections
Sentence starters:
- “Recommend blocking [domain/url/sender] at the email gateway and web filtering controls due to confirmed malicious use.”
- “If any user clicked the link or submitted credentials, initiate password reset and session revocation immediately.”
- “If the attachment was executed, escalate to IR and perform endpoint triage on affected hosts.”
Keep this file handy during triage. Update it as your environment, tools, or reporting format changes.