🛡️ Real Threats → Real SOC Skills: Vol. 1 - Phishing Detection

Breaking into cybersecurity? Train with real threats. Each week, we break a current cyber threat into SOC-ready skills—complete with analysis challenges.

:link: How It Works

:one: We pick a relevant threat from the latest Weekly Cyber Update
:two: Turn it into hands-on SOC analysis
:three: Challenge you to apply them (see below!)


:magnifying_glass_tilted_right: Your Blue Team Skill Focus: Mastering Phishing Detection

Phishing is one of the most common—and dangerous—ways hackers get into systems. It happens when attackers send fake emails or texts that look real to trick people into clicking harmful links or sharing sensitive information like passwords or payment details.

This week, you’ll learn how to spot the signs, analyze suspicious messages, and respond like a SOC analyst—using real phishing threats seen in the wild.


:police_car_light: Real Threats in the Wild: Recent Phishing Incidents

:magnifying_glass_tilted_left: What Happened:
Phishing attacks surged this week across multiple sectors, showing just how convincing these scams have become:

:newspaper: Headline Incidents

  • :receipt: Business: Fake DocuSign emails, where clicking a seemingly innocent link would redirect users to a fraudulent Google login page, stealing their usernames and passwords. (Malwarebytes)
  • :hospital: Healthcare: Criminals have been impersonating legitimate insurance companies through emails and texts, trying to trick people into sharing private medical and payment details. (The Register)
  • :airplane: Travel: Scattered Spider group has been using social engineering to impersonate airline staff via emails and calls to steal sensitive information. (The Hacker News)

These incidents prove that phishing today isn’t obvious or sloppy — it’s polished, targeted, and often hosted on trusted platforms. As a blue teamer, spotting these scams early is one of the most valuable skills you can build.


:shield: SOC Skill Drill: Identifying and Analyzing Phishing Attacks

:light_bulb: Why It Matters
Phishing is the #1 way hackers sneak into systems, and SOC analysts are often the first to check if a message is safe. Catching these scams early stops data theft and protects your company. This skill is a daily must for new analysts.

:white_check_mark: Analyst Workflow: Step-by-Step

:magnifying_glass_tilted_left: SOC Analyst Workflow: Phishing Analysis

  1. Sender Verification
    • Check the “From” field: Compare to known legitimate addresses.
      :white_check_mark: Legit: [email protected]
      :cross_mark: Suspicious: [email protected] (character substitution)
    • View full headers: Look for mismatches between Return-Path (the envelope sender address recorded by the receiving mail server, which is where the message actually came from) and the displayed From address. A mismatch indicates the sender may be faking their identity (spoofing).
  2. Link Examination
    • Hover preview: Check the bottom-left browser corner for the true destination URL before clicking.
      :white_check_mark: Safe: https://www.docusign.com/secure
      :cross_mark: Risky: https://docusign-review.webflow.io (unofficial domain; beware of slight misspellings or extra words)
    • Verify domains: Use online tools like VirusTotal (an online service that scans links and files for known threats) to check the reputation of suspicious URLs.
  3. Content Analysis
    • Urgency indicators:
      :cross_mark: “Immediate action required!”
      :cross_mark: “Your account will be suspended if you don’t click now.”
    • Language cues:
      :cross_mark: Generic greetings (“Dear User,” “Dear Customer”)
      :cross_mark: Poor grammar, unusual phrasing, or spelling mistakes.
    • Unusual requests: Be wary of requests for sensitive information (passwords, credit card numbers) that seem out of place for the context.
  4. Authentication Checks
    • SPF/DKIM/DMARC: These are technical security checks that email systems use to verify if an email really came from where it says it did. Use an email header analyzer (like Google’s MessageHeader, or a built-in feature in your email client) to see if these checks passed. If they fail, it’s a strong sign the email is fake.
  5. Independent Verification
    • If the message claims to be from a company, always find their official contact info independently. Type their known website address directly into your browser (do NOT click a link in the suspicious message) and then use their official contact details (phone number, support email) to confirm the message’s legitimacy. Never reply directly to the suspicious message.
  6. Report Findings
    • Document all identified red flags, analysis notes, and any relevant Indicators of Compromise (IOCs) (pieces of data like suspicious URLs or email addresses that show a system might be compromised) for your SOC ticket or internal report.
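The workflow above, steps 1 to 4, as a small triage script. This is an added example, not part of the original post: it uses only the Python standard library, assumes the message claims to be from docusign.com, and runs over a constructed raw email (all addresses, hosts and header values in it are made up) so it works offline.

```python
# Added example, not from the original post: runs the workflow's checks (steps 1-4)
# over one raw email. All sample data below is constructed.
import re
from email import message_from_string, policy
from urllib.parse import urlparse
BRAND = "docusign.com"  # domain the message claims to come from
URGENCY = ("immediate action required", "will be suspended", "click now")
def _domain(value):
    """Last two labels of the domain in an address or host, brackets stripped."""
    host = value.lower().rsplit("@", 1)[-1].strip("<> ")
    return ".".join(host.split(".")[-2:])

def _edit_distance(a, b):
    """Levenshtein distance: 1-2 edits from the brand domain suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(raw):
    """Return the red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    frm = _domain(msg["From"])
    rp = _domain(msg.get("Return-Path", msg["From"]))
    flags = [f"from/return-path mismatch: {frm} vs {rp}"] if frm != rp else []  # step 1
    if frm != BRAND and _edit_distance(frm, BRAND) <= 2:  # character substitution
        flags.append(f"lookalike sender domain: {frm}")
    text = msg.get_body(("plain",)).get_content()
    for url in re.findall(r"https?://[^\s\"'<>]+", text):  # step 2: link domains
        host = urlparse(url).hostname or ""
        if _domain(host) != BRAND:
            flags.append(f"off-brand link: {host}")
    auth = str(msg.get("Authentication-Results", "")).lower()  # step 4
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            flags.append(f"{check} {m.group(1) if m else 'missing'}")
    flags += [f"urgency phrase: {p!r}" for p in URGENCY if p in text.lower()]  # step 3
    return flags
SAMPLE = """\
Return-Path: <bounce@mailer-example.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=mailer-example.test; dkim=none; dmarc=fail header.from=docus1gn.com
From: DocuSign <noreply@docus1gn.com>

Immediate action required! Your account will be suspended if you don't click now.
Review: https://docusign-review.webflow.io/doc/1
"""
```

Running `triage(SAMPLE)` returns nine flags covering every red flag the workflow lists; a genuine docusign.com message with passing SPF/DKIM/DMARC and on-brand links returns an empty list.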

:magnifying_glass_tilted_left: Pro Tip: Bookmark the CISA Phishing Infographics for quick reference.

:toolbox: Tool of the Week: VirusTotal

VirusTotal is a free tool that checks if URLs or files are harmful. Paste a link—like docusign-review.webflow.io—to see if it’s a phishing scam without clicking it. SOC analysts use it daily to safely analyze suspicious links.

Why It’s Perfect for This Threat

  • Free and easy—no setup needed.
  • Shows clear warnings if a link is dangerous.
  • Helps you complete the challenge’s “Analyze the Link” task.

Quick Start:

  1. Go to virustotal.com
  2. Paste any suspicious link
  3. Check the “Community” tab for analyst insights

Pro Tip: Paste the challenge’s URL into VirusTotal and check for warnings like “phishing” to spot scams fast.

:bullseye: SOC Challenge: Apply What You’ve Learned

:pushpin: Scenario: You’re the on-call analyst investigating a reported DocuSign phishing attempt

Your Tasks:
:one: Check the Sender for fake email addresses (e.g., @docus1gn.com).
:two: Analyze the Link to spot suspicious domains.
:three: Spot Red Flags in the message’s urgent or odd wording.
:four: Test Your Knowledge with SOC questions on auth checks, CAPTCHAs, and response steps.

:trophy: What You Get:
  • Expert feedback from active SOC professionals
  • Featured spot in our newsletter
  • Earn badges to showcase your skills
  • Real-world prep using current threat intelligence

:stopwatch: 30-60 min · Lifetime skills

Start Challenge!


:speech_balloon: Let’s Talk About It!

You’ve tackled phishing scams and built a key SOC skill. Share your insights to help us all grow as cyber defenders!

  • What’s one clue in an email or text (like a typo or weird link) that makes you think, “This is fake”? Share an example!
  • What’s a sneaky trick hackers used in these phishing stories that surprised you?
  • Have you spotted a phishing scam in real life? What tipped you off?

Jump into the comments below and share your thoughts! :down_arrow:


:blue_book: Mini Cyber Glossary

Looking for more terms? We’ve got a full thread now → Full Cybersecurity Glossary

Term: Meaning
  • Phishing: A fake message designed to trick you into clicking a link or giving information
  • Email Header: The behind-the-scenes details of an email, showing who really sent it
  • Sandbox: A secure environment where malware can be tested without harming your system
  • Botnet: A group of infected computers controlled by hackers, often used to attack other systems
  • DDoS (Distributed Denial of Service): A cyberattack that floods a service with traffic to take it offline
  • Incident Response (IR): The process of identifying, containing, and recovering from a cyberattack

:bell: Don’t miss out — Join the Newsletter

Want the next labs, skill breakdown, solutions, and summit picks in your inbox?

:right_arrow: Join the Crushing Security Newsletter


:speech_balloon: Got Questions or Tips?

Reply below or visit the feedback page to help shape the next update!

Tags: phishing, malware, blue-team, incident-response, network-analysis, soc-skills, beginner-cybersecurity