Breaking into cybersecurity? Train with real threats. Each week, we break a current cyber threat into SOC-ready skills—complete with analysis challenges.
How It Works
- We pick a relevant threat from the latest Weekly Cyber Update
- Turn it into hands-on SOC analysis
- Challenge you to apply them (see below!)
Your Blue Team Skill Focus: Mastering Phishing Detection
Phishing is one of the most common—and dangerous—ways hackers get into systems. It happens when attackers send fake emails or texts that look real to trick people into clicking harmful links or sharing sensitive information like passwords or payment details.
This week, you’ll learn how to spot the signs, analyze suspicious messages, and respond like a SOC analyst—using real phishing threats seen in the wild.
Real Threats in the Wild: Recent Phishing Incidents
What Happened:
Phishing attacks surged this week across multiple sectors, showing just how convincing these scams have become:
Headline Incidents
- Business: Fake DocuSign emails, where clicking a seemingly innocent link would redirect users to a fraudulent Google login page, stealing their usernames and passwords. (Malwarebytes)
- Healthcare: Criminals have been impersonating legitimate insurance companies through emails and texts, trying to trick people into sharing private medical and payment details. (The Register)
- Travel: The Scattered Spider group has been using social engineering to impersonate airline staff via emails and calls to steal sensitive information. (The Hacker News)
These incidents prove that phishing today isn’t obvious or sloppy — it’s polished, targeted, and often hosted on trusted platforms. As a blue teamer, spotting these scams early is one of the most valuable skills you can build.
SOC Skill Drill: Identifying and Analyzing Phishing Attacks
Why It Matters
Phishing is the #1 way hackers sneak into systems, and SOC analysts are often the first to check if a message is safe. Catching these scams early stops data theft and protects your company. This skill is a daily must for new analysts.
Analyst Workflow: Step-by-Step
SOC Analyst Workflow: Phishing Analysis
- Sender Verification
  - Check the “From” field: Compare to known legitimate addresses. Legit: [email protected]. Suspicious: [email protected] (character substitution).
  - View full headers: Look for mismatches between Return-Path (the actual email address the message came from) and the displayed From address. Mismatches indicate the sender might be faking their identity (spoofing).
- Link Examination
  - Hover preview: Check the bottom-left browser corner for the true destination URL before clicking. Safe: https://www.docusign.com/secure. Risky: https://docusign-review.webflow.io (unofficial domain; beware of slight misspellings or extra words).
  - Verify domains: Use online tools like VirusTotal (an online service that scans links and files for known threats) to check the reputation of suspicious URLs.
- Content Analysis
  - Urgency indicators: “Immediate action required!”, “Your account will be suspended if you don’t click now.”
  - Language cues: Generic greetings (“Dear User,” “Dear Customer”), poor grammar, unusual phrasing, or spelling mistakes.
  - Unusual requests: Be wary of requests for sensitive information (passwords, credit card numbers) that seem out of place for the context.
- Authentication Checks
  - SPF/DKIM/DMARC: These are technical security checks that email systems use to verify whether an email really came from where it says it did. Use an email header analyzer (like Google’s MessageHeader, or a built-in feature in your email client) to see if these checks passed. If they fail, it’s a strong sign the email is fake.
- Independent Verification
  - If the message claims to be from a company, always find their official contact info independently. Type their known website address directly into your browser (do NOT click a link in the suspicious message) and then use their official contact details (phone number, support email) to confirm the message’s legitimacy. Never reply directly to the suspicious message.
- Report Findings
  - Document all identified red flags, analysis notes, and any relevant Indicators of Compromise (IOCs) (pieces of data like suspicious URLs or email addresses that show a system might be compromised) for your SOC ticket or internal report.
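To make the workflow concrete, here is an added example (not code from the original post) that runs the sender, link, content and authentication checks above over a constructed raw email. The `KNOWN_GOOD` allowlist, the cue phrases, the digit-swap table and the sample message are assumptions for this scenario.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: lookalike sender, mismatched Return-Path, failed auth checks, untrusted link.
SAMPLE = """\
From: DocuSign <noreply@docus1gn.com>
Return-Path: <bounce@mail-relay.example.net>
Subject: Immediate action required: document pending
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none; dmarc=fail header.from=docus1gn.com

Dear User,
Your account will be suspended if you don't click now.
Review here: https://docusign-review.webflow.io/sign?id=123
"""

KNOWN_GOOD = {"docusign.com"}  # assumed allowlist of legitimate sender and link domains
CUES = ("immediate action", "suspended", "click now", "verify your account", "dear user", "dear customer")
SWAPS = {"1": "il", "0": "o", "3": "e", "5": "s"}  # digits commonly swapped in for letters

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def lookalike(dom):  # untrusted domain that equals a trusted one once digit swaps are undone
    cands = {""}
    for ch in dom:
        cands = {c + r for c in cands for r in SWAPS.get(ch, ch)}
    return dom not in KNOWN_GOOD and bool(cands & KNOWN_GOOD)

def triage(raw):
    """Run the workflow's checks over a raw RFC 5322 message and return the red flags found."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain(parseaddr(msg.get("From", ""))[1])
    rp_dom = domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:            # step 1: Return-Path vs From (spoofing)
        flags.append(f"return-path mismatch: {rp_dom} != {from_dom}")
    if lookalike(from_dom):                      # step 1: character substitution
        flags.append(f"lookalike sender domain: {from_dom}")
    for chk, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")):
        if res != "pass":                        # step 4: SPF/DKIM/DMARC results
            flags.append(f"{chk} {res}")
    body = msg.get_payload()
    for host in re.findall(r"https?://([^/\s]+)", body):
        if host.lower() not in KNOWN_GOOD:       # step 2: true link destination
            flags.append(f"untrusted link domain: {host}")
    text = (msg.get("Subject", "") + " " + body).lower()
    flags += [f"content cue: {p}" for p in CUES if p in text]  # step 3: urgency and language cues
    return flags
```

Running `triage(SAMPLE)` returns ten flags for this message; an email from the allowlisted domain with passing authentication and no cues returns an empty list.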
Pro Tip: Bookmark the CISA Phishing Infographics for quick reference.
Tool of the Week: VirusTotal
VirusTotal is a free tool that checks if URLs or files are harmful. Paste a link—like docusign-review.webflow.io—to see if it’s a phishing scam without clicking it. SOC analysts use it daily to safely analyze suspicious links.
Why It’s Perfect for This Threat
- Free and easy—no setup needed.
- Shows clear warnings if a link is dangerous.
- Helps you complete the challenge’s “Analyze the Link” task.
Quick Start:
- Go to virustotal.com
- Paste any suspicious link
- Check the “Community” tab for analyst insights
Pro Tip: Paste the challenge’s URL into VirusTotal and check for warnings like “phishing” to spot scams fast.
SOC Challenge: Apply What You’ve Learned
Scenario: You’re the on-call analyst investigating a reported DocuSign phishing attempt
Your Tasks:
- Check the Sender for fake email addresses (e.g., @docus1gn.com).
- Analyze the Link to spot suspicious domains.
- Spot Red Flags in the message’s urgent or odd wording.
- Test Your Knowledge with SOC questions on auth checks, CAPTCHAs, and response steps.
What You Get:
✓ Expert feedback from active SOC professionals
✓ Featured spot in our newsletter
✓ Earn badges to showcase your skills
✓ Real-world prep using current threat intelligence
30-60 min → Lifetime skills
Let’s Talk About It!
You’ve tackled phishing scams and built a key SOC skill. Share your insights to help us all grow as cyber defenders!
- What’s one clue in an email or text (like a typo or weird link) that makes you think, “This is fake”? Share an example!
- What’s a sneaky trick hackers used in these phishing stories that surprised you?
- Have you spotted a phishing scam in real life? What tipped you off?
Jump into the comments below and share your thoughts!
Mini Cyber Glossary
Looking for more terms? We’ve got a full thread now → Full Cybersecurity Glossary
| Term | Meaning |
|---|---|
| Phishing | A fake message designed to trick you into clicking a link or giving information |
| Email Header | The behind-the-scenes details of an email, showing who really sent it |
| Sandbox | A secure environment where malware can be tested without harming your system |
| Botnet | A group of infected computers controlled by hackers, often used to attack other systems |
| DDoS | A cyberattack that floods a service with traffic to take it offline (Distributed Denial of Service) |
| Incident Response (IR) | The process of identifying, containing, and recovering from a cyberattack |
Don’t miss out — Join the Newsletter
Want the next labs, skill breakdown, solutions, and summit picks in your inbox?
Join the Crushing Security Newsletter
Got Questions or Tips?
Reply below or visit the feedback page to help shape the next update!
Tags: phishing, malware, blue-team, incident-response, network-analysis, soc-skills, beginner-cybersecurity