July 4, 2026
Investigating a Phishing Email Like a SOC Analyst — Part 1: Email Header Analysis
By Najeebparkar
Introduction
Phishing emails remain one of the most common initial attack vectors used by cybercriminals. A single malicious email can lead to credential theft, malware infections, ransomware deployment, or even full network compromise.
I have 4 emails, and my goal is to identify whether each one is a phishing attempt or a legitimate email. Every email targets a different domain. The first step is email header analysis:
When a suspicious email is reported, the first thing a SOC analyst examines is the email header.
Unlike the email body, which attackers can easily manipulate, headers contain technical metadata that reveals how the email actually traveled across the Internet.
In this investigation, I analyzed a suspicious banking email using a structured methodology similar to what many SOC teams follow during phishing investigations.
Step 1 — Reviewing Basic Header Information
The first step was identifying the sender information.
From: CIBC-Banking.Service.Email.8@caib.com
At first glance this appears convincing because the display name references CIBC Banking.
However, SOC analysts never trust the display name.
The actual domain is what matters.
Step 2 — Verifying the Sender Domain
The sender claimed to represent CIBC Bank.
The official domain used by CIBC is:
The email instead originated from: caib.com
Although the names appear visually similar, they are completely different domains.
This is a classic example of domain spoofing or look-alike domain abuse, where attackers register domains that resemble trusted organizations in an attempt to deceive recipients.
At this point, the email already appeared highly suspicious.
Step 3 — Investigating the Sender IP Address
The next step was identifying the sending server.
Sender IP: 190.6.201.67
Using a WHOIS lookup service on the IP address, I identified the source.
The IP resolved to:
- Country: Honduras
- City: Tegucigalpa
- ISP: Cablecolor S.A.
- ASN: AS27884
This finding raised another red flag.
CIBC is a Canadian financial institution, so receiving an official banking notification from infrastructure located in Honduras is highly unusual.
I also found that no CIBC bank exists in Honduras.
Although companies sometimes use third-party email providers, financial institutions generally send emails from trusted infrastructure or reputable cloud email services — not from unrelated networks in foreign countries.
Step 4 — Verifying SPF Authentication
One of the most important checks during header analysis is SPF (Sender Policy Framework).
The header contained:
spf=fail
It also included:
Received-SPF: Fail
SPF is an email authentication mechanism that specifies which mail servers are authorized to send emails on behalf of a domain.
An SPF failure means the sending server was not authorized to send emails for that domain.
For SOC analysts, SPF failures are a strong indicator of phishing or sender spoofing.
Step 5 — Decision-making and Reporting
Evidence Collected
During the investigation, I identified several independent indicators of compromise.
Each individual indicator increased the likelihood of phishing.
When considered together, they provided strong evidence that the email was malicious.
Final Verdict
Based on the collected evidence, I classified the email as a phishing attempt.
The investigation revealed multiple independent indicators that confirmed the sender was attempting to impersonate a trusted financial institution.
No single indicator alone was used to make the decision.
Instead, the conclusion was based on a combination of:
- Sender domain verification
- Return-Path analysis
- IP reputation lookup
- SPF validation
- Contextual analysis of the email subject
This layered approach reflects how phishing investigations are typically conducted in a Security Operations Center.
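The header checks from Steps 1 to 4 above, assembled into one script as an added example (not the post's own tooling): it parses a constructed header set that carries the post's sender address, sender IP and SPF values, pulls out the real From domain, the first-hop IP and the SPF verdict, and lists the indicators found. The brand's expected domain, cibc.com, is an assumption supplied by the analyst, and the relay names and queue id in the sample are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the values quoted in this post; relay names and
# the queue id are made up, and the real captured headers are not reproduced.
SAMPLE_HEADERS = """\
Return-Path: <CIBC-Banking.Service.Email.8@caib.com>
Received: from relay.example.net (relay.example.net [203.0.113.5])
 by mx.recipient.example (Postfix) with ESMTP id 4F2A1
Received: from unknown (HELO caib.com) ([190.6.201.67])
 by relay.example.net with SMTP
Received-SPF: Fail (relay.example.net: 190.6.201.67 is not a permitted sender)
Authentication-Results: relay.example.net; spf=fail smtp.mailfrom=caib.com
From: CIBC-Banking.Service.Email.8@caib.com
"""

IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def addr_domain(header_value):
    """Domain of the real address; any display name is deliberately ignored."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def originating_ip(msg):
    """Each hop prepends a Received header, so the last one is the first hop."""
    hops = msg.get_all("Received", [])
    m = IPV4.search(hops[-1]) if hops else None
    return m.group(1) if m else None

def spf_result(msg):
    """Prefer Authentication-Results; fall back to the Received-SPF verdict."""
    m = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    if m:
        return m.group(1).lower()
    rs = msg.get("Received-SPF", "")
    return rs.split()[0].lower() if rs else None

def assess(raw_headers, claimed_brand, expected_domain):
    """Run the post's header checks; expected_domain is assumed, supplied by the analyst."""
    msg = message_from_string(raw_headers)
    from_domain = addr_domain(msg.get("From"))
    rp_domain = addr_domain(msg.get("Return-Path"))
    findings = {"sender_domain": from_domain, "originating_ip": originating_ip(msg),
                "spf": spf_result(msg), "indicators": []}
    if claimed_brand.lower() in msg.get("From", "").lower() and from_domain != expected_domain:
        findings["indicators"].append(f"claims {claimed_brand} but sends from {from_domain}")
    if rp_domain and rp_domain != from_domain:
        findings["indicators"].append(f"Return-Path domain {rp_domain} differs from From")
    if findings["spf"] in ("fail", "softfail", "none"):
        findings["indicators"].append(f"SPF result is {findings['spf']}")
    return findings
```

Call assess(SAMPLE_HEADERS, "CIBC", "cibc.com") to get the findings; the extracted IP still needs the WHOIS lookup from Step 3, which the script leaves to the analyst.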
Here is how I report my analysis:
It's a PDF, but I didn't see any option in Medium to upload a PDF in an article, so I put screenshots of the pages.
In the next part, I will perform email attachment analysis. Stay tuned.