Phishing Email Detection Using Splunk – SOC Project

Listen to this Post

Featured Image
Phishing remains one of the most prevalent cyber threats, and detecting malicious emails is crucial for Security Operations Centers (SOCs). Splunk, a powerful SIEM tool, can be leveraged to analyze email logs, identify phishing attempts, and mitigate risks. Below is a detailed guide on implementing phishing email detection using Splunk.

You Should Know:

1. Setting Up Splunk for Email Log Analysis

Before detecting phishing emails, ensure Splunk is configured to ingest email logs (e.g., from Microsoft 365, Exchange, or SMTP servers).

Key Commands & Steps:

  • Ingest Email Logs:
    Configure Splunk to monitor email logs 
    /opt/splunk/bin/splunk add monitor /var/log/mail.log -index email_logs -sourcetype mail_log 
    

  • Verify Data Ingestion:

    Check if logs are being indexed 
    index=email_logs | head 10 
    

2. Detecting Phishing Indicators

Phishing emails often contain suspicious links, attachments, or sender addresses. Use Splunk queries to flag these indicators.

Example SPL (Splunk Query Language) Queries:

  • Detect Suspicious Links:
    index=email_logs 
    | regex url="(http:\/\/|https:\/\/)?(www.)?(phishy|malicious|xyz).(com|net|org)" 
    | table _time, sender, recipient, url 
    

  • Identify Unusual Sender Domains:

    index=email_logs 
    | stats count by sender 
    | where count > 10 
    | eval domain=mvindex(split(sender, "@"), 1) 
    | stats count by domain 
    | sort -count 
    

  • Flag Executable Attachments:

    index=email_logs 
    | search attachment=".exe OR .bat OR .ps1" 
    | table _time, sender, recipient, attachment 
    

3. Automating Alerts in Splunk

Create real-time alerts for SOC teams to respond quickly.

Steps to Set Up Alerts:

  1. Navigate to Alerts → New Alert in Splunk.
  2. Define the search query (e.g., index=email_logs | search attachment=".exe").

3. Set trigger condition: “Run every 5 minutes”.

4. Configure actions: Email notification / SIEM integration.

What Undercode Say:

Phishing attacks are evolving, and automated detection using Splunk enhances SOC efficiency. Key takeaways:
– Monitor email logs in real-time.
– Use regex and SPL to detect anomalies.
– Automate alerts for rapid response.

Additional Useful Commands:

  • Extract URLs from Logs (Linux):
    grep -Eo '(http|https)://[^/"]+' /var/log/mail.log | sort | uniq -c 
    

  • Check Suspicious Domains with dig:

    dig +short suspicious-domain.com 
    

  • Analyze Attachments with `file` Command:

    file phishing-attachment.exe 
    

  • Windows PowerShell Email Log Analysis:

    Get-EventLog -LogName "Application" -Source "SMTP" | Where-Object { $_.Message -match "phish" } 
    

Expected Output:

A Splunk dashboard displaying:

  • Top phishing email senders.
  • Frequency of malicious attachments.
  • Real-time alerts for SOC action.

Prediction:

AI-driven phishing attacks will increase, requiring advanced Splunk ML integrations for better detection.

(Relevant URL: Splunk Phishing Detection Guide)

IT/Security Reporter URL:

Reported By: Shihab Hossen – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram