
Email Analysis: Best Practices for Blue Teamers
Tags: Cybersecurity, Email Analysis, Phishing, Blue Team, SPF, DMARC, DKIM, IOCs
The author asks fellow "blue teamers" what steps they take when a client requests an email analysis. Their usual procedure is to check the headers, the Reply-To address, and the SPF, DKIM, and DMARC results, then examine any links and attachments. For obvious phishing they follow the links in a controlled environment, sometimes submitting a fake password, and try to determine whether the attack is targeted or a general campaign. They also check whether other users received similar emails and deliver a report with a list of domains and IOCs to block.
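As an added illustration of the header and IOC steps in that procedure (this is example code, not the poster's own tooling), the following stdlib-only Python script triages a raw .eml: it reads the Authentication-Results stamp for SPF/DKIM/DMARC, compares the From, Reply-To and Return-Path domains, pulls URLs and attachment hashes, and emits a blocklist-ready IOC set. The sample message, its .example domains and the TEST-NET IP are constructed for the demo. It deliberately never fetches a link or opens an attachment; link-following and detonation stay manual, sandboxed steps.

```python
"""Offline triage of a suspicious .eml: headers, sender alignment,
SPF/DKIM/DMARC results, links, attachments, and an IOC list.
Stdlib only; nothing is fetched, executed or detonated."""
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for this example. All domains use the reserved
# .example TLD and the IP is from TEST-NET-3 (203.0.113.0/24); none are real.
SAMPLE_EML = b"""Return-Path: <bounce@bulk-sender.example>
Received: from mail.bulk-sender.example (mail.bulk-sender.example [203.0.113.7])
\tby mx.victim.example with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=bulk-sender.example;
\tdkim=none; dmarc=fail (p=reject) header.from=bank.example
From: "Bank Security" <alerts@bank.example>
Reply-To: support@bank-verify.example
To: user@victim.example
Subject: Urgent: verify your account
Date: Mon, 1 Jan 2024 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please <a href="http://login.bank-verify.example/auth">verify</a> now.</p>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

RISKY_EXT = {"exe", "scr", "js", "vbs", "hta", "lnk", "iso", "img", "bat", "ps1", "com"}
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPs in Received


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Collapse Authentication-Results into {'spf'|'dkim'|'dmarc': verdict}.
    The outermost (first) header wins. Caveat: a sender can forge this header,
    so a real workflow also checks that the authserv-id is your own MX."""
    results = {}
    for hdr in msg.get_all("Authentication-Results") or []:
        for method, verdict in AUTH_RE.findall(str(hdr)):
            results.setdefault(method.lower(), verdict.lower())
    return results


def analyze(raw):
    """Return {'auth': ..., 'findings': [...], 'iocs': {...}} for raw .eml bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, domains, ips, hashes = [], set(), set(), []

    # 1. Authentication results: anything other than 'pass' is worth a line.
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method.upper()} result: {verdict}")

    # 2. Sender alignment: From vs Reply-To vs Return-Path (envelope sender).
    from_dom = domain_of(msg["From"])
    for name in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
            domains.add(dom)

    # 3. Hops: every relay IP in the Received chain goes into the IOC list.
    for hdr in msg.get_all("Received") or []:
        ips.update(IP_RE.findall(str(hdr)))

    # 4. Links: hosts that are not the From domain (or a subdomain of it).
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                host = (urlparse(url).hostname or "").lower()
                if host and host != from_dom and not host.endswith("." + from_dom):
                    findings.append(f"link to non-sender host: {url}")
                    domains.add(host)

    # 5. Attachments: hash every one, flag risky or double extensions.
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8", "replace")
        digest = hashlib.sha256(data).hexdigest()
        hashes.append(digest)
        exts = name.lower().split(".")[1:]
        if exts and (exts[-1] in RISKY_EXT or len(exts) > 1):
            findings.append(f"attachment {name!r} sha256={digest} has a risky or double extension")

    return {"auth": auth, "findings": findings,
            "iocs": {"domains": sorted(domains), "ips": sorted(ips), "sha256": hashes}}


if __name__ == "__main__":
    report = analyze(SAMPLE_EML)
    for line in report["findings"]:
        print("-", line)
    print("IOCs:", report["iocs"])
```

The IOC list is the piece that feeds the client report; the findings are only heuristics, so a clean result here does not clear a message, and `Authentication-Results` should be trusted only when the authserv-id matches your own receiving MX.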