Skip to content

A user reports a suspicious email. Walk me through how you triage it safely.

Short answer

Examine the email safely without clicking: check the headers and sender authentication (SPF/DKIM/DMARC), inspect URLs and attachments in a sandbox or with reputation tools, then scope it — who else received it, did anyone click or enter credentials. Based on findings, remediate by purging the email, blocking indicators, and resetting any exposed credentials.

Phishing is the most common initial-access vector, so phishing triage is daily SOC work. Interviewers ask this to check two things: that you investigate safely (no clicking live links), and that you think about scope, not just the single reported email.

Examine the email safely

Never click. Work from the raw message. Read the headers: the true sending IP and path, and the results of SPF, DKIM, and DMARC, which tell you whether the sender domain was authorized and the message untampered. Check the display name versus the actual address (spoofing and lookalike domains), and look for the usual social-engineering cues — urgency, mismatched reply-to, credential-harvesting pretexts.

Extract URLs and inspect them with reputation services or a sandbox/detonation environment rather than your own browser. Detonate attachments in a sandbox to observe behavior. Defanged indicators (hxxp://) keep you from clicking by accident.

Scope the blast radius

This is the step juniors forget. Search the mail gateway and SIEM: who else received this or similar messages? Did anyone click the link or open the attachment? Did anyone submit credentials on the landing page? One report usually represents a campaign hitting many inboxes.

Remediate proportionally

Purge the message from all affected mailboxes, block the sender domain, URLs, and file hashes at the gateway and proxy, and add indicators to detection. If credentials were entered, treat it as account compromise: reset passwords, revoke sessions, and watch for follow-on logins.

Document and close

Record indicators and conclusions so the next similar email is handled faster.

Why this matters

Safe handling plus scoping shows judgment. An analyst who treats one phishing report as a potential org-wide campaign — and never detonates a payload on their own machine — is exactly who interviewers want triaging the inbox.

Likely follow-ups

  • What do SPF, DKIM, and DMARC each tell you about a sender?
  • How would you scope the blast radius across the whole organization?
  • What do you do differently if someone already entered their credentials?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.