An Incident Response perspective on the real difference between Spam and Phishing


This article was first published on the Palo Alto Networks Live Community

Disclaimer: All data and pictures within this blog post have been taken from the Palo Alto Networks Cortex XSOAR Platform. XSOAR is a highly customisable and scalable incident response platform which can help you improve, automate and support your Security Operations Center. A community edition is available for you to try out.

Email spam: unsolicited, undesired, or illegal email messages

This is the short definition Wikipedia displays when you look up Spam. From an Incident Response perspective it gives us a lot of room in how to work with and respond to spam emails. Let me explain…

What do you think is the difference between Spam, Phishing, Spear Phishing or Whaling? To me personally: initially, nothing.

Some spam from last night

Phishing is just another classification of Spam

To me it is as simple as that. Most email security vendors will not hide that there is no real difference. While Spam in most cases simply tries to trick you into clicking an advertisement or creating click-stream on a certain website, there is a gray zone where there is some malicious intent. This could start with a simple scam, where the advertisement isn’t real and they simply want to trick you into sending money, or it goes one step further and they try to steal information or want to add some nice malware to your system.

All in all, it all starts with an email.

This leads to the conclusion that Spam and every form of phishing have more in common than not. Mainly:

  • Vector (or attack vector), which is mainly email in all cases
  • Medium, which is still email but also means that our investigation and intelligence share the same methodology

So when you think about it from a response perspective, you will see that our response isn’t that different either. A standard response playbook for Phishing will also work for Spam. And finally:

  • Report: both (Spam and Phishing) will be reported the same way, so it makes sense to respond the same way and change the classification and action later on

I always opt for the same analytics and a focused response. Meaning that you standardise the analytics and triage part of the security operation, and only after that take very specific actions based on your findings in the remediation part.

Simple XSOAR playbook

The following playbook runs on my private machine. For fun (and blog posts) I operate a very small instance of XSOAR and basically feed it with all the suspicious emails of the family.

Running a small instance (in terms of hardware resources) also means that I do not want to spend all resources of the machine if I do not need to. So the playbook follows a very simple idea:

  • Extract and Enrich all indicators
    The first part of the playbook focuses on extracting all indicators from the email itself as well as from the attachments
  • Postmark / SpamAssassin Score
    Next is to get the SpamAssassin score. SpamAssassin is a tool maintained by the Apache Software Foundation which runs basic checks against the email header and comes back with a score. In my scenario I am using Postmark, which is a free and out-of-the-box API integration giving you the same score

Based on these two enrichments I decide on the next steps:

  • Is it Spam?
    Postmark will reply with:
    Score < 0: the email was deemed legit
    Score > 0: the email was deemed Spam
  • DBotScore Average
    XSOAR has a built-in function called DBot Average Score, which is a simple mathematical trick for how we score. It takes the plain average of all the scores decided by the indicators, which means that the score gets higher the more malicious indicators are found. It also means that if there is at least one malicious (3) indicator, the score can never be 0 (Unknown).

Now we can decide on the next steps, which mainly split into three options: perform a full run of the out-of-the-box Phishing playbook created by the Cortex XSOAR team, ask the user what they think, or close the incident.

Close Investigation

The simplest step we have. This action will be performed if:

  • Postmark score is larger than 2

A score like this means that this is most likely a real spam email. The email has most likely been reported by a user because they found it to be Spam, or we have fetched it from a Spam folder somewhere.

As a possible next step we could update our blocklists or remove such emails from the different mailboxes.

Run Phishing Investigation

The next step is of course to go all out and perform a full investigation. So what is a good indication that you should do that? To me it comes down to:

  • DBot Score is somewhere around 1 or 0 (Benign or Unknown), which basically means that all indicators we have seen are okay and would not already have been blocked by a Firewall or Proxy.
  • Postmark Score is below 0, which means that the email has not been identified as Spam at all. This is a good indication that it is not Spam and might be something else, like Phishing or legit.

In these cases I run the full investigation to be sure. Besides providing more information, because the playbook goes deeper, extracts more data and also uses more enrichment sources, it will also populate our Incident Response layout with more data which can help the analyst make a decision.
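The two enrichment scores and the branching rules described above (close on a clearly spammy Postmark score, full investigation when nothing looks like spam and the indicators are unknown or benign, otherwise ask the user), as an added example in plain Python. This is not the author's content pack or XSOAR's own code: the thresholds are taken from the post, the `Indicator` class and its sample values are constructed for illustration.

```python
# Added example, not the author's content pack: the post's triage rules as plain Python.
# Thresholds come from the post; the indicator values below are constructed.
from dataclasses import dataclass

# XSOAR DBotScore reputation values used by the "DBot Average Score" step
UNKNOWN, BENIGN, SUSPICIOUS, MALICIOUS = 0, 1, 2, 3


@dataclass
class Indicator:
    value: str  # URL, domain, hash or address extracted from the mail or attachments
    score: int  # DBotScore reputation returned by enrichment


def dbot_average(indicators):
    """Plain average of all indicator reputations, as the post describes.

    One malicious (3) indicator already lifts the average above 0 (unknown), and
    the more bad indicators there are, the higher the average climbs.
    """
    if not indicators:
        return 0.0
    return sum(i.score for i in indicators) / len(indicators)


def triage(postmark_score, indicators):
    """Pick the next playbook branch: "close", "run_phishing_playbook" or "ask_user"."""
    avg = dbot_average(indicators)
    # Clearly spammy score: the mail was almost certainly reported (or pulled
    # from a spam folder) as ordinary spam, so just close the incident.
    if postmark_score > 2:
        return "close"
    # Not spam at all and every indicator is unknown or benign (nothing a proxy
    # or firewall would already have blocked): go all out with the full playbook.
    if postmark_score < 0 and avg <= BENIGN:
        return "run_phishing_playbook"
    # Anything in between is ambiguous: ask the reporting user what they think.
    return "ask_user"


# Constructed sample: one reported mail with three extracted indicators
SAMPLE_INDICATORS = [
    Indicator("https://example.invalid/login", BENIGN),
    Indicator("sender@example.invalid", UNKNOWN),
    Indicator("example.invalid", BENIGN),
]
```

Calling `triage(-1.5, SAMPLE_INDICATORS)` returns `"run_phishing_playbook"`; the same mail with a Postmark score of 5 is simply closed.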


As you can see in the picture, the full investigation gives us screenshots of the email, of all the URLs and even of the attachments. Together with the indicator overview this is enough to support an educated decision by the analyst.


Circling back to the beginning, I hope this simple approach also shows why I think that Spam can be a good major category, and the rest is just a classification or “close reason” after you have finished your investigation.

From an incident response perspective it does not make much sense to worry about the detailed classification of the email right from the get-go, as a lot of the data you would need in order to make an educated decision will not be available to you before you have performed an initial investigation and enrichment.

So, possible classifications or close reasons:

  • Spam, which is its own classification
  • Legitimate, meaning the investigation did not show any ill intent
  • Malicious, meaning it was Phishing or worse and will further be classified into one of the Phishing sub-types

The Full playbook

Below I post a picture of the full playbook. I am happy to share the content pack, please feel free to reach out.

Thanks for reading until the end, have a lovely day, a lot of fun and please be excellent to each other