Structura.io
Email Security · Polling trigger · 36 actions

Multi-Source Phishing Email Analysis

Analyze phishing emails with EmailRep, URLScan, and VirusTotal to produce a comprehensive threat report.

Integrates with
EmailRep, URLScan.io, VirusTotal

Overview

A comprehensive phishing triage playbook that runs suspicious emails through three threat intelligence sources in parallel: EmailRep for sender reputation, URLScan.io for URL analysis, and VirusTotal for attachment hashing and URL scanning. It aggregates the findings into a single security report.

Who this is for: Tier-2 SOC analysts doing deeper phishing triage than VirusTotal alone provides

Why automate this

Single-source phishing triage misses indicators that another tool would catch. Running EmailRep, URLScan, and VirusTotal in parallel gives you defense-in-depth at the analysis stage. Each tool contributes a different lens, and the aggregated verdict is far more reliable than any single source.

How it works

  1. Retrieve the suspicious email from the inbox

  2. Extract sender email, URLs, and attachments

  3. Submit the sender to EmailRep for reputation scoring

  4. Submit each URL to URLScan.io for deep analysis

  5. Submit URL reputations to VirusTotal in parallel

  6. Hash each attachment and look it up in VirusTotal

  7. Aggregate all three verdicts into a unified threat score

  8. Generate a structured report for the analyst
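
The extraction and hashing in steps 2 and 6, as an added Python sketch (not the playbook's own code). The function names, the URL pattern and the sample message are assumptions constructed for illustration, and no lookup service is called.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed URL pattern: stops at whitespace, quotes and closing brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)

def extract_indicators(raw: bytes) -> dict:
    """Pull the sender address, unique URLs and attachment SHA-256 hashes from a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    urls, attachments = set(), []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            # decode=True undoes base64 so the hash covers the file bytes, not the encoding
            data = part.get_payload(decode=True) or b""
            attachments.append({"filename": part.get_filename() or "(unnamed)",
                                "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_maintype() == "text":
            # get_content() undoes quoted-printable/base64, so "id=3D1" is read as "id=1"
            for url in URL_RE.findall(part.get_content()):
                urls.add(url.rstrip(".,;"))  # drop trailing sentence punctuation
    return {"sender": sender, "urls": sorted(urls), "attachments": attachments}

def build_sample() -> bytes:
    """Constructed test message; example.test is a reserved, non-routable name."""
    m = EmailMessage()
    m["From"] = '"IT Helpdesk" <Helpdesk@example.test>'
    m["To"] = "analyst@example.test"
    m["Subject"] = "Password expiry notice"
    m.set_content("Reset here: http://login.example.test/reset?id=1.")
    m.add_alternative('<a href="https://login.example.test/reset?id=1">Reset</a> '
                      '<a href="http://login.example.test/reset?id=1">mirror</a>',
                      subtype="html")
    m.add_attachment(b"constructed attachment bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.bin")
    return m.as_bytes()

if __name__ == "__main__":
    print(extract_indicators(build_sample()))
```

Deduplicating URLs before submission keeps the per-URL lookups in steps 4 and 5 to one request per distinct link.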

Impact

  • Three-source verdict reduces false negatives significantly

  • Parallel execution keeps total runtime under 30 seconds

  • Structured report means consistent analyst handoff

  • Each verdict is logged for trend analysis and tuning

Bring this playbook into your SOC

See Deployer Workflows in action with a live walkthrough of this playbook. We'll show you how to connect your SIEM, EDR, and ticketing tools in under 15 minutes.