SANS Challenge Demonstrates Phishing IOC Extraction

Ed Skoudis and the SANS Holiday Hack Challenge present an interactive exercise (dated Dec 25, 2025) that guides participants through triaging a phishing email. The article walks through an email sample, full headers, and an interactive dashboard to extract indicators of compromise—domains, IPv4 addresses, and URLs—using tailored regex patterns and examples.
Key Points
- Extracts domains, IPv4 addresses, and URLs from a phishing email using tailored regex patterns.
- Highlights common regex pitfalls and shows stricter patterns to reduce false positives like filenames.
- Advises analysts to remove known friendly IOCs and validate matches before blocking or remediation.
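As an added illustration of the approach the key points describe (this is not code from the SANS article), the following Python runs on a constructed sample email and shows a naive domain pattern matching a filename, a stricter pattern that rejects it, IPv4 validation that drops an impossible address, and removal of allowlisted friendly indicators; every name, pattern and sample value is an assumption.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample email: defanged and live indicators, a filename that a naive
# domain regex mistakes for a host, an invalid IPv4, and a known-friendly internal URL.
SAMPLE_EMAIL = """From: "Payroll" <hr@corp-payroll-update.example>
Subject: Action required: review invoice.pdf before 5pm
Please open the attached invoice.pdf and confirm at
hxxp://login.corp-payroll-update[.]example/verify?id=42
Backup server: 203.0.113.7 (port 8080) or 256.1.1.1 if the first fails.
Our internal portal is https://intranet.example.com/home
"""

# Naive pattern: any "word.word" token, so "invoice.pdf" is reported as a domain.
NAIVE_DOMAIN = re.compile(r"\b[\w-]+\.[A-Za-z]{2,}\b")
# Stricter pattern: hostname-legal labels, a letters-only TLD, and a negative lookahead
# so common file extensions are not accepted as the final label.
FILE_EXTS = r"(?:pdf|docx?|xlsx?|zip|exe|png|jpg|txt)"
STRICT_DOMAIN = re.compile(
    rf"\b(?:[a-z0-9](?:[a-z0-9-]{{0,61}}[a-z0-9])?\.)+(?!{FILE_EXTS}\b)[a-z]{{2,63}}\b",
    re.IGNORECASE,
)
IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
# Constructed allowlist of known-friendly domains the analyst maintains.
FRIENDLY = {"intranet.example.com", "example.com"}

def refang(text: str) -> str:
    """Undo common defanging so live and defanged indicators hit the same patterns."""
    return text.replace("[.]", ".").replace("hxxp", "http")

def is_friendly(host: str) -> bool:
    """True when host is an allowlisted domain or a subdomain of one."""
    return any(host.lower() == f or host.lower().endswith("." + f) for f in FRIENDLY)

def naive_domains(text: str) -> set[str]:
    return set(NAIVE_DOMAIN.findall(refang(text)))

def extract_iocs(text: str) -> dict[str, set[str]]:
    text = refang(text)
    domains = {d.lower() for d in STRICT_DOMAIN.findall(text) if not is_friendly(d)}
    ips = set()
    for cand in IPV4_CANDIDATE.findall(text):
        try:  # "256.1.1.1" passes the regex but is not a valid address
            ips.add(str(ipaddress.IPv4Address(cand)))
        except ValueError:
            pass
    urls = {u.rstrip(".,;)") for u in URL.findall(text)}
    urls = {u for u in urls if not is_friendly(urlparse(u).hostname or "")}
    return {"domains": domains, "ipv4": ips, "urls": urls}
```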
Scoring Rationale
Practical, actionable regex guidance boosts analyst effectiveness; novelty is limited and the scope is narrow, covering phishing triage only.
