Trace the Phish: Pivoting from Email to DNS to Server IP

OSINT Level 2/5 ~3 min 2026-07-02

The challenge

A user reported this phishing email. Open the sources and correlate them: the email links to a domain, the domain has a DNS record, and a leaked config mentions the same host. Find the address the phishing site actually runs on and submit that IP.

What you'll learn

  • Pivot across independent sources (email, WHOIS, DNS, paste) to build a picture
  • Read a phishing email's headers and link for the attacker's domain
  • Resolve a hostname to its A record and recognise it as the real infrastructure
  • Spot a freshly registered look-alike domain as a phishing indicator

Skills tested

  • OSINT pivoting
  • DNS and WHOIS reading
  • Phishing triage

Prerequisites

  • Basic understanding of email, domains, and DNS records
  • Awareness of phishing

How it works

Investigating a phishing report is an exercise in pivoting: no single artifact tells the whole story, so you connect independent sources until they point at the same thing. You start with what the victim received and follow it outward to the attacker's infrastructure.

The email is the entry point. Its display name impersonates IT, but the real signal is the link domain, acme-verify.co - a look-alike of the legitimate brand. The WHOIS corroborates the threat: the domain was registered only days ago and hides behind privacy, both hallmarks of a throwaway phishing domain. The decisive pivot is DNS: resolving the phishing hostname secure-login.acme-verify.co gives an A record, and that IP - 203.0.113.66 - is the actual machine serving the fake login page. The leaked kit config is independent confirmation: it lists the attacker's admin panel on the same IP.

The OSINT board presents each source as a card you open and read. The intel you want is not on any one card by itself; it emerges when the email's domain, the DNS A record, and the paste all line up on one address. That address is what a defender blocks at the firewall and reports to a takedown service.
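The pivot described above, as an added example that is not the platform's own code: it extracts the link host from a constructed copy of the email, flags the domain from a constructed WHOIS summary, resolves the host against a constructed stand-in for a DNS resolver, and reports only the IP that the leaked config also names. All artifacts are constructed to match the values in this write-up so it runs offline.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed sample artifacts modelled on the challenge's three sources (not real data).
EMAIL = """From: "IT Support" <it-support@acme-verify.co>
Subject: Action required: verify your account

Your password expires today. Confirm here:
https://secure-login.acme-verify.co/login?u=jdoe
"""
# Constructed WHOIS summary for the link domain.
WHOIS = {"acme-verify.co": {"created": "2026-06-29", "registrant": "REDACTED FOR PRIVACY"}}
# Constructed stand-in for a DNS resolver (hostname -> A record), so this runs offline.
DNS_A = {"secure-login.acme-verify.co": "203.0.113.66"}
# Constructed leaked phishing-kit config as found on the paste card.
PASTE = "panel_url = http://203.0.113.66:8080/admin\nresult_mail = drop@example.net\n"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def link_hosts(email_text):
    """Hostnames from every URL in the body: the link, not the display name, is the evidence."""
    return sorted({urlparse(u).hostname for u in URL_RE.findall(email_text)})

def registrable_domain(host):
    """Last two labels: a crude approximation; real triage should consult the public suffix list."""
    return ".".join(host.split(".")[-2:])

def whois_flags(domain, today_iso):
    """WHOIS indicators: registered within 30 days, and registrant hidden behind privacy."""
    rec = WHOIS.get(domain)
    if rec is None:
        return []
    age = (date.fromisoformat(today_iso) - date.fromisoformat(rec["created"])).days
    flags = ["newly-registered"] if age <= 30 else []
    if "PRIVACY" in rec["registrant"].upper():
        flags.append("privacy-protected")
    return flags

def pivot(email_text, today_iso):
    """Correlate email -> DNS -> paste and return the IPs every source agrees on."""
    hosts = link_hosts(email_text)
    resolved = {h: DNS_A.get(h) for h in hosts}
    paste_ips = set(IPV4_RE.findall(PASTE))
    # The intel emerges only where the resolved A record also appears in the leaked config.
    corroborated = {h: ip for h, ip in resolved.items() if ip and ip in paste_ips}
    flags = {registrable_domain(h): whois_flags(registrable_domain(h), today_iso) for h in hosts}
    return {"hosts": hosts, "resolved": resolved, "corroborated": corroborated, "whois": flags}
```

The corroborated address is the one to block and report; a host that resolves but never appears in an independent source stays a lead, not a finding.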

Common mistakes

  • Submitting the domain instead of the IP. The question asks where the site runs - resolve the hostname to its A record.
  • Trusting the From display name. 'IT Support' is spoofable; the link domain is the evidence.
  • Reading one source in isolation. The answer comes from connecting the email's host, the DNS record, and the paste.
  • Ignoring the registration date. A domain created days ago is a strong phishing indicator worth noting.

How to defend against it

Defensively, the recovered IP and domain feed directly into response: block them, hunt for other users who clicked, and submit a takedown. The freshly registered look-alike is the kind of indicator that newly-registered-domain detections and brand-monitoring catch early.

  • Block the malicious domain and IP at the mail gateway and firewall, and hunt logs for prior contact.
  • Monitor for newly registered look-alike domains of your brand.
  • Report phishing infrastructure to the hosting provider and a takedown service.


Community stats

69 completions
90% success rate
M2F14M3 First blood