Playbook for Email Domain Spoofing Detection

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 1 minute
  • This playbook helps with the early-stage triage of user-reported phishing submissions by alerting the analyst to the possibility of a look-alike domain in the phisher's email address.

    The Email Domain Spoofing Detection playbook looks for a similarity match between the phisher's sender email domain and a trusted domain name that exists in the observable repository. When the playbook identifies a spoofed sender email domain match, analysts are alerted with a tag.

    The workflow is based on an existing playbook, which provides a consistent and efficient approach to incident investigation. Each decision point in the playbook has been converted into an outcome-driven task, and the flow changes direction based on the outcome of such tasks.
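
The similarity match between a sender domain and the trusted domains can be sketched as follows. This is an added example, not the playbook's own logic: the trusted-domain set stands in for the observable repository, and the homoglyph table, distance measure, threshold and tag names are all assumptions.

```python
import unicodedata

# Constructed stand-in for trusted domains held in the observable repository.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}
# Assumed visual substitutions folded before comparison (not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

def sender_domain(address):
    """Return the lower-cased sender domain, or None if the address is malformed."""
    local, sep, domain = address.strip().strip("<>").rpartition("@")
    if not sep or not local or not domain:
        return None
    try:  # decode punycode labels so IDN look-alikes are compared as Unicode
        return domain.lower().encode("ascii").decode("idna")
    except UnicodeError:
        return domain.lower()

def skeleton(domain):
    """Fold accents, digit-for-letter swaps and 'rn'/'vv' tricks into one form."""
    text = unicodedata.normalize("NFKD", domain)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def triage(address, max_distance=2):
    """Return (tag, matched trusted domain) for a reported sender address."""
    domain = sender_domain(address)
    if domain is None:
        return ("malformed_sender", None)
    if domain in TRUSTED_DOMAINS:  # exact match is not a look-alike
        return ("trusted_domain", domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(skeleton(domain), skeleton(trusted)) <= max_distance:
            return ("lookalike_domain", trusted)
    return ("no_match", None)
```

A fixed distance threshold produces false positives on very short domains, so tune `max_distance` against the lengths of the domains actually in the trusted list.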