Audit and system logs are the best resource with which to start investigating an email phishing campaign against a company's email server. They are records of events and activities that occur on a system or a network, such as user logins, file access, configuration changes, or network traffic. They help an incident response team identify the source, scope, and impact of the phishing attack, collect evidence, trace the attack steps, and determine the root cause. They also help the team evaluate the security posture and controls of the email server and recommend remediation and mitigation actions. [1][2]
References: CompTIA Cloud Essentials+ Certification Exam Objectives [3]; CompTIA Cloud Essentials+ Study Guide, Chapter 7: Cloud Security; Cloud Essentials+ Certification Trainin