Patterns for NTA
Phishing is classified as Technique ID 1598 (T1598), and it contains three sub-techniques: Spearphishing Service, Spearphishing Attachment and Spearphishing Link.
The NIST phishing incident response playbook gives the context and purpose for which patterns will be re-useful for in NTA.
Packet capture
Narrow down a packet output using SMTP status codes: smtp.response.code
Message for status code 220:
<domain> Service ready
Blocked email: 553, mailbox name not allowed
Status code typically preceding a SMTP DATA command: 354
Traffic analysis
Standard smtp port: 25
Initial filter: smtp