Phishing Email Analysis

Types of Malicious Emails

• Spam: unsolicited junk emails sent out in bulk to a large number of recipients. The more malicious variant of Spam is known as MalSpam.

• Phishing: emails sent to a target(s) purporting to be from a trusted entity to lure individuals into providing sensitive information.

• Spear phishing: takes phishing a step further by targeting a specific individual(s) or organization seeking sensitive information.

• Whaling: is similar to spear phishing, but it's targeted specifically to C-Level high-position individuals (CEO, CFO, etc.), and the objective is the same.

• Smishing: takes phishing to mobile devices by targeting mobile users with specially crafted text messages.

• Vishing: is similar to smishing, but instead of using text messages for the social engineering attack, the attacks are based on voice calls.

• Quishing: Also known as QR Code Phishing, uses QR codes to lure unsuspecting users to scan the QR code and redirect them to a phishing website.

Characteristics of Phishing Emails

• The sender email name/address will masquerade as a trusted entity (email spoofing).

• The email subject line and/or body (text) is written with a sense of urgency or uses certain keywords such as Invoice, Suspended, etc.

• The email body (HTML) is designed to match a trusting entity such as Banking/e-commerce websites.

• The email body (HTML) is poorly formatted or written (contrary from the previous point).

• The email body uses generic content, such as Dear Sir/Madam.

• The email body only shows an image, hyperlink, or QR code without any further context or information.

• Hyperlinks (oftentimes uses URL shortening services to hide its true origin).

• A malicious attachment posing as a legitimate document.

Email Header Analysis

• Gather for the following header information:

  • From: Sender’s email address.

  • Subject: Email’s subject line.

  • Date: Date when the email was sent.

  • To: The recipient’s email address.

  • X-Originating-IP: The IP address of the email was sent from. This is known as an X-header.

  • Smtp.mailfrom / header.from: The domain the email was sent from (these headers are within Authentication-Results).

  • Reply-To / Return-Path: This is the email address a reply email will be sent to instead of the From email address.

  • Received: Contains the address of each server the email has passed through and the date and time when it left the server.

  • Sender IP Address

    • Use IP Information Look up tools to gather relevant IP information such as location, owner, etc.

  • Use Reverse IP Lookup tools to get the root domain of the IP.

  • Utilize Email Header Anaylzer tools to easily view email headers.

• Is the display name is similar to the From address: John Doe ([email protected])?

  • Phishing emails tend to have different display name and From address: Bill Gates ([email protected]).

  • Threat actors trick users by posing as a known user by changing the display name.

• Are the Reply-To / Return-Path and From address the same?

  • If the email is legitimate, we should expect that Return-Path and From are the same.

  • When the sender address is spoofed, threat actors sometimes sets the Return-Path address to an address that they control so that the replies will go to them instead of the sender address.

  • There are exceptions to this, sometimes companies are set up to have different reply-to in their emails.

• Was the email sent from the correct SMTP server?

  • Check the Domain’s MX and SPF records by using SFP/DKIM/DMARC Lookup tools.

  • Verify if the sender IP matches to the IPs listed in the sender domain’s SPF record.

  • The Received-SPF and Authentication-Results field tells you if the sender has pass/failed the SPF check.

  • You can also use the Received field to identify the routes/servers the email passed through. This allows you to determine if the email has passed through potentially malicious servers.

• Check for Sender IP reputation

  • Check if the sender’s IP has been reported for malicious activity previously.

  • Utilize IP reputation tools

    • When using VirusTotal, double check if the IP/Domain/URL/File has been scanned previously. Threat actors sometimes trick analyst by scanning their files/domain when it is still benign so that the result will come back as clean. Always click the rescan button to initiate a fresh scan of the target.

• Check Whois info of the sender domain

  • Check if the sender domain was registered recently. If the domain is recent, there’s a high chance that the sender is not legitimate.

  • Whois Lookup tools

Email Body Analysis

• View Source code

  • If the email is formatted as HTML, you can view the email’s source code. The process of viewing may vary depending on the webmail client.

• View PDF attachment from source code

  • If the Content-Transfer-Encoding is base64, you can decode that and reconstruct the PDF.

  • You can use CyberChef to decode base 64 and Save the output as PDF.

• Perform Text Analysis on the contents of the body.

  • Check the language and tone of the message. Is the language used formal or informal? The use of informal, imprecise language is a common indicator of phishing emails. Phishing emails will often address the recipeint as sir/ma'am, while emails from legitimate senders will always address you using your name or username.

  • Check the urgency of the message. Does the email request urgent action? Phishing emails often use phrases that force the recipient to take immediate action.

  • Check for threatening phrases. Does the message contain threatining phrases, such as account suspension/deletion, sensitive files were exfiltrated, sensitive info will be leaked, etc. Such phrases are designed to provoke an emotional response from the recipient, causing them to act impulsively.

  • Check for grammatical errors. Does the message contain grammar mistakes? Phishing emails often have grammatical errors, however with recent improvements in AI, grammatical errors might no longer be present in newer phishing campaigns.

• Gather links in the email

  • Analyze links. Does the link sent take you to a reliable source?

  • Avoid clicking on the link and instead hover over it to reveal the URL. You may also try right click and copy link.

  • Before pasting the link to the analysis tools/Sandbox verify if there are any user information such as email address in the parameter of the URL (/[email protected]). This is to avoid alerting the attacker that the email is valid.

  • The attacker might also encode the parameter values in base64 (/?email=am9obkBjb250b3NvLmNvbQ==).

  • It is recommended to try to change the parameter to another value or remove the parameter entirely from the URL before pasting the link to the tools.

  • When adding links to your report, you must defang them first to avoid accidentally clicking the malicious link. Use URL Defang tools to make the link unusable.

  • Utilize URL Extractor tools to easily extract all possible URLs inside the email.

  • If the email contains QR code instead of URLs, you can use QR Code scanner tools to extract the URL from the QR Code.

• Perform Phishing Detection and Analysis

  • Utilize online Phishing Detection and Analysis tools to assist you in analyzing possible phishing emails and links.

• Perform Static Analysis on Links/Domains

  • Using IP/Domain reputation Tools, verify if the domain/links have been reported previously.

• Perform Dynamic Analysis on Links/Domains to further gather more information.

  • Virtual Browsers

  • Online Sandbox

• Obtain Attachment

  • Download and Save the attachment to a sandbox environment for further analysis. Be careful not to click on any links or attachments in the email accidentally.

  • Get the file’s hash for further analysis and to compare with hash values in various malware databases.

    Linux

    Copy

    sha256sum [FILE]

    Windows

    Copy

    Get-filehash -Algorithm SHA256 [FILE] | Format-List

• Analyze attachment for malicious contents

  • Utilize File Reputation lookup tools to check whether the file has been reported previously by providing the file’s hash.

  • Utilize Online Sandbox to anaylze the file for potentially malicious processes and Indicators of Compromise (IOCs).

  • Please be aware when uploading attachments/files to File Reputation lookup tools and Online Sandboxes. These tools stores/shares the result of your submission. You may not want to share files with sensitive information.

Additional Phishing Techniques

Cloud Storage Services

Attackers may use cloud storage services such as Google Drive, OneDrive, SharePoint, Dropbox, etc. to store their payloads. This is to trick users into clicking on Google Drive or OneDrive links as those appear harmless and came from a legitimate entity (Google, Microsoft) to trick users into downloading malicious files.

Subdomains and Pages

Attackers try to deceive users, security products, and analysts by creating a free subdomain or pages from services from Microsoft, WordPress, Blogspot, Wix, Google pages, etc. Since Whois information cannot be searched as a subdomain, analysts can be tricked that these addresses have been taken in the past and belong to legitimate organizations such as Microsoft, WordPress, Google, etc.

Form Applications

Various platforms allow for form creation, which attackers use instead of developing their own phishing sites. The domain is normally harmless, thus it can be sent to the user without triggering security scanners. A popular service is Google Forms. As the Whois information shows that it is from a legitimate entity, the attacker can mislead analysts, which is why it is important to perform dynamic analysis of these kinds of links as well.

Tools

Email Header Analyzer Tools

• MSFT: https://mha.azurewebsites.net/

• MXToolbox: https://mxtoolbox.com/EmailHeaders.aspx

URL Defang Tools

• Defang Tool: https://defa.ng/

• CyberChef Defang URL:https://gchq.github.io/CyberChef/#recipe=Defang_URL(true,true,true,'Valid domains and full URLs')

SPF/DKIM/DMARC Lookup Tools

• EasyDMARC: https://easydmarc.com/tools

• MXToolbox: https://mxtoolbox.com/SuperTool.aspx#

• DMARCIAN Domain Checker: https://dmarcian.com/domain-checker/

IP Information Lookup Tools

• IPinfo: https://ipinfo.io/

• IPLocation.io: https://iplocation.io/

Reverse IP Lookup Tools

• DNSChecker Reverse IP Lookup: https://dnschecker.org/reverse-dns.php

• MXToolbox: https://mxtoolbox.com/ReverseLookup.aspx

Whois Lookup Tools

• Whois: https://www.whois.com/whois/

• ICANN Lookup: https://lookup.icann.org/en

• DomainTools: https://whois.domaintools.com/

URL Extractor Tools

• CyberChef:https://cyberchef.io/#recipe=Extract_URLs(true,true,true)

• ConverCSV URL Extractor: https://www.convertcsv.com/url-extractor.htm

• Browserling URL Extractor: https://www.browserling.com/tools/extract-urls

• MiniWebtool URL Extractor: https://miniwebtool.com/url-extractor/

QR Code Scanner Tools

• ScanQR: https://scanqr.org/

• QR Code Scanner: https://www.imagetotext.info/qr-code-scanner

IP/Domain Reputation Tools

• AbuseIPDB: https://www.abuseipdb.com/

• SOCRadar: https://socradar.io/labs/soc-tools/ip-reputation

• APIVoid: https://www.apivoid.com/tools/ip-reputation-check/

• Cisco Talos Intelligence: https://www.talosintelligence.com/reputation_center

• Spamhaus: https://www.spamhaus.org/ip-reputation/

• VirusTotal: https://www.virustotal.com/gui/home/upload

• URLScan.io: https://urlscan.io/

• Islegitsite: https://www.islegitsite.com/

File Reputation Lookup Tools

• Cisco Talos Intelligence: https://talosintelligence.com/talos_file_reputation

• VirusTotal: https://www.virustotal.com/gui/home/upload

Virtual Browsers

• Browserling: https://www.browserling.com/

• Wannabrowser: https://www.wannabrowser.net/

• Kasm Workspaces: https://www.kasmweb.com/

• Rammerhead Browser: https://browser.rammerhead.org/

Online Sandbox

• Joe Sandbox: https://www.joesandbox.com/#windows

• AnyRun: https://any.run/

• HybridAnalysis: https://www.hybrid-analysis.com/submissions/sandbox/urls

• VirusTotal: https://www.virustotal.com/gui/home/upload

Phishing Detection and Analysis Tools

• PhishTool: https://www.phishtool.com/

• OpenPhish: https://phish.report/contacts/OpenPhish

• SOCRadar: https://socradar.io/labs/soc-tools/phishing-radar

• PhishTank: https://phishtank.org/

• DNSTwist: https://dnstwist.it/

• URLScan.io: https://urlscan.io/

Other Resources

• https://github.com/counteractive/incident-response-plan-template/blob/master/playbooks/playbook-phishing.md

• Phishing investigation | Microsoft Learn

• https://www.socinvestigation.com/how-to-spot-a-phishing-email/

• https://www.socinvestigation.com/how-to-check-malicious-phishing-links/

• https://www.socinvestigation.com/email-header-analysis-use-cases-including-spf-dkim-dmarc/

• https://www.socinvestigation.com/dnstwist-tool-proactive-approach-for-handling-phishing-cases/

• https://www.socinvestigation.com/cooking-malicious-phishing-email-headers-with-cyberchef/