Deconstructing Phishing Attacks and Email Analysis

Ravitej Bandlekar
6 min read · Nov 7, 2023


Source: vipre.com

Spam and phishing are prevalent forms of social engineering attacks, with a specific focus on email as a common attack vector. Spam emails, despite their origins dating back to 1978, continue to inundate our inboxes, often bypassing filters and security measures. On the other hand, phishing is a grave concern that organizations must defend against. Even with robust security strategies in place, the actions of a single unwitting user can provide attackers with a foothold in the corporate network, typically through clicking on malicious links or downloading harmful attachments.

While numerous security products aim to combat spam and phishing, the reality is that some of these malicious emails can still slip through the cracks. As a Security Analyst, it becomes crucial to analyze these emails when they do breach the defenses to determine their nature, whether they are malicious or benign. This analysis is not only for immediate mitigation but also to gather essential information about the email, which can be used to enhance security products and prevent similar malicious emails from reaching users’ inboxes in the future. In the constant battle against cyber threats, the ability to scrutinize and understand these email attacks is a vital component of maintaining a secure corporate environment.

Email phishing stands as a primary catalyst for various cyber-attacks. In this deceptive tactic, unsuspecting users are lured into opening and interacting with seemingly authentic files and links sent via email. Consequently, cyber adversaries gain access to their victims’ systems, introducing malware, exfiltrating sensitive credentials and personal information, and engaging in activities like financial fraud and launching ransomware attacks.

Malicious emails can be classified into several categories:

  1. Spam: These are unsolicited and widespread junk emails sent to a large number of recipients. A more malicious form of spam is known as “MalSpam.”
  2. Phishing: Phishing emails impersonate trusted entities to trick individuals into revealing sensitive information.
  3. Spear Phishing: Going a step further, spear phishing targets specific individuals or organizations, aiming to acquire sensitive data.
  4. Whaling: Whaling is a variation of spear phishing, focusing on high-level C-suite individuals (such as CEOs and CFOs) with the same objective.
  5. Smishing: Smishing adapts phishing for mobile devices, using tailored text messages to target mobile users.
  6. Vishing: Vishing is similar to smishing but relies on voice calls, rather than text messages, for social engineering attacks.

These diverse forms of malicious email attacks vary in their level of specificity, all with the common goal of deceiving recipients and extracting sensitive information.

Phishing emails commonly share the following characteristics:

  • Email Spoofing: They often disguise the sender’s email name/address to mimic a trusted source.
  • Urgent Language: These emails employ a sense of urgency or keywords like “Invoice” or “Suspended” in the subject line or body.
  • Mimicked Design: The HTML email body is crafted to resemble a reputable entity, such as Amazon.
  • Poor Formatting: Contrary to the previous point, some phishing emails exhibit poorly formatted or poorly written content.
  • Generic Content: They use generic salutations like “Dear Sir/Madam.”
  • Hidden Hyperlinks: Phishing emails frequently contain hyperlinks, sometimes using URL shortening services to obscure their true origin and destination.
  • Malicious Attachments: They may include harmful attachments posing as legitimate documents.

Email Security:

Email authentication and security techniques such as SPF, DKIM, and DMARC are used to combat email spoofing, phishing, and other email-related risks. These techniques operate together to ensure the authenticity and dependability of email messages.

SPF (Sender Policy Framework)

  • SPF is an email authentication standard developed to combat email spoofing by allowing domain owners to indicate which mail servers are authorized to send emails on their behalf.
  • It works by establishing a DNS record (TXT record) for the sender’s domain that lists the IP addresses or hostnames of authorized email servers.
  • When an email is received, the recipient’s email server verifies the SPF record of the sender’s domain to ensure that the sending server is authorized to send emails on behalf of that domain. If the verification fails, the email may be marked as suspicious or rejected.

DKIM (DomainKeys Identified Mail)

  • DKIM is another email authentication mechanism that employs cryptographic signatures to validate the integrity and authenticity of email communications.
  • When an email is sent, the sender’s mail server signs it with a private key and adds a DKIM signature to the message header. The sender’s DNS records contain the public key necessary for signature verification.
  • The sender’s public key can be used by the recipient’s email server to validate the DKIM signature and ensure that the email was not tampered with during transit.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

  • DMARC is a policy framework that extends SPF and DKIM to provide further protection against email spoofing and phishing.
  • A domain owner can use DMARC to define which email authentication procedures (SPF and/or DKIM) must be fulfilled for emails coming from their domain, as well as the actions to be performed if these checks fail (e.g., rejecting or quarantining the email).
  • DMARC also includes reporting capabilities that offer feedback on the status of emails sent from the domain, allowing domain owners to monitor and fine-tune their email authentication rules.
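As an added example that is not part of the original post, the following Python evaluates an SPF record against a sending IP and reads the tags of a DMARC record; the records and addresses are constructed, and only the SPF terms that need no DNS lookup are decided (the others are reported as unresolved).

```python
"""Evaluate an SPF record for a sending IP and read a DMARC policy.
Only ip4/ip6/all terms are decided offline; include/a/mx/exists/ptr/redirect
need DNS and are reported as 'unresolved'. All records here are constructed."""
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TERMS = ("include", "a", "mx", "exists", "ptr", "redirect")


def check_spf(record, sender_ip):
    """Return (result, matching_term) for sender_ip under an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ("permerror", None)  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means '+' (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        value = term[len(name) + 1:]
        if name in ("ip4", "ip6"):
            # 'in' is False when the address and network are of different IP versions
            if ip in ipaddress.ip_network(value, strict=False):
                return (QUALIFIERS[qualifier], f"{name}:{value}")
        elif name == "all":
            return (QUALIFIERS[qualifier], "all")
        elif name in DNS_TERMS:
            return ("unresolved", term)  # a DNS lookup is needed to decide this term
        # unknown modifiers such as exp= are ignored, as the RFC requires
    return ("neutral", None)  # no term matched and there was no 'all'


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC TXT record, with RFC defaults filled in."""
    tags = {}
    for part in record.split(";"):
        tag, sep, value = part.strip().partition("=")
        if sep:
            tags[tag.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}  # not a usable DMARC record
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the domain policy
    tags.setdefault("pct", "100")
    return tags
```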

Primary analysis:

Prior to delving into the subject, it’s essential to grasp that an email comprises two distinct components:

  • The email header, which contains information about the email, including details about the email servers through which it passed.
  • The email body, which encompasses the text and potentially HTML-formatted content of the message.

An email header, also known as an internet header, is a set of metadata that comes with every email. It contains various details such as the sender’s and receiver’s information, the path the email took, timestamps, and more. Email service providers and mailbox systems use these headers to verify the legitimacy of email senders and correctly place emails in the recipient’s inbox.

The content of email metadata is automatically generated, and while there are established standards for what it should include, there are no restrictions on what additional information a mail server can include in it.

Here is an extra source from Media Temple that provides guidance on how to examine email headers: https://mediatemple.net/community/products/all/204643950/understanding-an-email-header

What specific signs or elements do we seek when evaluating a potentially harmful email?

A. Which social media platform or well-known website is the attacker attempting to impersonate in the email?

B. What is the subject of the email, and do you find it to be suspicious?

C. What is the email address of the sender?

D. What is the email address of the recipient?

E. What is the return-path email from the header?

F. What is the IP address of origin?

  • What is the domain listed for the IP address, and can you provide the customer name associated with it?
  • Reverse lookup of the sender IP address.
  • Utilize online tools like Cisco Talos, VirusTotal, IBM X-Force, and IPvoid to obtain the information mentioned above.

https://talosintelligence.com/reputation_center
https://exchange.xforce.ibmcloud.com/
https://www.virustotal.com/gui/home/upload

G. Are there any files attached to the email?

  • What is the name of the attachment?
  • What is the file extension of the attachment?

H. Do you see any embedded hyperlinks, such as those containing the text “Click here,” in the email?

  • What is the URI for the blocked image or embedded hyperlink, as found in the email header?
  • Once you’ve located it, you can utilize online threat intelligence tools to uncover reputation details, determine the domain it redirects to, and identify the IP address associated with the hyperlink.
  • What is the root domain of the URL?

I. What technique was used to persuade the victim to not ignore the email and act swiftly?

J. What is the SPF record for the domain?

K. What is the DMARC record for the domain?
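The checklist above turned into a triage script, as an added example that is not part of the original post: it pulls the sender and return-path (C, E), the originating IP from the first-hop Received header (F), the embedded hyperlinks and whether their visible text hides a different destination (H), urgency words in the subject (I), and the SPF/DKIM/DMARC verdicts recorded by the receiving server. The raw message, its addresses and the `triage` function name are constructed for this example and use reserved example domains and documentation IP ranges.

```python
"""Triage a raw email against the header and body checklist above.
The message is constructed for this example (reserved example domains and
documentation IP ranges); it identifies nobody real."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SAMPLE = """\
Return-Path: <bounce@mail-example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10]) by inbox.example.com; Tue, 7 Nov 2023 09:00:00 +0000
Received: from unknown (HELO web) ([198.51.100.23]) by mx.example.org; Tue, 7 Nov 2023 08:59:00 +0000
Authentication-Results: inbox.example.com; spf=fail smtp.mailfrom=mail-example.net; dkim=none; dmarc=fail header.from=example.com
From: "Example Support" <support@example.com>
To: <user@inbox.example.com>
Subject: URGENT: Your account has been suspended - Invoice attached
Content-Type: text/html

<p>Dear Sir/Madam,</p>
<p><a href="http://198.51.100.23/login">https://www.example.com/account</a></p>
"""

URGENCY_WORDS = ("urgent", "suspended", "invoice", "immediately", "verify")


def triage(raw):
    """Answer checklist items C, E, F, H and I (plus SPF/DKIM/DMARC results) as a dict."""
    msg = message_from_string(raw)
    f = {}
    f["from"] = parseaddr(msg.get("From", ""))[1]
    f["return_path"] = parseaddr(msg.get("Return-Path", ""))[1]
    # An envelope sender (Return-Path) on another domain than From is a spoofing hint
    f["sender_mismatch"] = f["from"].split("@")[-1] != f["return_path"].split("@")[-1]
    # Each hop prepends its Received header, so the last one names the origin
    received = msg.get_all("Received", [])
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1]) if received else []
    f["origin_ip"] = ips[0] if ips else None
    f["auth"] = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    f["urgency_words"] = [w for w in URGENCY_WORDS if w in msg.get("Subject", "").lower()]
    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    # Link text that is itself a URL but whose host differs from href hides the real destination
    links = re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S)
    f["links"] = [(href, text.strip()) for href, text in links]
    f["deceptive_links"] = [h for h, t in f["links"]
                            if t.startswith("http") and urlparse(t).netloc != urlparse(h).netloc]
    return f
```

The origin IP and the link hosts are what you would then feed to the reputation and URL tools listed below.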

Tools Used for Analysis:

Header analysis:

  1. Google Messageheader: https://toolbox.googleapps.com/apps/messageheader/analyzeheader
  2. Message Header Analyzer (mha.azurewebsites.net)
  3. https://mailheader.org/

IP Reputation and information:

  1. https://ipinfo.io/
  2. https://talosintelligence.com/reputation
  3. https://exchange.xforce.ibmcloud.com/
  4. https://www.virustotal.com/gui/
  5. https://www.ipvoid.com/

URL analysis:

  1. https://urlscan.io/
  2. https://www.wannabrowser.net/
  3. https://www.url2png.com/

URL extractor:

  1. https://www.convertcsv.com/url-extractor.htm
  2. https://gchq.github.io/CyberChef/

File Reputation:

  1. https://talosintelligence.com/talos_file_reputation
  2. https://www.virustotal.com/gui/
  3. https://www.reversinglabs.com/

Malware Sandbox:

  1. https://app.any.run/
  2. https://www.hybrid-analysis.com/
  3. https://www.joesecurity.org/

Phishing analysis:

A tool that will help with automated phishing analysis is PhishTool.
https://www.phishtool.com/

Additional tools:

To gain a more practical understanding of analyzing phishing emails, you can explore the rooms available on TryHackMe that cover this topic. These rooms will provide hands-on experience and guidance for dissecting and assessing phishing emails.

Let’s connect?

LinkedIn: www.linkedin.com/in/ravitejmbandlekar
